Home Malware Programs Ransomware Cryakl Ransomware

Cryakl Ransomware

Posted: July 28, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 192
First Seen: July 28, 2016
Last Seen: August 31, 2020
OS(es) Affected: Windows

The Cryakl Ransomware is a Trojan that enforces ransom demands against PC users by encrypting and blocking their data. The Cryakl Ransomware campaign forces victims into paying for data retrieval, and malware analysts continue stressing taking pre-infection steps for protecting your files. In addition to whatever procedures called for to recover your data, removing the Cryakl Ransomware as soon as possible through appropriate anti-malware products can keep any other content from coming under attack.

Why 'Windows' is Making You Pay for What's Yours

Taking files at their word based on their names is one of the many ways uninformed PC users are exploitable by threatening software. The Cryakl Ransomware is one of the newest threats taking advantage of this tactic, with a campaign targeting Windows users via a fake SVCHOST file (in this Trojan's case, named schvost.exe). Once on a new Windows machine, the Cryakl Ransomware tries to encrypt the contents of its hard drives.

The Cryakl Ransomware, like many file encryption Trojans, targets media according to the extensions each file uses. Its whitelist for encryption includes prolific formats, such as JPG images and DOC documents, as well as lesser-used ones, such as copyright-protected M4V videos. The list does not target any executable data or components essential for running any applications. The Cryakl Ransomware then uses a custom, asymmetric encryption algorithm for modifying their internal data, making them unreadable.

The Cryakl Ransomware renames the encrypted content with new extensions. Although other sources report the Cryakl Ransomware using different extensions, malware experts can only confirm the '.the Cryakl' tag. As a final act, the Trojan creates ransom messages in both image formats and text ones, all redirecting the victim to a Bitcoin payment procedure for buying a decryptor.

Taking the Crackle out of the Cryakl Ransomware

While the Cryakl Ransomware isn't a particularly old threat, most PC security products have good detection rates against it. A majority identify it generically, with a minority identifying the Cryakl Ransomware as a variant of the '.locky File Extension' Ransomware. Although the Cryakl Ransomware has no code-based connections to other threat families, some versions of its ransom message do share e-mail addresses with the '.777 File Extension' Ransomware, which could be indicative of the same developers managing in this new campaign.

Detecting the Cryakl Ransomware after it conducts its attacks does nothing to save any encrypted content, and paying the Cryakl Ransomware's ransom may not correlate with a real decryption service. Because of the innate vulnerability of local data and backups, malware experts advise keeping non-local backups that you could use to restore any damaged files. Kaspersky Lab also has provided a decryptor application at no charge that may reverse the encryption process, in some cases.

Even PC users with safe files should use reliable anti-malware tools when deleting the Cryakl Ransomware is required. Doing so promptly will stop any prospects of additional damage, such as seeing your content wiped after ignoring the Cryakl Ransomware's three-day 'time limit.' As usual, rushing to mind good security protocols is both safer and cheaper than following any advice given by a Trojan.

Update December 10th, 2018 — '.doubleoffset File Extension' Ransomware

The '.doubleoffset File Extension' Ransomware is a variant of the Cryakl Ransomware, a family of file-locking Trojans. Its attacks shouldn't damage the programs' executables but can harm most media formats, such as text documents, images or music, and stop them from opening. Having a comprehensive backup plan and a credible anti-malware product for removing the '.doubleoffset File Extension' Ransomware are mandatory steps for countering any infections.

Snap, Craykl, Pop is Coming Back

The Cryakl Ransomware isn't extinct, even though malware researchers don't see enough variations to make it a serious competitor against families like Hidden Tear,the Scarab Ransomware, or the Globe Ransomware. After maintaining two years of activity through minor updates like the '.fairytail File Extension' Ransomwar, there's another version in the wild in time for Christmas. Attacks by the '.doubleoffset File Extension' Ransomware include all of the expected features of a file-locking Trojan, such as pop-ups, file-renaming, and, of course, encryption.

Malware experts are confirming the '.doubleoffset File Extension' Ransomware's using fake Windows 'screen saver' files for installing itself, although the associated exploits may range from JavaScript-based browser attacks to spam e-mails or torrenting. It disguises its C&C connection for contacting the threat actor by using a traditionally HTPP-oriented port and may download and launch additional files, as well. However, it's the RSA encryption feature that forms the '.doubleoffset File Extension' Ransomware's defining feature as a way of blocking media.

Users can identify the locked files from both the extension (from the Trojan's name) that the '.doubleoffset File Extension' Ransomware appends, as well as other, prepended information: an e-mail address and an ID serial. Both of these details are parts of the '.doubleoffset File Extension' Ransomware's ransoming negotiations, which it advocates with the help of a Notepad file and an automatically-launching pop-up.

How notto Get Upset Over Your Files Getting Offset

While the '.doubleoffset File Extension' Ransomware's family is known for targeting Russian residents formerly, PCs around the world are vulnerable to RSA encryption similarly, which will block their files automatically. There is a free decryption solution for some versions of the Cryakl Ransomware, but, due to the updating of encryption algorithms being straightforward, malware experts recommend against assuming that they'll work. New file-locker Trojans, even variants of previous ones, like the '.doubleoffset File Extension' Ransomware, are most readily stopped from harming files by having backups for recovering after disinfection.

Spam e-mails are a known factor in the Cryakl Ransomware's distribution. Users could receive messages claiming that they've failed to pay legal fees, have a court appointment, or have broken homeowners' associations' regulations. Keeping the databases of your anti-malware services updated will help with identifying and removing the '.doubleoffset File Extension' Ransomware preemptively and accurately.

As small as a family as the '.doubleoffset File Extension' Ransomware's might be, its strategy for encryption isn't losing its viability any time soon. As malware researchers race with finding new versions of past Trojans, it remains up to the average PC owner to protect their digital property.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



5b2218963acb4c8327bde5e7709e4226 File name: 5b2218963acb4c8327bde5e7709e4226
Size: 768.6 KB (768607 bytes)
MD5: 5b2218963acb4c8327bde5e7709e4226
Detection count: 69
Group: Malware file
file.exe File name: file.exe
Size: 255.48 KB (255488 bytes)
MD5: defa18530a4c0becd7dc14bb6484adcb
Detection count: 44
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
file.exe File name: file.exe
Size: 273.92 KB (273920 bytes)
MD5: 326cb4b4e4a6cff116c2a9547040d473
Detection count: 36
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
C:\Users\<username>\AppData\Local\Temp\IJKLOPQRST.exe File name: IJKLOPQRST.exe
Size: 390.65 KB (390656 bytes)
MD5: 199833c673f8d894b1b6f6789c195057
Detection count: 21
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\AppData\Local\Temp
Group: Malware file
Last Updated: December 11, 2018
34ed2523a82ed23025cb7ad647069882 File name: 34ed2523a82ed23025cb7ad647069882
Size: 451.67 KB (451679 bytes)
MD5: 34ed2523a82ed23025cb7ad647069882
Detection count: 9
Group: Malware file
Last Updated: August 31, 2020
Loading...