Home / malware Ransom:MSIL/Crydap.A
First posted on 20 February 2016.
Source: MicrosoftAliases :
There are no other names known for Ransom:MSIL/Crydap.A.
Explanation :
Installation
This ransomware might arrive as a file named package.pdcr and seen being downloaded by TrojanDownloader:MSIL/Crydap.A.
When the ransomware is executed in the system, we have seen that it attempts to contact the following remote servers:
- annaflowersweb.com
- cloudnet.online
- jodielane100.com
- kundenserver.de
- shabanstore.com
- subzone3.2fh.co
It also creates a folder in %APPDATA% named PadCrypt and drops any of the following files:
- encrypted_files.dat - list of encrypted files
- HELP_YOUR_FILES.html - ransom note
- package.exe - copy of malware
- PadCrypt.exe - copy of malware
- unistl.exe - uninstaller
- wallpaper.bmp - ransomware wallpaper
It will also drop a copy of itself in your desktop with the file name PadCrypt.exe and IMPORTANT READ ME.txt file which contains encryption instructions.
It also creates the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\CurrentVersion\Run
Sets value: "PadCrypt"
With data: "%APPDATA%\PadCrypt\package.exe"
Payload
Encrypts files
When the ransomware successfully connects to any of the remote servers, it starts encrypting files in your default folders such as %User%\Download, %User%\Pictures, %User%\Documents.
It avoids default system folders like:
- C:\Documents and Settings
- C:\Program Files
- C:\Program Files (x86)
- C:\Recyclers
- C:\System Volume Information
- C:\Users
- C:\Windows
After encrypting files, the ransomware changes the desktop wallpaper to the following:
The ransomware has two ransom message versions. It indicates a few payment option such as Bitcoin, Ukash, Paysafecard:
If the user runs out of time before they send payment, they will see this message prompt:
The ransom victim also has the option to chat with the ransomware authors by launching the Chat/Live Support link found in the window. Currently, this cannot resolve to the remote server:
The ransomware also deletes shadow files to ensure that users can't restore files from local backup.
Analysis by Marianne MallenLast update 20 February 2016