win.cryakl

Cryakl

aka: CryLock

There is no description at this point.

References
2020-09-13 — Twitter (@bartblaze) — BartBlaze
@online{bartblaze:20200913:cryakl:3d29bf0, author = {BartBlaze}, title = {{Tweet on Cryakl 2.0.0.0}}, date = {2020-09-13}, organization = {Twitter (@bartblaze)}, url = {https://twitter.com/bartblaze/status/1305197264332369920}, language = {English}, urldate = {2020-09-15} } Tweet on Cryakl 2.0.0.0
Cryakl
2020-01-16 — Twitter (@albertzsigovits) — Albert Zsigovits
@online{zsigovits:20200116:version:aadaa4d, author = {Albert Zsigovits}, title = {{Tweet on version 1.8.0.0 of CryAkl}}, date = {2020-01-16}, organization = {Twitter (@albertzsigovits)}, url = {https://twitter.com/albertzsigovits/status/1217866089964679174}, language = {English}, urldate = {2020-01-17} } Tweet on version 1.8.0.0 of CryAkl
Cryakl
2019-07 — HackMag — Fyodor Sinitsyn
@online{sinitsyn:201907:cryptoransomware:02f591e, author = {Fyodor Sinitsyn}, title = {{Crypto-Ransomware: Russian Style. Large-scale Research on Russian Ransomware}}, date = {2019-07}, organization = {HackMag}, url = {https://hackmag.com/security/ransomware-russian-style/}, language = {English}, urldate = {2020-01-08} } Crypto-Ransomware: Russian Style. Large-scale Research on Russian Ransomware
Cryakl
2018-07-17 — Kaspersky Labs — Kaspersky
@online{kaspersky:20180717:return:1dcb99e, author = {Kaspersky}, title = {{The return of Fantomas, or how we deciphered Cryakl}}, date = {2018-07-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/}, language = {English}, urldate = {2019-12-20} } The return of Fantomas, or how we deciphered Cryakl
Cryakl
2018-03-06 — Twitter (@demonslay335) — Michael Gillespie
@online{gillespie:20180306:cryakl:4a313ab, author = {Michael Gillespie}, title = {{Tweet on Cryakl}}, date = {2018-03-06}, organization = {Twitter (@demonslay335)}, url = {https://twitter.com/demonslay335/status/971164798376468481}, language = {English}, urldate = {2020-01-07} } Tweet on Cryakl
Cryakl
2017-07-18 — Elastic — Ashkan Hosseini
@online{hosseini:20170718:ten:af036b3, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } Ten process injection techniques: A technical survey of common and trending process injection techniques
Cryakl CyberGate Dridex FinFisher RAT Locky
2016-02-02 — Blaze's Security Blog — BartBlaze
@online{bartblaze:20160202:vipasana:cf5cdd6, author = {BartBlaze}, title = {{Vipasana ransomware new ransom on the block}}, date = {2016-02-02}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html}, language = {English}, urldate = {2020-09-15} } Vipasana ransomware new ransom on the block
Cryakl
2015-11-04 — Check Point — Check Point
@online{point:20151104:offline:c78ce9c, author = {Check Point}, title = {{“Offline” Ransomware Encrypts Your Data without C&C Communication}}, date = {2015-11-04}, organization = {Check Point}, url = {https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/}, language = {English}, urldate = {2020-09-15} } “Offline” Ransomware Encrypts Your Data without C&C Communication
Cryakl
2015-11-02 — Sophos — Sophos
@online{sophos:20151102:trojcryaklb:09148f2, author = {Sophos}, title = {{Troj/Cryakl-B}}, date = {2015-11-02}, organization = {Sophos}, url = {https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx}, language = {English}, urldate = {2019-11-28} } Troj/Cryakl-B
Cryakl
2014-10-22 — Kaspersky Labs — Артём Семенченко, Федор Синицын, Татьяна Куликова
@online{:20141022:cryakl:aaecc86, author = {Артём Семенченко and Федор Синицын and Татьяна Куликова}, title = {{Шифровальщик Cryakl или Фантомас разбушевался}}, date = {2014-10-22}, organization = {Kaspersky Labs}, url = {https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/}, language = {Russian}, urldate = {2019-12-16} } Шифровальщик Cryakl или Фантомас разбушевался
Cryakl
Yara Rules
[TLP:WHITE] win_cryakl_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_cryakl_auto {
    /* Purpose: flag samples of win.cryakl (aka CryLock) by matching
     * auto-extracted x86 instruction sequences taken from the family's
     * code. Read the DISCLAIMER below before assigning this rule a
     * confidence level: the sequences were selected by a tool from a
     * limited sample set, not hand-picked by an analyst.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a hex pattern of consecutive x86 instructions; the
     * commented listing under each one shows the bytes alongside the
     * disassembly they were taken from. The "??" bytes are YARA wildcards;
     * here they cover the 4-byte operand after e8 (a relative call target),
     * which depends on where the callee sits and so changes between builds.
     * In the "n = ..., score = ..." comments, n is the number of instructions
     * in the sequence; the meaning of score is tool-specific (see the
     * yara-signator repository linked above) and is not documented here.
     */
    strings:
        $sequence_0 = { e8???????? 8b45dc e8???????? 8bd8 8d55dc 8b45fc e8???????? }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   8d55dc               | lea                 edx, [ebp - 0x24]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e8????????           |                     

