CrySiS targets Windows OS and is distributed as malicious attachments in spam emails and disguised as installation files for legitimate software. Once it infects a system, it creates registry entries to maintain persistence and encrypts all file types, with the exception of system and malware files, on fixed, removable, and network drives. CrySiS then drops a ransom note on the desktop for the victim, providing two email addresses the victim can use to contact the attackers. The ransom demand is between 0.79 and 1.18 Bitcoin.
UPDATE 11/14/2016: The master decryption keys for the CrySiS ransomware variant have been released to the public.
UPDATE 11/29/2016: A new version of CrySiS has been discovered appending encrypted file names with .dharma or .wallet. This version cannot be decrypted at the time of this update.
UPDATE 3/2/2017: The master keys for the Dharma version of CrySiS have been released. Kaspersky used these keys to add decryption functionality for Dharma in the Rakhni Decryptor available on NoMoreRansom.org.
UPDATE 4/15/2017: A new version of CrySiS appends .onion to encrypted file names.
UPDATE 8/25/2017: A new version appends .arena to encrypted file names.
UPDATE 11/10/2017: A new version of CrySiS appends .cobra to encrypted files. The Cobra version of CrySiS deletes shadow volume copies, encrypts mapped network drives and unmapped network shares, and automatically launches when an infected user logs into Windows. A ransom note instructs victims to contact firstname.lastname@example.org for payment instructions. This version of CrySiS cannot be decrypted at the time of this update.
UPDATE 12/3/2017: A new version appends .java to encrypted files.
- We Live Security provides more information about CrySiS here.
- Kaspersky’s free decryption tool, RakhniDecryptor, can now decrypt CrySiS.
ESET also provides a free decryption tool for CrySiS, available here.