21/09/2018
08:56

Malspam campaign targeting Russia and Eastern European countries, spreads Cryakl ransomware


New variant of Cryakl ransomware spreading via an email in Cyrillic.
      
Cryakl


Campaigns of the ransomware called Cryakl targeting Russia and/or Eastern European countries, have been circulating in recent weeks.

TG Soft's C.R.A.M. (Anti-Malware Research Center) analyzed an  email included in a campaign spreading the malware Trojan "CryptCryAkl" on  September 09, 2018.

INDEX

==> How Cryakl reveals itself

==> How Cryakl works
 
==> The ransom demanded by Cryakl

==> Protection against ransomware

==> How to mitigate the damage
Cyber-criminals developed "Social engineering" methods for fraudulent mass mailings, to induce the victim to open infected attachments or click on links in the body of the message.
If you received a suspicious email, send it to C.R.A.M. (Center for Anti-Malware Research): How to send suspicious emails

How Cryakl reveals itself

The infection vector used by Cryakl is e-mail. Two malware campaigns spreading the Cryakl ransomware were identified on September 9 and September 21. In the picture below we can see the Cyrillic email (targeting Russia and Eastern European countries) related to the September 9 camapaign.
 We can't exclude that the examples given may change and other circulating mails can be different or translated into other languages.

?????? ????????????? ?? ???????? ???????????? - Mozilla Thunderbird
Da:                          
Oggetto: ?????? ????????????? ?? ???????? ????????????
A:                           
Здравствуйте.
 

Убедительно просим Вас погасить текущую задолженность до 1.11.2018 года.

На сегодняшний день сумма Вашей общей задолженности перед ООО «БухБИГ» составляет 24,712 рублей.

Если долг не будет погашен в указанные сроки, мы будет вынуждены обратиться в суд.
 
Отправляю еще раз, копию счета и договор.

С уважением,

Алексей Воронов.

 
1 allegato: ????????????2??????? .zip
 
 
The message that the unfortunate user receives, looks like those that occur when payment reminders are received in the mailbox.

The text (translated) asks to pay off an alleged debt before November 1, 2018 and deceives the user by writing the number "24,712 rubles" and the name of a company "BuhBIG". However what prompts the user to open the attachment urgently, is a threat written in the end of the email, that says:

"If the debt is not repaid within the specified time, we will be obliged to apply to the court."

 If you open the compressed attachment to see its contents, you should check the file type inside, regardless of the misleading name it has.

The Cryakl ransomware examined by TG Soft's C.R.A.M. is "triggered" by the execution of a file (.scr) inserted into an archive file, contained in another ".zip" file attached to a fake email.

In the case examined, the ".zip" file containing the malware and the malware itself are called "копия счета и договор" [translated= "copy of the account and contract"]. If the user opens and executes the ".scr" file, it will activate Cryakl Ransomware in the system.

  • File Name : <file_con_nome_cirillico>.zip
  • Size: 227.417 byte
  • Md5: 43270C7F68329D197BE21D27AFE37250
Inside the file "<file_with_cirillic_name>.zip", we find the file "копия счета и договор.scr". This, after its execution,  creates a copy of itself in the user's temporary folder which will then be launched to start the data encryption process. The mentioned executable, analyzed by TG Soft's C.R.A.M. (Anti-Malware Research Center) has the following characteristics:
  • File Name: копия счета и договор.scr
  • VirIT: Trojan.Win32.CryptCryAkl.AD
  • Size236.544 byte
  • Md5: 6C01E0F297DEBE4606CF2CAB510C38AB
The document file inside the computer will be encrypted and renamed like this: "email-vally@x-mail.pro.ver-CL1.5.1.0.id-2564879395-6255388384519840209810.fname-{ORIGINAL FILE NAME}.doubleoffset."
 
 
Back to top of page

How Cryakl works

Once the file "копия счета и договор.scr" is executed, it reruns and creates a temporary file in the following path "C:\Users\[USER]\AppData\Local\Temp\[NUMERO IDENTIFICATIVO]" with a name equal to the victim's ID number.

It then attempts to connect to the two C&C servers:
  • "dyrovpa9[.]beget[.]tech"
  • "www[.]vabel[.]fr"
transmitting the Ransomware version (1.5.1.0) in addition to the unfortunate user's ID number, with the following string"/inst.php?vers=CL%201.5.1.0&id=[NUMERO IDENTIFICATIVO]-248183364050830553060281&sender= HTTP/1.1".

