CrySiS ransomware virus

CrySiS ransomware is an ever-evolving file locking malware that uses multiple attack vectors to infect thousands

Examples of Crysis ransomware
Crysis ransomware is a file locking malware that was first spotted back in 2016 and since evolved into Dharma ransomware.

Examples of Crysis ransomware
Crysis ransomware is a file locking malware that was first spotted back in 2016 and since evolved into Dharma ransomware.

CrySiS ransomware, or otherwise known as Dharma, is a type of malicious software programmed to lock all personal files on the target system and hold them hostage until a ransom is paid in Bitcoins. Released in 2016, this malware mostly targets businesses and organizations with the help of various attack vectors, including targeted phishing emails, fake AV software installers, weakly protected RDP connections, and other methods. Malicious actors behind Ransom.Crysis ransomware release several new variants a month, each using different file extension that are appended to files after the locking process with AES, RSA and (sometimes) DES ciphers.

Once on the system, CrySiS ransomware prepares the machine for file encryption and then encrypts pictures, documents, databases, videos, music, and other files. The initial version appended .CrySis marker, although a multitude of different extensions has been used since then. A ransom note (such as README.txt, Decryption instructions.txt, Infohta, etc.) is also dropped to inform users about what happened to their files, and that they need to pay to retrieve access to them – crooks can provide CrySiS ransomware decryptor. Luckily, some of the Ransom.Crysis versions can be decrypted without paying criminals, as security researchers provided a working tool for free. For communication purposes, CrySiS virus authors provide two email addresses, such as [email protected] or [email protected].

Name CrySiS
Type File locking malware, cryptovirus
Alternative names Dharma ransomware, Ransom.Crysis
Encryption algorithm Malware employs a combination of RSA, AES and, in some cases, DES ciphers to lock all personal data, although it skips system and its own files
File extension This malware family uses extended extensions, i.e., it does not only appends a short combination at the end after the dot, but also incorporates user ID, and a contact email into the affected fine names (example of an encrypted file:[[email protected]].asd)
Ransom size Varies; the original version asked for 2.5 – 3 BTC
Ransom note Malicious actors initially provided one ransom note README.txt; in later versions, two ransom notes are usually dropped on the system – Info.hta and FILES ENCRYPTED.txt
Contact Crybercriminals use a variety of contact emails, depending on the version of malware 
Decryption methods unfortunately, only some of the older versions of CrySiS can be decrypted with the help of ESET [direct download], Avast [direct download] and Kaspersky [direct download] decryptors. Newest versions can only be decrypted by crybercriminals, although there is small chance of recovering at least some of the lost data with third-party software – check our recovery section below for details
Ransomware removal You should remove CrySiS ransomware (after you make a copy of encrypted files, but before you attempt file recovery) with the help of reputable anti-malware software – perform a scan in Safe Mode if it does not work in normal mode
System fix Ransomware alters the Windows registry and may corrupt system files. If you found your computer suffering from stability issues after malware termination, employ repair tool Reimage Reimage Cleaner to fix virus damage on the system

Ransom.Crysis infection and preparation routine

Before proceeding with the encryption routine, Crysis ransomware performs the necessary changes within the Windows operating system to lock all files on the hard drive, external drives, as well as networks without interruptions.

In most cases, users will be shown the User Account Control warning – if allowed, it will be impossible to stop the infection spread. A malicious executable then creates entries within  %AppData%, %Temp%, or other folders, which consequently begins the infection process of Ransom.Crysis.

Here are some of the malicious changes performed by Ransom.Crysis ransomware virus:

  • Makes changes within Windows registry to establish persistence
  • Uninstalls anti-virus software (if the attack vector was performed via the RDP)
  • Deletes Shadow Volume Copies by using vssadmin delete shadows /all /quiet command and disables Windows startup to prevent easy recovery
  • Collects technical PC data and number of encrypted files on the system
  • Attempts to escalate privileges on some Windows systems
  • Sends appropriate information to Command and Control server

When malware succeeds in terminating anti-malware software within the computer, Crysis can operate without interruption. In such a case, we suggest accessing Safe Mode with Networking and dealing with the infection from there.

Crysis ransomware uses dozens of different file extensions and contact emails

The best-known versions of CrySis virus are Dharma ransomware and Arena ransomware. Due to similarities found in two of them, security experts often call the group of these two cyber threats as CrySiS/Dharma ransomware family.

