{"id":1049,"date":"2024-08-27T15:48:46","date_gmt":"2024-08-27T15:48:46","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1049"},"modified":"2025-07-28T09:30:56","modified_gmt":"2025-07-28T09:30:56","slug":"crib-notes-crysis-ransomware-with-a-dash-of-political-mockery","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/crib-notes-crysis-ransomware-with-a-dash-of-political-mockery\/","title":{"rendered":"Crib Notes: Crysis \u2013 Ransomware with a dash of political mockery"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Crysis is a type of ransomware that has been around since early 2016. Essentially, once the payload has been opened, Crysis encrypts all your files and data and directs you to make a payment with bitcoin in order to recover your files.

Recently: <\/strong>Earlier this year,in the wake of numerous sanctions placed upon Russia placed by Western governments in response to the annexation of Crimea, Crysis was used in attacks with a political flavour \u2013 attacks which included a satirical political cartoon on the \u2018ransom letter\u2019 page.

An image of this ransom letter page is below:<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Victims are forced to pay a six bitcoin ($6,500 USD) ransom in order to have their files decrypted. The ransom note gives those infected five days to purchase the decryption tool and warns that files will be permanently deleted if third party tools are used to try and recover data.

Technically: <\/strong>Now, let\u2019s take a look at some of the coding under Crysis\u2019 hood.

One of the ransomware\u2019s particularly interesting features is the encryption technique it uses. A combination of RSA and AES algorithms encrypt the files and the network share drive of the infected machine.  Also, it is able to infect both the Windows and MAC platforms as well as virtual platforms connected to the victim machine.   

Keeping with the encryption theme, another distinct characteristic is the encrypted file type extensions. Once on the victim\u2019s machine, file type extensions are changed to unique names in order to help mark the ransomware. Some of the file type extensions Crysis uses are below:
<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

We found a number of ransomware samples this year, so let\u2019s look at the code from one such sample below:

MD5: 5a8f288a70d4f3eef99af34bb3d10217fc7fd6d6bb6a13c1c8db5aee7bef40b4<\/strong><\/p>\n\n\n\n

Filename: Dakini.exe<\/strong>

The file at the time of installation copies itself to locations like:-

%localappdata%\\%dakini%.exe

%windir%\\system32\\%dakini.exe

The following Registry value changes were also observed by the Malicious executable to run on system startup:-

HKEY_LOCAL_MACHINE\\\u00adSoftware\\\u00adMicrosoft\\\u00adWindows\\\u00adCurrentVersion\\\u00adRun

Once the file is encrypted it drops a \u2018How-To-Decrypt\u2019 \u201creadme.txt<\/strong>\u201d\/ \u201chow_to _decrypt.htm<\/strong>l\u201d on the \/User\/Desktop. In some cases, the Desktop Background is also changed to show ransom demands.

The variants identified in February 2017 were seen to exploit the Remote Desktop Protocol connections through brute-force attacks.

This variant \u2013 dubbed \u2018Sanctions 2017\u2019 \u2013 is a variant of the Crysis\/Dharma family and uses the \u201c.wallet\u201d file extension on encrypted files. The malware falls under the category of \u201cAdvanced Malware\u201d for the capabilities it shows such as information stealing and the ability to control voice recording features on infected machines.<\/p>\n\n\n\n

The exploitation phase of the threat cycle shows a few additional features like:<\/p>\n\n\n\n