This week, ID-Ransomware’s Michael Gillespie noticed what appeared to be a new variant of the Crysis/Dharma Ransomware uploaded to his ID-Ransomware site. Jakub Kroustek then discovered a sample to confirm that it was indeed a new Crysis variant. This new version will append the .cobra extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past Crysis was typically spread by hacking into Remote Desktop Services and manually installing the ransomware.
When this Cobra ransomware variant is installed, it will scan a computer for data files and encrypt them. When encrypting a file it will append an extension in the format of .id-[id].[email].cobra. For example, a file called test.jpg would be encrypted and renamed to test.jpg.id-BCBEF350.[firstname.lastname@example.org].cobra.
It should be noted that this ransomware will encrypt mapped network drives and unmapped network shares. So it is important to make sure your network’s shares are locked down so that only those who actually need access have permission.
You can see an example of a folder encrypted by the Cobra Ransomware variant below.
When this variant encrypts a computer, it will also delete all of the shadow volume copes on the machine so that they can not be used to recover unencrypted files. It deletes them by running the vssadmin delete shadows /all /quiet command.
This ransomware will also create two different ransom notes on the infected the computer. One is theinfo.hta file, which is launched by an autorun when a user logs into the computer.
The other note is called Files encrypted!!.txt and can be found on the desktop.
Both of these ransom notes contain instructions to contact email@example.com in order to get payment instructions.
Finally, the ransomware will configure itself to automatically start when you login to Windows. This allows it to encrypt new files that are created since it was last executed.
It is not possible to decrypt the Crysis Cobra Ransomware
Unfortunately, at this time it is not possible to decrypt .cobra files encrypted by the Crysis Ransomware for free.
The only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies. Though Crysis does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for whatever reason. Due to this, if you do not have a viable backup, I always suggest people try as a last resort to restore encrypted files from Shadow Volume Copies as well.
How to protect yourself from the Crysis Ransomware
In order to protect yourself from Crysis, or from any ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
You should also have security software that contains behavioral detections such as Emsisoft Anti-Malware, Malwarebytes, or HitmanPro.Alert.
Last, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:
- Backup, Backup, Backup!
- Do not open attachments if you do not know who sent them.
- Do not open attachments until you confirm that the person actually sent you them,
- Scan attachments with tools like VirusTotal.
- Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
- Make sure you use have some sort of security software installed.
- Use hard passwords and never reuse the same password at multiple sites.
- If you are using Remote Desktop Services, do not connect it directly to the Internet. Instead make it accessibly only via a VPN.