New Cry Ransomware Strain Has Unusual Advanced Features

(Stu Sjouwerman) #1

Larry Abrams at Bleepingcomputer reported on a new strain with a few unusual features:

“A new ransomware that pretends to be from a fake organization called the Central Security Treatment Organization has been discovered by security researcher MalwareHunterTeam. When the Central Security Treatment Organization, or Cry, Ransomware infects a computer it will encrypt a victim’s files and then append the .cry extension to encrypted files. It will then demand approximately 1.1 bitcoins, or $625 USD, in order to get the decryption key.”

Abrams continued: “For example, like Cerber, this ransomware will send information about the victim to the Command & Control server using UDP. Furthermore, it will also use public sites such as and to host information about each of the victims. Last, but not least, it will query the Google Maps API to determine the victim’s location using nearby wireless SSIDs.”

This strain is clearly created by experienced coders that know what they are doing. Just look at the list of advanced features this Version 1.0 came out with. Looking at the resources spent to create this strain, you can expect a massive wave of attacks to follow soon. These bad guys have the resources and then some:

  • Uses UDP to communicate with the Command & Control Server to evade detection
  • Uses social networks to upload and host information about the victims using fake PNG files
  • Queries Google Maps API to identify victim location using nearby wireless SSID’s (!)
  • Deletes the system Shadow Volume Copies
  • Stays persistent after reboots Uses TOR payment site that requires the victim’s personal ID from ransomnote
  • Has functioning support page to communicate with the criminals
  • Includes a free (drag & drop, imagine that) decryption of one file to prove the files can be decrypted


I do find the use of Google maps and nearby SSIDs intriguing, but that doesn’t sound like a reliable source of location if one uses a laptop and is ‘mobile’ as a lot of us do/are these days. Does anyone know of a command line way to clear the recent SSIDs from a machine? I am thinking of a script that could be run periodically to limit the scope of nearby SSIDs. Of course that would make the current (more recent) list a more accurate representation of the machines location at the time of infection - have to think about that.

(kaysu A.) #4

yes the price for this ransomware is 1800$ …