What is known?
- On November 17, 2017, enSilo's Post-Infection Protection platform blocked, in real time, a variant of the CryFile ransomware that had a 0 detection rate in VirusTotal.
Technical analysis of CryFile:
The CryFile ransomware binary file contains the following static characteristics:
SHA256 Hash: 2cc830c530ae1c03d9c4a8ffb74aa39d4393f524177edb0166125d88d795e3be
File size: 23552 bytes
File Compile Time: 2017-09-20 12:54:20
On execution, the CryFile ransomware does two main things:
1) It encrypts some of the files on the affected system.
2) It fills the affected system drive completely.
The CryFile ransomware encrypts some of the files on the affected system. The file types that the ransomware encrypts are:
1cd, 7z, accdb, backup, cd, cdr, dbf, doc, docx, dwg, jpeg, jpg, mdb, odr, pdf, psd, rar, rtf, sqlite, tiff, txt, xlsx, xls, zip, dt, ert, pst, mdf, ldf
The files that are encrypted are then renamed in the following format:
Figure 3: In some directories, an encrypted file is created together with a folder named .corrupt
This folder contains the files that the ransomware did not fully encrypt. In addition, a file named DECRYPTKEY is created under the path C:exportKey. It holds the generated AES key, wrapped with the hardcoded RSA public key; the AES key is the one used to encrypt the files.
Figure 4: Hardcoded RSA public key. This public key is hardcoded and used in the encryption process.
RSA Public Key value:
- The ransomware encrypts 16 bytes on each iteration.
- It performs at most 0x32 (50) encryption iterations.
- On the last iteration 32 bytes are encrypted, but only 16 bytes are written to the file.
Furthermore, the encryption process uses the rand function, which returns a random number; this number decides how many bytes are written to the file. As a result, some files cannot be decrypted.
Figure 5: The encryption process
Filling the affected system drive: the CryFile ransomware creates a file called Fill0 under the path C:\fill and fills it with data until the drive is almost full.
Figure 6: Shows how the C: volume was filled after the execution of this ransomware
Figure 7: Huge file, C:\fill\fill0, showing the large size of this file
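As an added triage example (not enSilo's tooling or code from this post), the following Python script walks a directory tree and reports the post-infection artifacts described above: a file whose size and SHA256 match the sample, .corrupt folders, a DECRYPTKEY file, an oversized fill0 file, and a count of files carrying an extension on the target list. The 1 GiB "huge" threshold, the layout of the constructed demo tree, and matching DECRYPTKEY by name anywhere rather than only under its reported path are assumptions made for the example.

```python
"""Offline triage for the CryFile indicators described in the analysis.

Added example, not enSilo's tooling. It walks a directory tree and reports the
artifacts the analysis names: a binary matching the sample's size and SHA256,
".corrupt" folders, a DECRYPTKEY file, an oversized fill0 file, and how many
files carry an extension the ransomware targets.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Static indicators taken from the analysis above.
KNOWN_SAMPLE_SHA256 = "2cc830c530ae1c03d9c4a8ffb74aa39d4393f524177edb0166125d88d795e3be"
KNOWN_SAMPLE_SIZE = 23552
TARGETED_EXTENSIONS = frozenset("""
    1cd 7z accdb backup cd cdr dbf doc docx dwg jpeg jpg mdb odr pdf psd rar
    rtf sqlite tiff txt xlsx xls zip dt ert pst mdf ldf
""".split())
CORRUPT_DIR_NAME = ".corrupt"
KEY_FILE_NAME = "DECRYPTKEY"
FILL_FILE_NAME = "fill0"          # written as Fill0/fill0 on the page; matched case-insensitively
FILL_SIZE_THRESHOLD = 1 << 30     # assumption: 1 GiB counts as "huge"; tune per environment


@dataclass
class TriageReport:
    sample_matches: list[Path] = field(default_factory=list)
    corrupt_dirs: list[Path] = field(default_factory=list)
    key_files: list[Path] = field(default_factory=list)
    fill_files: list[Path] = field(default_factory=list)
    targeted_files: int = 0          # files whose extension is on the target list

    def suspicious(self) -> bool:
        """True if any CryFile-specific artifact was found (the extension count alone is not one)."""
        return bool(self.sample_matches or self.corrupt_dirs or self.key_files or self.fill_files)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path, fill_threshold: int = FILL_SIZE_THRESHOLD) -> TriageReport:
    """Walk `root` and collect every indicator from the analysis into a report."""
    report = TriageReport()
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        report.corrupt_dirs.extend(here / d for d in dirnames if d == CORRUPT_DIR_NAME)
        for name in filenames:
            path = here / name
            try:
                size = path.stat().st_size
            except OSError:          # vanished or unreadable file; keep scanning
                continue
            if name == KEY_FILE_NAME:
                report.key_files.append(path)
            if name.lower() == FILL_FILE_NAME and size >= fill_threshold:
                report.fill_files.append(path)
            if path.suffix.lstrip(".").lower() in TARGETED_EXTENSIONS:
                report.targeted_files += 1
            # Size is a cheap pre-filter: only files of the sample's exact size get hashed.
            if size == KNOWN_SAMPLE_SIZE and sha256_of(path) == KNOWN_SAMPLE_SHA256:
                report.sample_matches.append(path)
    return report


def build_demo_tree(root: Path) -> None:
    """Create a constructed layout mimicking the post-infection artifacts (test data only)."""
    (root / "docs" / CORRUPT_DIR_NAME).mkdir(parents=True)
    (root / "docs" / "report.docx").write_bytes(b"not really a docx")
    (root / "docs" / "notes.txt").write_bytes(b"plain text")
    (root / "docs" / "image.png").write_bytes(b"png is not on the target list")
    (root / "exportKey").mkdir()                                   # constructed stand-in for C:exportKey
    (root / "exportKey" / KEY_FILE_NAME).write_bytes(b"<constructed wrapped-key blob>")
    (root / "fill").mkdir()
    (root / "fill" / "Fill0").write_bytes(b"\0" * 4096)            # small stand-in for the drive-filling file
    (root / "dropper.bin").write_bytes(b"A" * KNOWN_SAMPLE_SIZE)   # right size, wrong hash: must not match


def demo(fill_threshold: int = 4096) -> TriageReport:
    """Build the constructed tree in a temp dir, triage it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        # Threshold lowered so the 4 KiB stand-in is flagged the way a real multi-GB fill0 would be.
        return triage(root, fill_threshold=fill_threshold)


if __name__ == "__main__":
    r = demo()
    print(f"suspicious={r.suspicious()} corrupt_dirs={len(r.corrupt_dirs)} "
          f"key_files={len(r.key_files)} fill_files={len(r.fill_files)} "
          f"targeted={r.targeted_files} sample_matches={len(r.sample_matches)}")
```

Run it against a mounted image or a live host's data volume with `triage(Path("D:/"))`; the size pre-filter keeps hashing cheap, and the extension count is reported separately because a large number of .docx or .txt files is normal on any host and only the named artifacts are evidence of this family.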
The CryFile ransomware sample was executed in a controlled environment protected by the enSilo platform.