It then proceeds by extracting a copy of itself in temp called "NOMECASUALE.exe" and executes it with the following command: C:\Users\[UTENTE]\AppData\Local\Temp\[NOMECASUALE].exe "C:\Users\[UTENTE]\AppData\Local\Temp\[NOMECASUALE].exe". This  re-run again before proceeding to the next step.
When the various preparation steps are finished, the last execution of "NOMECASUALE.exe" checks if the file is still present in"C:\Users\[UTENTE]\AppData\Local\Temp\[NUMERO IDENTIFICATIVO]"and, immediately after that, creates a registry key that sets the malware autostart.

HKCU\software\microsoft\windows\currentversion\run
[NUMERO IDENTIFICATIVO]C:\Users\[UTENTE]\AppData\Local\Temp\NOMECASUALE.exe

HKLM\software\microsoft\windows\currentversion\run
[NUMEROCASUALE] = [NUMEROCASUALE]

It then creates in each folder on the system the file "README.txt" containing the e-mail to contact for information on how to pay the ransom, as shown below:


Your files was encrypted! Write us:
vally@x-mail.pro
vally@x-mail.pro
vally@x-mail.pro
 

Now the data encryption
step begins, starting with the first folder in "A:\", enumerating all folders on the disk and all drives present.
Once the encryption process is finished and the ".doubleoffset" extension is added, the malware will execute some commands that allow the shadow copies to be deleted:


C:\Windows\system32\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /RU SYSTEM /SC ONCE /TN VssDataRestore /F /RL HIGHEST /TR "vssadmin delete shadows /all /quiet" /st 00:00

open schtasks /Create /RU SYSTEM /SC ONCE /TN VssDataRestore /F /RL HIGHEST /TR "vssadmin delete shadows /all /quiet" /st 00:00

 
The Ransomware then opens a message screen, inviting the user to write an e-mail for information on how to decrypt his files, to the address that will be shown.

Back to top of page

The ransom demanded by Cryakl

The picture on the right shows the screen with the e-mail address to contact to recover the now already encrypted files, after ransom payment.

The wallet listed for payment is.:

WALLET = 1FJ1evxv3eUimCrtujLt78M6Uk3QJfyqpd

The amount of the ransom required to decrypt the files, as of 09/24/2018 is 0.1 BTC.


0.1BTC = 561.13 €
0.1BTC = 660.61 USD (Dollari statunitensi) 

To date, the Wallet of the miscreants has received payments of 0.03979206 BTC.




**On 21/09/2018, a new campaign was found spreading a variant of the ransomware with different MD5.


  • File Name : <file_con_nome_cirillico>.zip
  • Size: 159.995 byte
  • Md58BB56E3AC67FD9DF2879D3C1BF61B3FE
inside is the file:
  • File Name: <file_con_nome_cirillico>.scr
  • VirIT: Trojan.Win32.CryptCryAkl
  • Size: 174.080 byte
  • Md50FF29C048FA497E7616FA42EE44F85AD


It is probably not redundant to mention that Ransomware is aimed at extorting money. For this reason, the files from which the encryption process is triggered are artfully modified to avoid being recognized by the most commonly used antivirus software, so that they can continue undisturbed with their encryption attempts and related ransom demand.

Considering all this, the interception of the malicious file cannot rely on classical methods, but must necessarily use other approach methodologies such as heuristic-behavioral. These technologies enable recognition of the behavior of the process itself once it is active, regardless of the carrier file, monitoring its execution and the activities performed.

It is important to know that:
  1. There is no assurance that software will be forwarded after payment to provide for de-cryption of the files taken hostage;
  2. Paying gives strength to cyber criminals who, with the gains made, will continue their extortion activities with even greater effort and even more sophisticated methodologies. It is therefore good to avoid feeding this "market."
 Below we will provide important tips for defense against Crypto-Malware and/or mitigation of its damage if you come in contact with ransomware such as Cryakl.

IOC

MD5:
8BB56E3AC67FD9DF2879D3C1BF61B3FE
43270C7F68329D197BE21D27AFE37250
6C01E0F297DEBE4606CF2CAB510C38AB
0FF29C048FA497E7616FA42EE44F85AD

URL:
dyrovpa9[.]beget[.]tech (C&C)
www[.]vabel[.]fr             (C&C)

Back to top of page

Protection against Ransomware / Crypto-Malware

Tecnologie euristico-comportamentali AntiRansomware protezione Crypto-Malware. integrate in Vir.IT eXporer PRO
Vir.IT eXplorer PRO can identify and block even this Crypto-Malware already in the initial stages of the data file encryption attack against PC/ SERVER.

