While everybody was expecting Locky, CryptXXX, or Cerber, Crysis swoops in to steal the show from the headliners

Jun 10, 2016 04:30 GMT  ·  By

Three weeks after ESET announced that the infamous TeslaCrypt ransomware was shutting down operations, the Slovakian security firm is now reporting on the ransomware that has taken TeslaCrypt's place.

Named Crysis, the first versions of this ransomware were spotted online in mid-February. ESET says these early builds were not among the best it has seen, and the company's experts believe they might be able to crack their encryption scheme.

Unfortunately, they are not so confident about its latest versions, revealing that Crysis now features a strong encryption mechanism that goes after local files, network shares, and even removable drives once it infects a target.

Crysis encrypts almost every file on your PC

Crysis doesn't bother targeting certain file extensions but encrypts every file it can get its hands on, except its own binaries and core Windows files. Even files without an extension won't escape.

Once the encryption process finishes, Crysis contacts its C&C server, sends local computer details so the operators can identify the infected machine, and reports the number of files it encrypted.

At this point, the ransomware's work is almost done; all that's left is to drop a text file on the user's desktop named "How to decrypt your files.txt" and then change the desktop wallpaper.
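The two artefacts described above (the ransom note dropped on the desktop and a burst of file writes across the tree) give a responder something concrete to hunt for. The following script is an added example, not code from the article or from ESET: it walks a directory tree for the note filename the article quotes and then measures how many files near it were modified within a short window of the note's own timestamp, which is the write pattern a mass-encryption run leaves behind. The directory layout, file names and the 300-second window are constructed assumptions for the demonstration; the encrypted-file extension is not given in the article, so the script deliberately does not rely on one.

```python
import os
import tempfile
import time
from pathlib import Path

# Ransom note filename as reported in the article (matched case-insensitively).
RANSOM_NOTE_NAME = "How to decrypt your files.txt"


def find_ransom_notes(root):
    """Return sorted paths of every file under `root` named like the Crysis note."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == RANSOM_NOTE_NAME.lower():
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def write_burst_around(note_path, window_seconds=300):
    """Count files in the note's directory tree whose mtime lies within
    +/- window_seconds of the note's mtime (the note is dropped right after
    encryption finishes, so encrypted files cluster around it).
    Returns (files_in_burst, total_files_excluding_note)."""
    note = Path(note_path)
    note_mtime = note.stat().st_mtime
    burst = total = 0
    for p in note.parent.rglob("*"):
        if p.is_file() and p != note:
            total += 1
            if abs(p.stat().st_mtime - note_mtime) <= window_seconds:
                burst += 1
    return burst, total


def scan_for_crysis(root, window_seconds=300):
    """Summarise indicators under `root`: note locations plus the write burst
    around the first note found (zeros when no note is present)."""
    notes = find_ransom_notes(root)
    burst = total = 0
    if notes:
        burst, total = write_burst_around(notes[0], window_seconds)
    return {"notes": notes, "burst_files": burst, "total_files": total}


def build_sample_tree():
    """Constructed sample data (assumption, not a real infection): a Desktop
    holding the note, two freshly written files (one without an extension,
    matching the article's remark) and one untouched file aged ten days."""
    root = tempfile.mkdtemp(prefix="crysis_demo_")
    desktop = Path(root) / "Desktop"
    desktop.mkdir()
    now = time.time()
    (desktop / RANSOM_NOTE_NAME).write_text("constructed placeholder note\n")
    (desktop / "report.docx").write_bytes(b"\x00" * 16)
    (desktop / "notes").write_bytes(b"\x00" * 16)  # extensionless, still hit
    old = desktop / "old_photo.jpg"
    old.write_bytes(b"\xff\xd8")
    old_time = now - 10 * 24 * 3600
    os.utime(old, (old_time, old_time))  # outside the burst window
    return root


if __name__ == "__main__":
    result = scan_for_crysis(build_sample_tree())
    print(result)
```

The burst ratio is a triage heuristic rather than proof: a legitimate bulk copy produces the same clustering, so pair it with the note match before escalating.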

Victims have to email the ransomware's operators

A sign of its short time in the wild can be seen in how victims pay to recover their files. While most ransomware families run a "decryption website" on the Dark Web, Crysis' authors haven't had time to set one up.

Instead, the ransom note and the desktop wallpaper image list two email addresses, and victims are told to write to them in order to recover their files.

ESET reports that the payment fee varies between €400 and €900 ($450 and $1,000). Of course, payment is handled via Bitcoin, to a wallet address each victim receives in the email reply.

Currently, ESET thinks that Crysis might be "The One," the ransomware that takes TeslaCrypt's place, and already reports seeing Crysis lay "claim to parts of its [TeslaCrypt's] territory."

The Crysis ransomware desktop wallpaper