View All R&D Articles

Crysis Ransomware Infection And Decryption Services

September 27, 2016

Crysis ransomware first appeared in February of 2016, and new strains of the software continue to pose serious security threats for both personal computer users and businesses. Crysis is a type of crypto-ransomware, which means that it encrypts the files on an infected computer so that they are unreadable. It then demands a ransom in exchange for decryption keys.

In most cases, Crysis infects a computer through email, and many victims aren’t aware that they’ve been infected until the encryption process is complete. If you think that Crysis has infected your computer, turn it off, unplug all media from it, and call Datarecovery.com at 1-800-237-4200. Our malware recovery experts can create a plan to start restoring your data as quickly as possible.

What is Crysis Ransomware (And How Does It Work)?

Crysis is a type of malware that infects your system and encrypts your files. Essentially, it encodes the files on an infected computer in such a way that only someone with a key can open them again. At this time, there is no known crack for its encryption scheme.

After the malware encrypts the infected computer’s files, it changes the computer’s desktop wallpaper to an image with an email address. When the victim sends an email to that address, the assailants instruct them to send a ransom with bitcoin, which is a digital currency.

This type of infection is devastating to both individuals and businesses. The ransom can range from 2-4 Bitcoins ($1,200 – $2400 as of writing), and, as with any criminal dealing, victims can never be sure that they will receive the key once they pay.

Even if the key works and a victim can decrypt their files, it is possible that malware will linger on the computer. Even worse, new versions of Crysis can harvest credentials from a computer, which gives the attackers a dangerous amount of access to the victim’s information.

Here are some of the distinguishing features of Crysis:

  • Crysis fools victims into clicking on malware with a double file extension trick. The file with the payload is an executable, but by using two file extensions, it can resemble a PDF, document, or other innocuous file.
  • The malware does not target specific file extensions. It can encrypt any file type, including system files.
  • It primarily uses RSA and AES-128 ciphers for encryption.
  • Because Crysis can encrypt all file types, including executables, it can make an infected computer unstable.
  • There are reports that new variants of Crysis can harvest credentials from infected computers, including user login information.
  • Crysis can infect both Windows and Mac devices.
  • Crysis attempts to delete volume shadow copies of files so that restoring your files with backups is not possible.
  • At least one strain uses an “autorun” to spread across attached devices. As such, a Crysis infection can be a serious network security risk.

Crysis is versatile, and because it’s capable of stealing user credentials, it may infect a computer multiple times. The best way to avoid an infection is to avoid opening email attachments from unrecognized sources.

How Does Crysis Ransomware Infect My System?

Crysis infects computers through several avenues, but it’s typically disguised as a non-executable or as a legitimate program, like WinRar or Microsoft Excel. While it primarily spreads through email, it could also appear on a compromised website.

Crysis ransomware often uses a double file extension. This can make it appear as a harmless type of file, like a .jpg or .pdf, but it acts as an executable. If a computer user clicks on the ostensibly harmless file, the malware begins infecting the computer and encrypting all of its files.

The program can spread throughout a network fairly quickly, but up-to-date antivirus software may prevent it from gaining a foothold. Because some variants of Crysis steal credentials, corporate information theft is a serious concern. Crysis infections on larger networks should be treated immediately by qualified ransomware experts.

Can I Disable or Remove Crysis Ransomware Encryption?

Security experts claimed that they were able to decrypt earlier variants of Crysis. However, newer variants use more sophisticated algorithms and cannot be cracked through brute force methods.

For this reason, our specialists attempt to locate backups and alternate versions of files if possible. We can also explore decryption options for older variants, and if necessary, we can organize a safe, secure ransom payment as a last resort.

If you believe that Crysis has infected your computer, we recommend turning the machine off, unplugging all media, and calling our ransomware specialists. We can begin formulating a plan to restore your files and remove the ransomware permanently while preserving your user credentials.

Though Crysis attempts to delete shadow copies of files, we may be able to locate backup copies that you weren’t aware of. The security specialists at Datarecovery.com can advise you on your options, and get your computer back in working order. Call 1-800-237-4200 to get started.