
CryBrazil Ransomware

Posted: June 4, 2018

The CryBrazil Ransomware is a file-locking Trojan that reuses code from Hidden Tear and EDA2 to block access to media such as documents and spreadsheets. Its attacks include renaming the encrypted files, changing the Windows desktop wallpaper, and dropping a ransom message that offers the decryption tool for sale. Have your anti-malware products block or delete the CryBrazil Ransomware, as appropriate, and keep secure backups that are not stored on the local machine for all of your data-recovery needs.

A Trojan's Plan for Extortion that's Stopped as Soon as It Starts

File-locker Trojan campaigns exist in regions as different as Japan, South America, and the United States, and Brazil is one of many recurring targets this year. Threat actors frequently do not build the Trojans for these attacks from scratch; instead, they take most of the code from another source and make minor edits to the parts that collect money. The CryBrazil Ransomware, the latest variant of Hidden Tear, was only just identified through its executable samples, but its Command & Control (C&C) infrastructure has already been disrupted completely.

Although the Command & Control portion of the CryBrazil Ransomware's payload is not operational currently, the Trojan's AES-based encryption is intact. The attack can 'lock' files such as XLS spreadsheets, PDF or DOC documents, JPG or GIF pictures, and other media, and appends a '.crybrazil' extension to each name afterward. Depending on the number and size of the files, malware experts note that the attack can complete in seconds, with no symptoms other than the renamed files.

The CryBrazil Ransomware does create visual evidence afterward: an image that it forces onto the user's wallpaper, along with an HTML ransom message that it places directly on the desktop. Malware experts find only text aimed at Brazilian victims in both of these components. They also are unable to analyze the ransoming method adequately, because the Web page contains nothing more than a link to a website that is currently down (the link redirects the browser to an unrelated domain). The background image does give the victim an e-mail address for negotiating, but no information on a ransom fee, a time limit or other details.

Keeping the Count of Tears Down in Brazil

Because of the semi-public nature of Hidden Tear's code, threat actors deploying file-locking Trojans almost identical to the CryBrazil Ransomware are abundant around the world. While its payload is specialized for Brazilian victims, the administrator's country of origin is uncertain: the program also makes use of some French-language components and Italian Visual Basic resources. Hidden Tear's encryption is effective against virtually all media types, without regard for constraints such as local language settings, even though some threat actors limit their attacks to exclude 'undesirable' residents of particular regions.

Malware experts also confirm that the CryBrazil Ransomware's installer uses a fake PDF disguise, which may indicate that the campaign circulates through spam e-mails. Users should be mindful of the risks of e-mail attachments that pretend to be messages from coworkers, automated hardware or delivery services. Victims who have no backups also can contact appropriate, experienced anti-malware researchers for decryption help, since many versions of Hidden Tear use non-secure encryption methods. Many anti-malware brands block or remove the CryBrazil Ransomware automatically through heuristic detection of Hidden Tear, as is true of other members of the family.
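The two observable indicators described above, the '.crybrazil' extension appended to locked files and an installer that wears a PDF disguise while actually being a Windows executable, lend themselves to a simple file-system triage check. The following script is an added example written for this page; it is not code from the original article and not the Trojan's own code. It assumes only what the text states (the extension and the PDF disguise), identifies a Windows executable by its 'MZ' header and a real PDF by its '%PDF-' header, and builds its own constructed sample directory so it runs offline; the file names in that sample tree are invented for illustration.

```python
"""Triage helper for CryBrazil-style indicators (added example, not the
article's or the malware's code): reports files renamed with a '.crybrazil'
extension and files whose name claims to be a PDF but whose bytes are a
Windows executable. Sample files are constructed inline."""
import os
import tempfile

LOCKED_EXT = ".crybrazil"   # extension the article says the Trojan appends
PDF_MAGIC = b"%PDF-"        # genuine PDF files begin with this header
PE_MAGIC = b"MZ"            # Windows executables (PE) begin with this header


def sniff_kind(path):
    """Classify a file by its leading bytes, ignoring its name entirely."""
    with open(path, "rb") as f:
        head = f.read(len(PDF_MAGIC))
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "other"


def triage(root):
    """Walk `root` and return findings:
    'locked'    -> (path, original name) for files carrying the .crybrazil extension
    'disguised' -> paths whose name contains '.pdf' but whose content is a PE file
    """
    findings = {"locked": [], "disguised": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(LOCKED_EXT):
                # Strip the appended extension to recover the pre-attack name.
                findings["locked"].append((path, name[: -len(LOCKED_EXT)]))
                continue
            # A '.pdf' anywhere in the name (e.g. 'x.pdf.exe', which Explorer may
            # show as 'x.pdf') combined with a PE header is the disguise pattern.
            if ".pdf" in lower and sniff_kind(path) == "pe":
                findings["disguised"].append(path)
    return findings


def build_sample_tree():
    """Create a throwaway directory of constructed sample files:
    one locked spreadsheet, one untouched picture, one real PDF and one
    executable disguised as a PDF (all names and bytes are invented)."""
    root = tempfile.mkdtemp(prefix="crybrazil_demo_")
    samples = {
        "budget.xls.crybrazil": b"\x00" * 64,          # already-locked spreadsheet
        "photo.jpg": b"\xff\xd8\xff" + b"\x00" * 16,     # untouched JPEG
        "invoice.pdf": b"%PDF-1.4\n%constructed",        # genuine PDF
        "fatura.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,  # PE file wearing a PDF name
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = triage(sample_root)
    for path, original in result["locked"]:
        print(f"locked   : {path} (was {original})")
    for path in result["disguised"]:
        print(f"disguised: {path} claims to be a PDF but has a PE header")
```

Run the script as-is to see it flag the constructed samples, or call `triage()` on a real user profile directory during incident triage; matching on the header rather than the displayed name is what defeats the hidden-extension trick the disguise relies on.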

Without a payment-collecting server, the CryBrazil Ransomware has limited means of delivering any profit to its authors. That problem, however, offers no protection against the portion of its payload that is dedicated to sabotaging your files. Just like the Ultimo Ransomware, the Curumim Ransomware, the BASS-FES Ransomware, the Lockify Ransomware and other copies of Hidden Tear, the CryBrazil Ransomware is an immediate danger to any user whose data is not preserved on a second device.
