Forbrukslån uten Sikkerhet | Pelinäppäimistö | Kredittkort | Strømpris Sammenligning | Beste Boligalarm | Hesteforsikring | Billigste Mobilselskaper | Advokat
Anti-VirusFeaturedRansomwareSecurityThe MSSP WorldZero Day Alerts

CUSTOMER ADVISORY WARNING: Variant of CryFile ransomware


 What is known?


  • November 17, 2017, enSilo’s Post-Infection Protection platform blocked in real-time, a variant of a CryFile ransomware and the 0-day detection rate in VirusTotal.

Technical analysis of cryfile:


The CryFile ransomware binary file contains the following static characteristics:

Filename: fdbe.exe
SHA256 Hash: 2cc830c530ae1c03d9c4a8ffb74aa39d4393f524177edb0166125d88d795e3be
File size: 23552 bytes
File Compile Time: 2017-09-20 12:54:20

On execution: CryFile ransomware does two main things:

1)  The CryFile ransomware encrypts some of the files on the affected system.
2)  Fills the affected system drive completely.

The CryFile ransomware encrypts some of the files on the affected system. The file types that the ransomware encrypts are:

1cd, 7z, accdb, backup, cd, cdr, dbf, doc, docx, dwg, jpeg, jpg, mdb, odr, pdf, psd, rar, rtf, sqlite, tiff, txt, xlsx, xls, zip, dt, ert, pst, mdf, ldf

The files that are encrypted are then renamed in the following format:

Figure 3.png

Figure 3: In some directories an encrypted file is created with a folder named .corrupt 

This folder contains the files that the ransomware didn’t fully encrypt. In addition, a file named DECRYPTKEY is created under the path C:exportKey. This file contains the generated key (AES key) wrapped by the public key that is used to encrypt the files.

Figure 4.png

Figure 4: Hardcoded RSA Public key -This public key is hardcoded and used in the encryption process. 

RSA Public Key value:


Encryption Begins:

  • Encrypting 16 bytes each time:
  • The ransomware does at most 0x32 encryption iterations
  • 32 bytes on the last encryption. 32 bytes are encrypted, but only 16 bytes are written to the file

Furthermore, the encryption process uses the rand function which gives a random number. This random number is used to decide how many bytes are written to the file. That means that some files can’t be decrypted.

Screen Shot 2017-11-22 at 08.32.56.png

Figure 5: The encryption process

Fills the affected system drive completely. The CryFile ransomware creates a file called Fill0 under the path C:fill and fills it with data until the drive is almost full.

Figure 6.png

Figure 6: Indicates how the C: volume was filled after the execution of this ransomware

Figure 7.png

Figure 7: Huge file – C:fillfill0 – identifies the large size of this file

The CryFile ransomware sample was executed in a controlled environment protected by enSilo platform .



Show More


Stephen Turner, the Director of Operations for predictiveIT, has spent the past 22 years involved in the technology realm and security. Stephen began his career in the United States Marine Corps as a Crypto Technician, before moving into the private sector. He has worked all facets of the Information Technology world including administration, security, consulting, project management, Director of Cyber Security and as a Chief Information Officer for nationwide organization where he was responsible for architecting the security infrastructure during the migration of the organization’s entire data center to the “cloud”. Stephen has trained as a Certified Ethical Hacker, Certified Information Systems Security Professional and as a Red Hat Certified Architect with a focus on Linux security.

Adblock Detected

Please consider supporting us by disabling your ad blocker