
Cry128 Ransomware

Posted: May 5, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 1,543
First Seen: May 5, 2017
Last Seen: June 27, 2023
OS(es) Affected: Windows

The Cry128 Ransomware is part of the Crypton Ransomware family of file-encrypting Trojans. After the encryption routine locks your data, the Cry128 Ransomware creates messages redirecting you to its ransom-paying site for unlocking purposes. Malware experts recommend using any other recovery method, if possible, along with standard security practices and software for removing the Cry128 Ransomware.

Hibernating Trojans Spring Back to Life

Although large families of RaaS-based threats like the Cerber Ransomware, and even some versions of Hidden Tear, are responsible for the bulk of file-encrypting attacks this year, smaller groups of Trojans are also finding profit and success. Exemplifying this fact is the Crypton Ransomware (sometimes referred to as CryptON) and its new variant, the Cry128 Ransomware, which demonstrates some new behavioral changes in the program. However, the core of the Trojan's payload is still to hold your files hostage for payment via a data-encoding attack.

Threat actors are launching the Cry128 Ransomware manually on compromised systems that they gain control over after brute-forcing their passwords. Despite origins closely linked with Russia, the Cry128 Ransomware primarily targets English speakers with its ransom notes. The Cry128 Ransomware delivers these messages after it locks the victim's local files, such as documents.

The Cry128 Ransomware encrypts almost all media on the infected PC by using an AES-128-block algorithm with 1024-bit keys. Malware experts can confirm that multiple extensions, all with similar formats, are appended to the locked files, which could be symptomatic of different versions of this Trojan. All of them include personalized ID numbers, an address to the threat actor's TOR ransoming site, and a small, additional tag, such as an underscore. There's no way to open the locked media until they're decrypted again, although free solutions are available (see below).

Responding When Your Files Start Crying

The Cry128 Ransomware is particularly threatening because it doesn't select your files according to their formats. Instead, it encrypts everything that isn't in one of three directories, all of which are essential to the Windows OS. Due to variances between builds of the Cry128 Ransomware, your locked files may show larger or smaller size increases, varying between 16 and 132 additional bytes. Thanks to further research by Emsisoft, some variants of the Cry128 Ransomware are subject to free decryption tools, although malware experts warn that this solution isn't universally applicable to all versions of the Trojan.
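The two symptoms described above (an appended extension carrying a TOR address, and a size increase of 16 to 132 bytes) can be checked against a known-good backup during triage. The following Python sketch is an added example, not code from the original page or from any vendor tool; it assumes the TOR address appears in the appended suffix as a literal ".onion" string, and the file names in `demo()` are constructed placeholders.

```python
import os
import tempfile

GROWTH = range(16, 133)   # bytes added to locked files, per this page
ONION_MARKER = ".onion"   # assumption: suffix carries the Tor address as text


def classify(backup_name, backup_size, live_name, live_size):
    """Return True when the live file looks like a locked copy of the backup file."""
    if not live_name.startswith(backup_name) or live_name == backup_name:
        return False
    suffix = live_name[len(backup_name):]
    return ONION_MARKER in suffix.lower() and (live_size - backup_size) in GROWTH


def find_locked(backup_dir, live_dir):
    """Pair each backup file with renamed live files in the same relative folder."""
    hits = []
    for root, _dirs, files in os.walk(backup_dir):
        rel = os.path.relpath(root, backup_dir)
        live_root = os.path.normpath(os.path.join(live_dir, rel))
        if not os.path.isdir(live_root):
            continue
        live_files = [f for f in os.listdir(live_root) if os.path.isfile(os.path.join(live_root, f))]
        for name in files:
            size = os.path.getsize(os.path.join(root, name))
            for cand in live_files:
                cand_size = os.path.getsize(os.path.join(live_root, cand))
                if classify(name, size, cand, cand_size):
                    hits.append((os.path.normpath(os.path.join(rel, name)), cand, cand_size - size))
    return sorted(hits)


def demo():
    """Build a constructed backup/live pair in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = os.path.join(tmp, "backup"), os.path.join(tmp, "live")
        os.makedirs(backup)
        os.makedirs(live)
        for name in ("report.docx", "notes.txt"):
            with open(os.path.join(backup, name), "wb") as fh:
                fh.write(b"A" * 1000)
        # Constructed sample name; the ID and onion host are placeholders.
        with open(os.path.join(live, "report.docx.id_0000000000_exampleexample.onion._"), "wb") as fh:
            fh.write(b"B" * 1032)   # grew by 32 bytes: inside the reported range
        with open(os.path.join(live, "notes.txt"), "wb") as fh:
            fh.write(b"A" * 1000)   # untouched file, must not be reported
        return find_locked(backup, live)
```

Each hit is a tuple of the backup's relative path, the renamed live file, and the byte growth, which gives a list of files to restore from the backup or to try against a decryption tool.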

Although the SOP of threat actors with Trojans like the Cry128 Ransomware is asking for ransoms through their websites and text messages, paying carries with it no certainty of any decryption service. You can best protect your files by keeping copies of them on peripheral devices or cloud servers that the Cry128 Ransomware can't delete. Having professional password security standards and anti-malware products for removing the Cry128 Ransomware immediately may also prevent infections from taking place.

The Cry128 Ransomware's two hundred dollar fee in Bitcoins isn't the worst fate that could happen to users who don't protect their PCs or data. However, it is still an unnecessary expense that anyone could prevent with a few minutes of work.
