Crysis Ransomware

Posted: February 19, 2016
Threat Metric
Threat Level: 10/10
Infected PCs: 81,620

Crysis Ransomware Description


The Crysis Ransomware is a file-encrypting Trojan. It abuses encryption algorithms, which would typically protect digital content, to make your data inaccessible and hold it for ransom. Since con artists will not necessarily honor any obligation to deliver a decryptor, malware researchers always espouse the use of backups as a safe and reliable data recovery strategy. A full removal of the Crysis Ransomware also requires edits to your system Registry and other OS components, which are most easily handled by automated anti-malware products.

The Danger of Playing a Game of Crysis

A great many PC owners think of malware as a mostly silent threat that can only harm your machine when you fail to identify it. However, this narrow view of threatening software overlooks one of the most popular types of Trojans for 2015 and 2016: the file-encrypting Trojan. Threats like the Crysis Ransomware conduct their initial attacks without significant symptoms but afterward show clear signs of their presence, so by the time the infection becomes visible, potentially irreversible damage has already been incurred.

The Crysis Ransomware's initial installation includes a Registry-modifying exploit that enables the program to launch when Windows starts. The first half of its payload scans your computer for files in formats it deems worthy of encrypting. While the Crysis Ransomware targets the usual document, image and audio formats, it also attacks some niche ones compared to the older file encryptors that malware experts have examined in the past few months. Some examples include Access databases, components of Apple software like iTunes, and replays of online gaming sessions.

All content falling under the Crysis Ransomware's relatively broad net runs through an encryption algorithm, which prevents your programs from opening it. Each file is also given a new extension, the '.Crysis' string, appended to the end of its name.

The Crysis Ransomware's last act is to place ransom notes in different formats on your PC, as well as lock your desktop background to a BMP-based note. E-mail communications are its recommended method for procuring a decryption solution, which victims typically are expected to pay for in Bitcoin currency.

Taking the Crisis out of Your Computer Files

There is always the risk of gaining nothing from paying a ransom for your content. Given time, some PC security institutions may develop decryption solutions for the Crysis Ransomware's attacks that will not require a purchase. Before then, your clearest means of self-defense is to keep multiple backups in locations unlikely to be scanned by the Crysis Ransomware, such as password-protected servers or unattached devices.

Although a clear majority of file encryption threats travel through disguised e-mail attachments, malware researchers have also seen other infection vectors in use. The Crysis Ransomware's extension of choice could be a symptom of its sharing an installation strategy with the Mahasaraswati Ransomware: pirated installers for Crytek's Crysis video game. Downloading illicit media is one of the shortest routes to exposing your PC to more than one kind of threat.

Properly deleting the Crysis Ransomware also requires deleting components that conceal themselves in default Windows folders and other areas of your OS. Average PC operators can do so most comfortably and efficiently by scanning their systems with one or more anti-malware products. Since the Crysis Ransomware has no self-distribution mechanisms of note, malware experts warn that associated threats, such as a Trojan downloader, may also be present.

However you choose to remove it, the Crysis Ransomware clearly is only a crisis to the wallets of the ill-prepared.


Technical Details

File System Modifications


The following files were created in the system:




Registry Modifications


The following newly produced Registry Values are:

Regexp file mask

%APPDATA%\[RANDOM CHARACTERS]_201[NUMBERS]-[NUMBERS]-[NUMBERS]_[NUMBERS]-[NUMBERS].exe
%APPDATA%\exe.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[RANDOM CHARACTERS]_201[NUMBERS]-[NUMBERS]-[NUMBERS]_[NUMBERS]-[NUMBERS].exe
%appdata%\microsoft\windows\start menu\programs\startup\[RANDOM CHARACTERS]payload.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Skanda[RANDOM CHARACTERS].exe
%APPDATA%\microsoft\windows\start menu\programs\startup\winhost.exe
%APPDATA%\osk.exe
%APPDATA%\setap[RANDOM CHARACTERS].exe
%APPDATA%\Skanda[RANDOM CHARACTERS].exe
%userprofile%\documents\system.exe
%windir%\system32\payload.exe
%WINDIR%\System32\Skanda.exe
%windir%\syswow64\payload.exe
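The file masks listed above can be turned into a path check for triaging a directory listing or a file-creation log. The Python code below is an added example, not code from this page or from any vendor tool; the environment-variable expansions (default Windows layout), the meaning given to [RANDOM CHARACTERS] and [NUMBERS], and the sample paths are assumptions constructed for illustration.

```python
import re

# File masks copied from the "Regexp file mask" list on this page.
MASKS = [m for m in r"""
%APPDATA%\[RANDOM CHARACTERS]_201[NUMBERS]-[NUMBERS]-[NUMBERS]_[NUMBERS]-[NUMBERS].exe
%APPDATA%\exe.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[RANDOM CHARACTERS]_201[NUMBERS]-[NUMBERS]-[NUMBERS]_[NUMBERS]-[NUMBERS].exe
%appdata%\microsoft\windows\start menu\programs\startup\[RANDOM CHARACTERS]payload.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Skanda[RANDOM CHARACTERS].exe
%APPDATA%\microsoft\windows\start menu\programs\startup\winhost.exe
%APPDATA%\osk.exe
%APPDATA%\setap[RANDOM CHARACTERS].exe
%APPDATA%\Skanda[RANDOM CHARACTERS].exe
%userprofile%\documents\system.exe
%windir%\system32\payload.exe
%WINDIR%\System32\Skanda.exe
%windir%\syswow64\payload.exe
""".splitlines() if m]

# Assumed expansions (default Windows layout); placeholder meanings are an interpretation.
TOKENS = {
    "%appdata%": r"[a-z]:\\users\\[^\\]+\\appdata\\roaming",
    "%userprofile%": r"[a-z]:\\users\\[^\\]+",
    "%windir%": r"[a-z]:\\windows",
    "[random characters]": r"[^\\]+",  # one or more characters within one path component
    "[numbers]": r"\d+",
}
_SPLIT = re.compile("(" + "|".join(map(re.escape, TOKENS)) + ")")

def mask_to_regex(mask):
    """Turn one page mask into a case-insensitive regex for a full path."""
    parts = _SPLIT.split(mask.lower())
    return re.compile("".join(TOKENS.get(p) or re.escape(p) for p in parts), re.I)
RULES = [(m, mask_to_regex(m)) for m in MASKS]

def match_masks(path):
    """Return every page mask that the whole path matches."""
    return [m for m, rx in RULES if rx.fullmatch(path)]

# Constructed sample paths (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc_2018-08-04_20-31.exe",
    r"C:\Users\alice\AppData\Roaming\osk.exe",
    r"C:\Windows\System32\osk.exe",  # the usual On-Screen Keyboard location: no mask covers it
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", match_masks(p) or "no match")
```

Matching on the whole path rather than the file name alone is what separates a Windows binary name such as osk.exe in its usual System32 location from the same name dropped into a user's Roaming folder.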