As reported, the heuristic-behavioral AntiRansomware Crypto-Malware protection technologies built in Vir.IT eXplorer PRO, when properly installed, configured, updated and used, mitigate this type of attacks safeguarding from encryption, on average, at least 99.63% of PC and SERVER data files. Besides through Vir.IT BackUp we can recovery  encrypted files in the initial phase of the attack, up to 100% .
 
Back to top of page


How to mitigate Cryakl damage

When the "Alert" generated by Vir.IT eXplorer PRO appears on the screen (visible just below on the right ) the AntiRansomware protection Crypto-Malware technologies are already BLOCKING the malware.When this happens, avoid "panic", DO NOT close the window and perform the operations indicated:

  1. DISCONNECT the LAN NETWORK CABLE: This will physically isolate that PC / SERVER from any other computers connected with it on the Lan network while keeping the attack limited to that computer only.
  1. DO NOT REBOOT THE COMPUTER: We recommend that you do not turn off and/or reboot your PC/Server but contact, as soon as possible, our technical support by writing an email reporting the current situation to the address assistenza@viritpro.com. Then contact the technical support numbers 049.631748 and 049.632750, free of charge for customers with Vir.IT eXplorer PRO license, on business days Monday through Friday 8:30 a.m. to 12:30 p.m. and 2:00 p.m. to 6:00 p.m.
Videata protezione Anti-CryptoMalware integrata in Vir.IT eXporer PRO
Click to enlarge
99,63%*

Average percentage expectation of files saved from encryption by Vir.IT eXplorer PRO's Anti-CryptoMalware protection ==> See the disclosure

Back to top of page



You have Vir.IT eXplorer PRO on your computers

Tecnologie euristico-comportamentali AntiRansomware protezione Crypto-Malware. integrate in Vir.IT eXporer PRO
Tecnologie euristico-comportamentali AntiRansomware protezione Crypto-Malware. integrate in Vir.IT eXporer PRO
Tecnologie euristico-comportamentali AntiRansomware protezione Crypto-Malware. integrate in Vir.IT eXporer PRO

Vir.IT eXplorer PRO when properly installed, configured, updated and used following the Alert directions of AntiRansomware Technologies Crytpo-Malware protection, will allow you to safeguard from encryption, on average, AT LEAST 99.63% of your valuable data files.

In addition, through the technologies built into Vir.IT eXplorer PRO, capable of de-encrypting and restoring encrypted files, it is possible to de-encrypt/restore up to 100 percent of the files potentially encrypted in the initial phase of the attack.

These technologies are listed below:
  • For some types/families of Crypto-Malware Vir.IT eXplorer PRO can capture the private encryption key when it is available in the clear, that is the activation of the encryption process. By using the encryption key through the built-in tools of Vir.IT eXplorer PRO we will de-encrypt the encrypted files at the initial stage of the attack without losing any modifications.
  • For some types/families of Crypto-Malware Vir.IT eXplorer PRO the recovery is possible through Backup on-the-fly. This is a technology built into the resident shield, which automatically makes backup copies of the most common types of data files (files less than 3 MB in size). The backups made by Backup-on-the-fly allow files to be restored without losing any changes.
  • Vir.IT Backup. If de-cryption or file restoration using the two technologies listed above fail to recover all of the files encrypted in the initial phase of the attack, it will be possible to restore the missing files from the backup files generated by Vir.IT Backup.

You do NOT have AntiVirus-AntiSpyware-AntiMalware software that can block encryption from next-generation Crypto-Malware attacks...

If there is no tool in the system that can signal and block file encryption, in the specific case of Crypto-Malware attack we recommend:
  • DISCONNECT the LAN NETWORK CABLE.;
  • POWER OFF the PC / SERVER so to limit the number of encrypted files.
  • Contact your system technical support reporting the particular critical situation in place possibly referring to this information.

For more info please contact our administrative and commercial secretary by calling during office hours at 049.8977432.



C.R.A.M.
TG Soft's Anti-Malware Research Center
Back to top of page

 


*Average percentage of files saved from encryption by Anti-CryptoMalware technology integrated in Vir.IT eXplorer PRO determined based on attacks objectively verified by TG Soft's C.R.A.M. in October 2015.


Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: