CryptON

CryptON, also known as Nemesis or X3M, targets servers running Windows OS and is distributed and executed manually via Remote Desktop Protocol (RDP) brute force attacks. CryptON does not contain a file extension list so it encrypts any and all file types it finds on the infected server. It does, however, exclude C:\Windows, C:\Program Files, and the user profile folder to avoid impacting the boot operation and other critical system processes. CryptON deletes system recovery points to prevent victims from restoring files without paying the ransom. According to Emsisoft’s analysis team, files encrypted by CryptON are 16 bytes larger than the original file and append the following extensions to the file names:

  • .id-<id>_locked
  • .id-<id>_locked_by_krec
  • .id-<id>_locked_by_perfect
  • .id-<id>_x3m
  • .id-<id>_r9oj
  • .id-<id>_garryweber@protonmail.ch
  • .id-<id>_steaveiwalker@india.com_
  • .id-<id>_julia.crown@india.com_
  • .id-<id>_tom.cruz@india.com_
  • .id-<id>_CarlosBoltehero@india.com_
  • .id-<id>_maria.lopez1@india.com_

UPDATE 4/4/2017: A new strain of this variant, called Cry9, began impacting victims around March 17, 2017. Attackers behind this campaign infected victims by conducting RDP brute force attacks and manually executing the ransomware once they gained access to the victims' servers. Files encrypted by Cry9 appear to be 16 bytes larger than the original files. File extensions associated with Cry9 include:

  • .<id>-juccy[a]protonmail.ch
  • .id-<id>
  • .id-<id>_[nemesis_decryptor@aol.com].xj5v2
  • .id-<id>_r9oj
  • .id-<id>_x3m
  • .id-<id>_[x3m-pro@protonmail.com]_[x3m@usa.com].x3m
  • .<id>
  • .<id>_[wqfhdgpdelcgww4g.onion.to].r2vy6

UPDATE 5/1/2017: A new version, dubbed Cry128, began appearing April 22, 2017. It is distributed via RDP brute-force attacks and deployed across networks from compromised servers. It deletes system recovery points to prevent victims from recovering their files using Shadow Volume Copies. It encrypts all file types with the exception of files located within C:\Windows, C:\Program Files, and the user profile folder to prevent the corruption of the boot process and other critical processes. File extensions associated with Cry128 include:

  • .fgb45ft3pqamyji7.onion.to._
  • .id_<id>_gebdp3k7bolalnd4.onion._
  • .id_<id>_2irbar3mjvbap6gt.onion.to._
  • .id-<id>_[qg6m5wo7h3id55ym.onion.to].63vc4
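The three extension lists above are the most actionable indicator on this page for a responder who has to size an incident on a server: anything named with one of these suffixes is a candidate for the matching decryptor. The Python triage helper below is an added example, not code from Emsisoft or from this write-up. It turns each listed suffix into a regular expression, classifies file names by family, and walks a directory tree to count suspected encrypted files. It assumes the `<id>` placeholder is a run of letters and digits (the write-up does not give its format), and it deliberately leaves out the bare `.<id>` entry from the Cry9 list because that pattern matches any ordinary extension and would flag every file on the host; the `demo()` function builds a throwaway directory of constructed sample names so the scan can be exercised offline.

```python
"""
Hypothetical CryptON / Cry9 / Cry128 file-name triage helper.
Added example: not part of the original write-up or of any Emsisoft tool.
"""
import os
import re
import shutil
import tempfile
from collections import Counter

# Suffixes copied from the write-up's three extension lists. "<id>" is the
# per-victim ID. ASSUMPTION: the ID is a run of letters and digits; the
# write-up does not specify its length or alphabet.
SUFFIXES = {
    "CryptON": [
        ".id-<id>_locked",
        ".id-<id>_locked_by_krec",
        ".id-<id>_locked_by_perfect",
        ".id-<id>_x3m",
        ".id-<id>_r9oj",
        ".id-<id>_garryweber@protonmail.ch",
        ".id-<id>_steaveiwalker@india.com_",
        ".id-<id>_julia.crown@india.com_",
        ".id-<id>_tom.cruz@india.com_",
        ".id-<id>_CarlosBoltehero@india.com_",
        ".id-<id>_maria.lopez1@india.com_",
    ],
    "Cry9": [
        ".<id>-juccy[a]protonmail.ch",
        ".id-<id>",
        ".id-<id>_[nemesis_decryptor@aol.com].xj5v2",
        ".id-<id>_r9oj",
        ".id-<id>_x3m",
        ".id-<id>_[x3m-pro@protonmail.com]_[x3m@usa.com].x3m",
        ".<id>_[wqfhdgpdelcgww4g.onion.to].r2vy6",
        # The write-up also lists a bare ".<id>" suffix for Cry9. It is
        # omitted here: by name alone it is indistinguishable from any
        # normal extension and would flag every file on the server.
    ],
    "Cry128": [
        ".fgb45ft3pqamyji7.onion.to._",
        ".id_<id>_gebdp3k7bolalnd4.onion._",
        ".id_<id>_2irbar3mjvbap6gt.onion.to._",
        ".id-<id>_[qg6m5wo7h3id55ym.onion.to].63vc4",
    ],
}

ID_RE = r"[A-Za-z0-9]+"


def _compile(suffix):
    """Escape the literal parts of a suffix, re-insert the ID wildcard, anchor at end."""
    parts = [re.escape(p) for p in suffix.split("<id>")]
    return re.compile(ID_RE.join(parts) + r"$")


PATTERNS = [(family, _compile(s)) for family, sfx in SUFFIXES.items() for s in sfx]


def classify(filename):
    """Return the sorted list of families whose suffix matches the name ([] if none).
    A name can match more than one family because _x3m and _r9oj are listed
    for both CryptON and Cry9."""
    base = os.path.basename(filename)
    return sorted({family for family, rx in PATTERNS if rx.search(base)})


def scan_tree(root):
    """Walk root and count suspected encrypted files per family.
    Returns (Counter family -> count, list of (path, families))."""
    counts = Counter()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            fams = classify(name)
            if fams:
                hits.append((os.path.join(dirpath, name), fams))
                counts.update(fams)
    return counts, hits


def build_demo_tree():
    """Create a throwaway directory of CONSTRUCTED sample names (not real samples)."""
    root = tempfile.mkdtemp(prefix="crypton_demo_")
    names = [
        "quarterly.xlsx.id-7F3A9C_locked",                       # CryptON
        "notes.txt.id-7F3A9C_x3m",                               # CryptON and Cry9
        "photo.jpg.id-7F3A9C_[nemesis_decryptor@aol.com].xj5v2",  # Cry9
        "db.mdf.id_7F3A9C_2irbar3mjvbap6gt.onion.to._",          # Cry128
        "readme.txt",                                            # clean
    ]
    for n in names:
        with open(os.path.join(root, n), "wb") as fh:
            fh.write(b"constructed placeholder content")
    return root


def demo():
    """Scan the constructed tree and return (per-family counts, number of hits)."""
    root = build_demo_tree()
    try:
        counts, hits = scan_tree(root)
    finally:
        shutil.rmtree(root)
    return dict(counts), len(hits)


if __name__ == "__main__":
    counts, n = demo()
    print(f"{n} suspected encrypted files: {counts}")
```

Run it against a real share root instead of the demo tree by calling `scan_tree(r"D:\shares")`; the per-family counts tell you which of the three decryptors applies, and the hit list is what you would hand to it. Because the matcher works on names only, it cannot confirm the 16-byte size growth the write-up describes without an original copy of each file to compare against.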

  • Emsisoft provides more information about CryptON.
  • Emsisoft provides a free decryption tool for CryptON.
  • Emsisoft provides a free decryption tool for Cry9.
  • Emsisoft provides a free decryption tool for Cry128.