        $sequence_1 = { 8d45e0 e8???????? eb11 8d45e8 50 }
            // n = 5, score = 300
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   e8????????           |                     
            //   eb11                 | jmp                 0x13
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax

        $sequence_2 = { e8???????? 807dd601 750a c60600 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   807dd601             | cmp                 byte ptr [ebp - 0x2a], 1
            //   750a                 | jne                 0xc
            //   c60600               | mov                 byte ptr [esi], 0

        $sequence_3 = { 8d45e0 e8???????? 8b4604 8b55cc 33c9 890c90 }
            // n = 6, score = 300
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   e8????????           |                     
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]
            //   33c9                 | xor                 ecx, ecx
            //   890c90               | mov                 dword ptr [eax + edx*4], ecx

        $sequence_4 = { e8???????? 8d45e8 e8???????? 4e 0f850affffff }
            // n = 5, score = 300
            //   e8????????           |                     
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   e8????????           |                     
            //   4e                   | dec                 esi
            //   0f850affffff         | jne                 0xffffff10

        $sequence_5 = { 8d45e8 e8???????? eb10 8d45d4 }
            // n = 4, score = 300
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   e8????????           |                     
            //   eb10                 | jmp                 0x12
            //   8d45d4               | lea                 eax, [ebp - 0x2c]

        $sequence_6 = { e8???????? 807dd700 7565 8d55e8 8bc3 e8???????? 3c02 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   807dd700             | cmp                 byte ptr [ebp - 0x29], 0
            //   7565                 | jne                 0x67
            //   8d55e8               | lea                 edx, [ebp - 0x18]
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     
            //   3c02                 | cmp                 al, 2

        $sequence_7 = { 8d55d8 8d45e0 e8???????? 8d45d8 }
            // n = 4, score = 300
            //   8d55d8               | lea                 edx, [ebp - 0x28]
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   e8????????           |                     
            //   8d45d8               | lea                 eax, [ebp - 0x28]

    /* Match requires at least 7 of the 8 sequences above plus a scanned size
     * below 917504 bytes (896 KiB). Practical caveats:
     *  - The sequences come from unpacked files and memory dumps (see the
     *    DISCLAIMER), so a packed on-disk sample is unlikely to match; scan
     *    unpacked binaries or process memory instead.
     *  - The filesize bound is written for on-disk scans; confirm how
     *    filesize behaves in your memory-scanning setup before relying on it.
     *  - Several sequences are short, generic-looking code fragments, which
     *    is why the condition demands 7 of them rather than any single hit.
     *  - NOTE(review): the references on this page mention versions 1.8.0.0
     *    and 2.0.0.0 of the family; the rule itself gives no indication of
     *    which versions it was derived from or tested against, so treat
     *    cross-version coverage as unverified.
     */
    condition:
        7 of them and filesize < 917504
}