
Cl Ransomware

Posted: September 8, 2020

The Cl Ransomware is a file-locker Trojan from the family of the Dharma Ransomware (AKA the Crysis Ransomware). Most infections encrypt a wide range of file formats on the computer and drop ransom notes that sell a possible unlocking service to the victim. Users should protect sensitive files with backups on other devices and let their anti-malware solutions delete the Cl Ransomware once they identify it.

A Trojan Kit Family Struggles to Remain on Top

Definitively one of the largest families of file-locking Trojans in the current year, the Crysis Ransomware owes much of its widespread use by various threat actors to the usability of the Ransomware-as-a-Service model. Other, smaller groups also are part of the threat landscape (such as occasional forays from Hidden Tear or the Snatch Ransomware, and more persistent offerings from the STOP Ransomware). Despite that, the Crysis Ransomware group maintains an overall lead over most RaaSes. A newfound case in point, the Cl Ransomware, shows how little this 'business' needs adjusting to keep sliding fresh ransoms into its wallet.

Samples of the Cl Ransomware's executables arrive at the same time as another relative of its kit-based family, the Bmd Ransomware. Although some versions of the Crysis Ransomware family utilize other software's UIs as distractions, this feature isn't universal, and malware experts can't confirm it for the Cl Ransomware. The Trojan still is, unfortunately, capable of locking files by encrypting them with AES and then protecting the AES key with RSA, so the files can't be recovered without the attacker's private key.

The file-locking attack to which the Cl Ransomware's family owes most of its infamy targets and blocks files according to their formats and focuses (but not exclusively) on widely-used media like documents or pictures. A file name search for the Trojan's 'cl' extension (note the lowercase 'L'), which the Trojan appends to each encrypted file along with other ransoming information such as a victim ID and a contact address, will help identify all the blocked content quickly. Free decryptors in the public domain only cover older versions of this family and aren't compatible with its modern variants. However, the Trojan does sell a ransom-based alternative with an accompanying pop-up alert (an HTA, or HTML Application window).
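To show what that file name search looks like in practice, here is an added example (it is not code from the original article, nor from the Trojan's authors). It assumes the usual Dharma/Crysis naming layout, `original.ext.id-<8 hex digits>.[<contact e-mail>].cl`, which is an assumption rather than something the page states, and it scans a directory tree, pulls the victim ID and contact address out of each renamed file, and summarises the damage by contact address and original file type. The file names it creates under a temporary directory are constructed sample data, not real victim files.

```python
import os
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Hypothetical pattern for names written by this family: the original name,
# then ".id-<victim ID>.[<contact e-mail>].cl". The general Dharma/Crysis
# layout and the 8-hex-digit ID are assumptions for this example. The final
# extension is matched case-sensitively because the Trojan writes it lowercase.
LOCKED_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]]+)\]\.cl$"
)


def parse_locked_name(name: str):
    """Return the fields embedded in an encrypted file's name, or None if it doesn't match."""
    m = LOCKED_NAME.match(name)
    if not m:
        return None
    fields = m.groupdict()
    # The original extension (e.g. ".docx") survives inside the renamed file.
    fields["original_ext"] = Path(fields["original"]).suffix.lower()
    return fields


def scan_tree(root):
    """Walk a directory tree and collect every file whose name matches the pattern.

    Returns (locked_files, summary); the summary counts files per contact
    address and per original extension, which is what a responder needs to
    scope the damage and to tell one campaign from another.
    """
    locked = []
    by_email = defaultdict(int)
    by_ext = defaultdict(int)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            f = parse_locked_name(fn)
            if f is None:
                continue
            f["path"] = os.path.join(dirpath, fn)
            locked.append(f)
            by_email[f["email"]] += 1
            by_ext[f["original_ext"]] += 1
    return locked, {"by_email": dict(by_email), "by_ext": dict(by_ext)}


# Constructed sample names (not real victim data) used to exercise the scanner.
SAMPLE_NAMES = [
    "budget 2020.xlsx.id-1A2B3C4D.[contact@example.test].cl",
    "photo.JPG.id-1A2B3C4D.[contact@example.test].cl",
    "notes.txt",                                           # untouched file
    "report.docx.id-1A2B3C4D.[contact@example.test].CL",   # wrong case: not this Trojan's
    "thesis.pdf.id-DEADBEEF.[other@example.test].cl",      # a second campaign/contact
]


def build_sample_tree(root):
    """Create the constructed sample files under root so the scan can run offline."""
    sub = Path(root) / "Documents"
    sub.mkdir(parents=True, exist_ok=True)
    for name in SAMPLE_NAMES:
        (sub / name).write_bytes(b"")
    return str(root)


def scan_sample():
    """Build the constructed tree in a temporary directory, scan it and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    locked, summary = scan_sample()
    for f in locked:
        print(f["path"], "->", f["original"], f["victim_id"], f["email"])
    print(summary)
```

Run it against a real share by calling `scan_tree("D:\\")` (or the mounted path) instead of `scan_sample()`; the per-address count tells you whether every locked file belongs to one intrusion, and the per-extension count tells you what kind of data was hit before you start restoring from backups.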

Erasing the 'Ransom' Part of Illicit Software

The Cl Ransomware's extension and contact addresses are the few details that make it different from its hundreds of counterparts that also owe their existence to the Crysis Ransomware kit. Other examples include the Rxx Ransomware, the Wiki Ransomware, and the seminal Dharma Ransomware variant of years past. A commonality between nearly all of them is a feature for deleting the Shadow Volume Copies (the data behind Windows Restore Points and 'Previous Versions'), which helps prevent users from getting their data back without paying a ransom, even when no other backup is available.
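Because that deletion step is shared across the family and runs before the files are worth a ransom, it is a good place to detect an infection. The following is an added example, not code from the article or from any vendor: a small detection routine run over constructed process-creation records in a hypothetical `timestamp|host|parent_image|image|command_line` layout. It flags the `vssadmin delete shadows` command that Dharma-style samples issue, and, as a generalisation beyond this family, the equivalent `wmic shadowcopy delete`. The log lines, host names and the `mewler.exe` parent path are all constructed for the example.

```python
import re

# Shadow-copy deletion commands worth alerting on. The vssadmin form is the one
# Dharma/Crysis samples are known to use; the wmic form is a generalisation
# (other ransomware uses it). Matching is on the command line, case-insensitive.
SHADOW_WIPE_RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
]

# Parents from which this command is expected in normal administration; anything
# else (a user-writable Temp path, an Office binary) raises the severity. This
# allow-list is a hypothetical example, tune it for your environment.
EXPECTED_PARENTS = ("\\system32\\cmd.exe", "\\system32\\svchost.exe", "\\system32\\wbem\\")

# Constructed sample records (hypothetical format: ts|host|parent_image|image|command_line).
SAMPLE_LOG = (
    "2020-09-08T10:14:02Z|WS-17|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt\n"
    "2020-09-08T10:15:31Z|WS-17|C:\\Users\\bob\\AppData\\Local\\Temp\\mewler.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet\n"
    "2020-09-08T10:15:31Z|WS-17|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet\n"
    "2020-09-08T10:16:05Z|WS-22|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows\n"
    "2020-09-08T10:17:40Z|WS-22|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|WMIC.exe shadowcopy delete\n"
)


def parse_record(line):
    """Split one pipe-delimited record; the command line may itself contain '|', so split at most 4 times."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def classify_parent(parent_image):
    """'high' when the launching process is outside the expected administrative parents."""
    p = parent_image.lower()
    return "medium" if any(token in p for token in EXPECTED_PARENTS) else "high"


def detect_shadow_wipe(log_text):
    """Return one alert per record whose command line matches a shadow-copy deletion rule."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_record(raw)
        for pattern, label in SHADOW_WIPE_RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({**ev, "rule": label, "severity": classify_parent(ev["parent"])})
                break   # one rule per record is enough
    return alerts


def hosts_to_isolate(alerts):
    """Hosts with at least one alert, for the responder's containment list."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    found = detect_shadow_wipe(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['host']} [{a['severity']}] {a['rule']}: {a['cmdline']} (parent {a['parent']})")
    print("isolate:", hosts_to_isolate(found))
```

Note that `vssadmin list shadows` is deliberately not matched; legitimate backup agents enumerate shadow copies all the time, and alerting on the verb `delete` only keeps the rule quiet. The severity bump for an unexpected parent is what separates the `mewler.exe`-spawned shell from an administrator running the same command from a console.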

However, effective backup management still can neuter the Cl Ransomware's attacks. Backups on cloud storage or detachable drives, kept disconnected except while the backup job runs, are out of the Trojan's reach; a drive that stays mounted during the infection gets encrypted like any other volume. Malware researchers also rate this family, including the latest variants, as limited in obfuscation and not capable of evading detection through standard threat-identifying heuristics. Cyber-security products that include file-locking Trojans in their databases should flag this Trojan's installer and block it, whether it arrives as an intentional download like a torrent or an unintentional one like an e-mailed document exploit.

Besides the importance of not rewarding criminals for attacking files, Windows users should remember common-sense steps like installing software updates, using good passwords, and disabling exploitable features like JavaScript in browsers and document readers where they aren't needed. Although efficient anti-malware products can remove the Cl Ransomware, they can't decrypt the files it has already locked.

The Cl Ransomware currently is circulating under the name 'mewler.' Although malware analysts aren't familiar with any significant Windows applications or other products with this name, it might be the only forewarning a victim has before permanent file-accessibility problems ensue.
