Analysis
MSIL/Crypren_V2_0!tr.ransom is a generic detection for a Crypren ransomware trojan. Because this is a generic detection, the malware may exhibit varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
  - %Desktop%\#DECRYPT MY FILES#.txt: A text file that serves as the ransom note.
  - %Desktop%\#解密我的文件#.txt: A text file that serves as the ransom note in Chinese.
  - %Desktop%\#РАСШИФРОВЫВАТЬ МОИ ФАЙЛЫ#.TXT: A text file that serves as the ransom note in Russian.
  - %Desktop%\WallPaper.bmp: A picture that serves as the ransom note.
- This malware was also observed to affect/encrypt files located on shared drives within the same subnet.
- This ransomware also changes the desktop background to the ransom note.
- Affected files are renamed using the filename format {Originalname.Ext}.[fileslocker@pm.me].
- This is the Crypren 2.0 version of the ransomware, which has the same characteristics/behaviours as other versions of Crypren. Generic description for Crypren: MSIL/Crypren.FA2A!tr.ransom.
- Below are illustrations of the malware's ransom notes:
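
A triage check built from the file indicators in the list above (the ransom-note names and the `.[fileslocker@pm.me]` suffix), as an added example that is not part of the original analysis. The directory tree it scans is constructed sample data, and `scan` and `build_sample_tree` are hypothetical helper names.

```python
import os
import tempfile

# Indicators from the description above. Names are casefolded so the match is
# case-insensitive, as on Windows file systems. WallPaper.bmp is left out
# because that name alone is too generic to be a reliable signal.
NOTE_NAMES = {n.casefold() for n in (
    "#DECRYPT MY FILES#.txt",
    "#解密我的文件#.txt",
    "#РАСШИФРОВЫВАТЬ МОИ ФАЙЛЫ#.TXT",
)}
SUFFIX = ".[fileslocker@pm.me]"


def scan(root):
    """Walk root and return (ransom_notes, renamed).

    renamed maps each affected path to the original file name, recovered by
    stripping the suffix from {Originalname.Ext}.[fileslocker@pm.me].
    """
    notes, renamed = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            folded = name.casefold()
            if folded in NOTE_NAMES:
                notes.append(path)
            elif folded.endswith(SUFFIX) and len(name) > len(SUFFIX):
                renamed[path] = name[: -len(SUFFIX)]
    return sorted(notes), renamed


def build_sample_tree(root):
    """Create a constructed tree of empty files standing in for a real host."""
    for rel in ("Desktop/#DECRYPT MY FILES#.txt",
                "Desktop/report.docx" + SUFFIX,
                "share/photo.jpg" + SUFFIX,
                "share/untouched.xlsx"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found_notes, found_renamed = scan(tmp)
        print("ransom notes:", found_notes)
        for affected, original in found_renamed.items():
            print(affected, "->", original)
```

Pointing `scan` at a user profile and at each mounted share gives a quick view of how far the renaming reached, since the description notes that shared drives on the same subnet are affected.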