W32/Cryakl_V1_5_1_0!tr.ransom

description-logoAnalysis

W32/Cryakl_V1_5_1_0!tr.ransom is a detection for a Ransomware Cryakl v1.5.1.0 trojan.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • README.txt: This txt file will serve as ransom notes. It will be dropped in every affected folder.
    • %AppData%\Local\Temp\XXXXXXXXXX.exe: This is a copy of the malware itself, where X is any capital letter.
    • %Temp%\[UID] : This text file shows the end of encryption.

  • Affected files of this Ransomware will use the filenaming format email-biger@x-mail.pro.ver-CL 1.5.1.0.id-UID-{Random}.fname-{Original file name.Ext}.doubleoffset.

  • This malware was also observed to affect/encrypt files located on shared drive within the same subnet.

  • This malware may also apply the following autorun registries:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • [UID] = “%CurrentUser%\%AppData%\Local\Temp\XXXXXXXXXX.exe”, where X is any capital letter.

  • This malware may connect to any of the following remote site(s):
    • hxxp://gcr{Removed}.beget.tech

  • Below is a sample illustration of the Ransom notes:

    • Figure 1: Ransom notes.


    • Figure 2: Ransom notes.



recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR

Version Updates

Date Version Detail
2023-02-27 91.00976
2022-10-11 90.06793
2021-04-05 85.00239
2019-07-15 70.00300 Sig Updated
2019-04-30 68.17900 Sig Updated
2019-04-09 67.67400 Sig Updated
2019-01-09 65.51600 Sig Updated
2019-01-08 65.49600 Sig Updated
2019-01-08 65.49300 Sig Updated
2019-01-07 65.47000 Sig Updated