There are hundreds of different file extensions CrySis ransomware uses to append files with after encryption, some of the previously used markers include: 

CrySiS ransomware encrypted files

CrySiS ransomware encrypted files

Following data encryption, Arena CrySiS ransomware delivers a ransom note. Typically, it creates two files – HTML file that opens automatically on the affected screen, and the TXT file that is placed on the desktop. These files might be called Help_Decrypt_FILES.html, Help_Decrypt_FILES.txt, info.hta, Files encrypted!!.txt, etc. Authors of the malware tell victims to contact them in order to recover their files:

Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key the recovery is impossible! To get the decoder and the original key, you need to write us at the email: [email protected] with subject “encryption” stating your id.
Do not waste your and our time on empty threats. Responses to letters only appropriate people are not adequate to ignore. P.S. only in case you do not receive a response from the first email address within 48 hours, please use this alternative email [email protected].

During the evolution of CrySiS virus, developers changed contact email addresses as well. Crooks are known for using these emails to communicate with victims:

Security experts do not recommend following criminals’ instructions and paying the ransom. [1]Different versions of the virus demand to pay from 0.5 to 1 Bitcoin for the possibility to restore encrypted data. However, there’s no guarantee that crooks will keep their promise. Additionally, CrySiS ransomware, as well as some variants, are decryptable. Therefore, paying the ransom is a waste of money.

An image of CrySiS ransomware virus ransom note
CrySiS ransomware brute-forces its way on the computers by exploiting RDP vulnerabilities and then drops a ransom note demanding payment once the encryption of the infected system is done.

An image of CrySiS ransomware virus ransom note
CrySiS ransomware brute-forces its way on the computers by exploiting RDP vulnerabilities and then drops a ransom note demanding payment once the encryption of the infected system is done.

Before starting the data recovery procedure, you have to remove CrySiS ransomware from the PC. It’s necessary because while malware remains on the system, it can easily encrypt files repeatedly. Nevertheless, you should also copy over all the encrypted data before Ransom.Crysis termination if you have no backups available, as deleting malware might permanently damage files.

For CrySiS removal, you should employ SpyHunter 5Combo Cleaner, Malwarebytes, or other reputable anti-malware software. If you are having issues within the normal mode, you should access Safe Mode with Networking as per the instructions below. Then, proceed with data recovery procedures – the success rate depends on which version of CrySiS ransomware you are dealing with. Additionally, if you noticed that your machine works sluggishly or crashes, we suggest using Reimage Reimage Cleaner for malware damage fix.

Crysis Master Key leaked: free decryptor is already here!

We have some great news for victims of CrySiS ransomware and for all victims infected with XTBL ransomware variants (these viruses typically append [victim’s ID].[email@address].xtbl file extensions to encrypted data). Shockingly, an unknown individual has registered on one security-related Internet forum and shared master keys[2] for all variants of ransomware in November 2016.

The individual shared keys in the form of a header file, which gives an idea that he or she is very closely related to this ransomware project or even is one of its developers. .XTBL viruses are known to be greedy and ask for enormous ransoms, so we are sure that such news is going to bring a lot of joy for victims who have lost their files in the past.

If you are a victim of the Crysis ransomware project, we hope that you still have encoded files on the computer, because malware experts have rapidly used leaked keys to update a Crysis decryptor.[3] You can find its download link in data recovery instructions under this post. Good luck and stay safe!

CrySiS ransomware decryption tools
Several free tools exist that can help victims to recover their files for free

CrySiS ransomware decryption tools
Several free tools exist that can help victims to recover their files for free

Criminals switched from malicious spam emails to RDP attacks

Once Crysis malware emerged, it was distributed via malicious spam emails that included some infected attachment. If a victim was tricked into opening it, the malicious payload was dropped on the system.

However, in September 2016,[4] malware researchers reported about a new method which CrySiS ransomware uses to infiltrate computers. The virus now uses Remote Desktop Protocol (RDP) to infiltrate computers instead of the previously practiced distribution using spam emails and deceptive software updates. The first attacks were spotted in Australia and New Zealand.

This distribution strategy allows searching the Internet for unprotected RDP channels and connecting to them. The computer admin’s password required to do that can be extracted by brute-forcing malicious attacks and finding a crack in the system.

What is especially concerning is that after gaining access to the Remote Desktop Protocol, the cyber criminals can install CrySiS not only on the hacked computer but on other devices connected via the same network (printers, routers, NAS, etc.) or even brute-force their way into the nearby computers.

This technique is not unprecedented, though. It has been used by the DMA Locker, Apocalypse, and several other ransomware and was proven successful. The ever-developing viruses are yet another reminder of the importance of keeping ourselves protected [5].

Furthermore, in February 2017, TrendMicro research team[6] has revealed some staggering statistics, indicating that Crysis has doubled the number of brute force attacks against corporations and institutions just within the month of January 2017.

