DynA-Crypt targets the Windows OS and its method of distribution is currently unknown. This variant was developed using the Dynamite Malware Creation Kit and contains a number of individual executables and PowerShell scripts used to steal, delete, and encrypt data. Once a system is infected, DynA-Crypt first attempts to steal any sensitive data the victim may have on the screen or within certain programs. It takes screen captures, records system sounds, logs keystrokes, and steals data from Chrome, Firefox, Thunderbird, Skype, Steam, Minecraft, and TeamSpeak. After compiling this data, DynA-Crypt copies it to a folder named %LocalAppData%\dyna\loot\ and creates a ZIP file named loot.zip to send to the hacker behind the campaign. After exfiltrating the data, DynA-Crypt then deletes the files and folders containing that data from the victim’s system. It also deletes everything on the desktop. It then proceeds to encrypt the remaining targeted files using a PowerShell script and an AES encryption script, appending .crypt to the end of the file names. DynA-Crypt deletes Shadow Volume Copies to prevent file restoration by the victim. The ransom payment amount is $50 worth of Bitcoin.
- Bleeping Computer has more information about DynA-Crypt here and provides a free decryption tool to any victim who requests one via a comment at the bottom of the page.
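
A triage sweep for the file-system artifacts described above (the %LocalAppData%\dyna\loot\ folder, loot.zip, and files ending in .crypt), written as an added example that is not part of the original write-up. The function names, the constructed sample tree, and the choice to search the whole dyna folder for loot.zip are assumptions; point `sweep` at a Users directory on a live host or a mounted disk image.

```python
import os
import tempfile
from pathlib import Path

LOOT_DIR = Path("AppData", "Local", "dyna", "loot")  # %LocalAppData%\dyna\loot\
LOOT_ZIP = "loot.zip"
CRYPT_EXT = ".crypt"


def sweep_profile(profile: Path) -> dict:
    """Collect DynA-Crypt file-system artifacts under one user profile."""
    dyna = profile / LOOT_DIR.parent
    finding = {"profile": profile.name, "loot_dir": (profile / LOOT_DIR).is_dir(),
               "loot_zip": [], "crypt_files": 0}
    # Assumption: the write-up does not say where loot.zip lands, so search dyna\.
    if dyna.is_dir():
        finding["loot_zip"] = sorted(str(p) for p in dyna.rglob(LOOT_ZIP))
    for _root, _dirs, files in os.walk(profile):
        finding["crypt_files"] += sum(f.lower().endswith(CRYPT_EXT) for f in files)
    return finding


def sweep(users_root) -> list:
    """Return findings for every profile that shows at least one artifact."""
    hits = []
    for profile in sorted(Path(users_root).iterdir()):
        if profile.is_dir():
            f = sweep_profile(profile)
            if f["loot_dir"] or f["loot_zip"] or f["crypt_files"]:
                hits.append(f)
    return hits


def build_sample(root: Path) -> None:
    """Constructed sample tree: 'alice' shows artifacts, 'bob' is clean."""
    (root / "alice" / LOOT_DIR).mkdir(parents=True)
    (root / "alice" / LOOT_DIR.parent / LOOT_ZIP).touch()
    (root / "alice" / "Documents").mkdir()
    (root / "alice" / "Documents" / "report.docx.crypt").touch()
    (root / "bob" / "Documents").mkdir(parents=True)
    (root / "bob" / "Documents" / "notes.txt").touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for hit in sweep(tmp):
            print(hit)
```

A .crypt suffix alone is a weak signal because other software uses it; treat it as corroboration for the dyna folder or loot.zip.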