The parasite which had previously targeted mainly Australia and New Zealand is now expanding to the rest of the world, and the experts keep recording a growing number of attacks in Europe and US. The virus especially focuses on healthcare institutions and looks for ways to infiltrate their inner networks. Brazil, Argentina, and Turkey suffered from the malware the most.

In particular, the attacks are carried out by searching for open RDP ports and then identifying whether the devices connected to these networks are some corporate computers. If they find that this is the case, hackers continue the attack and brute-force their way into the targeted computers by cracking the login name and password.

CrySiS virus uses RDP for propagation
CrySiS ransomware started using brute-force attacks through RDP in order to infect victims.

CrySiS virus uses RDP for propagation
CrySiS ransomware started using brute-force attacks through RDP in order to infect victims.

Tips to avoid ransomware attack

One of the main reasons why Crysis ransomware is so successful is due to a variety of distribution techniques used by its authors. A more diverse approach allows malicious actors to infect users more efficiently, as many victims do not protect their PCs comprehensively.

Security experts prompt users to proceed with the following advice[7].

  • Protect their computers with a reliable anti-virus and anti-spyware program.
  • Enabling firewall.
  • Install system and software updates regularly.
  • Always check for the software updates on the official websites rather than downloading them from random sites.
  • Do not open suspicious emails, especially spam.
  • Avoid visiting obscure and unreliable file sharing websites.
  • Refrain from downloading unknown software on your computer.

Since CrySiS is often spread via fake anti-malware software installers, it is important to download such files only from vendor’s websites, and never trust pop-ups and notifications which claim that your system is infected and needs to be scanned with anti-malware software provided on the site.

Instructions to remove CrySiS virus

Please, do not try to remove CrySiS ransomware manually. It’s a complex cyber threat that makes numerous changes to the system and might inject malicious code into legit system processes. Therefore, you should rely on reputable security software and let it remove this cyber threat without causing more damage to the system.

For CrySiS removal we recommend using Reimage Reimage Cleaner or Malwarebytes. However, there might appear obstacles which hinder successful elimination. But our team of experts has prepared instructions which should help you tame the virus and initiate the full system scan. Please check them below.

But before you do run the scan, make sure that your antivirus and malware removal utilities are updated to their latest version. Otherwise, the software may not be able to detect and delete CrySiS from your system, so the virus will continue rampaging on your computer.

Reimage Reimage Cleaner has a free limited scanner. Reimage Reimage Cleaner offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Remove CrySiS using Safe Mode with Networking

To remove ransomware files with the help of Safe Mode, use a guide provided below:

  • Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8

    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Log in to your infected account and start the browser. Download Reimage Reimage Cleaner or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete CrySiS removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove CrySiS using System Restore

Bonus: Recover your data

Guide which is presented above is supposed to help you remove CrySiS from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Being a CrySiS ransomware victim, you can be offered by its developers (e.g. hackers) to purchase a decryption tool which will supposedly solve all of your problems and recover the files that it has locked. DO NOT do that! With the cyber criminals, you have no guarantees that you will receive the decryption key or that it will be able to decrypt the locked files. You better eliminate the virus from your PC using Reimage Reimage Cleaner and use the data recovery methods provided below to try redeeming at least a small portion of your precious files.

If your files are encrypted by CrySiS, you can use several methods to restore them:

Opting for Data Recovery Pro method

Data Recovery Pro can be considered one of options capable of helping you recover your encrypted data. This program is designed to provide users the professional data recovery service. To use it properly, follow these guidelines: 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by CrySiS ransomware;
  • Restore them.

Using Windows Previous Versions feature

Windows Previous Versions feature is one of system features helping users recover their data after unexpected changes. In this case, you can try using this feature to recover your data after ransomware attack. NOTE: this method only valid if the System Restore function is enabled. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer data recovery method

The third data recovery method employs ShadowExplorer software which relies on Shadow Volume Copies. With their help, this program can recover damaged files. However, in this case, it is really important to check whether the ransomware did not remove these Shadow Volume Copies. If you are lucky enough, follow these steps here:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Using Crysis ransomware Decryptor

You can recover all your files for free using a special decryption software that has been updated on after one stranger leaked Crysis Master keys online. You can download the decryptor here. If you need more extensive details on how to use the decrytor, please check out the instructions provided by Kaspersky.

Additionally, other tools have been released that work with some Crysis versions:

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from CrySiS and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner , SpyHunter 5Combo Cleaner or Malwarebytes

This entry was posted on 2020-02-17 at 07:43 and is filed under Ransomware, Viruses.