
Kristina Ransomware

Posted: November 7, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 9
First Seen: August 14, 2018
Last Seen: August 29, 2018
OS(es) Affected: Windows

The Kristina Ransomware is a variant of the Crypt12 Ransomware, a file-locking Trojan that requires manual instructions from a remote attacker to block different types of media. Threats of the Kristina Ransomware's family are known for compromising PCs after direct, targeted attacks, which may involve previously collected logins or Remote Desktop-based exploits. Users impacted by this Trojan should disable all network connections from the infected PC and immediately remove the Kristina Ransomware with an anti-malware product before implementing any data recovery solutions.

Cybercrooks Taking a Direct Hand in Their Trojans' Attacks

While many threat actors are interested in making money from damaging or collecting a PC's data, most of them wish to do so without much interaction with their campaigns. Some Trojans, nonetheless, abandon this more automated plan of attack in favor of a 'hands-on' strategy, such as the previously-identified Crypt12 Ransomware. Malware experts are just beginning to see new, trivially-edited versions of that Trojan with a different name: the Kristina Ransomware.

The Kristina Ransomware keeps the remote panel-based control scheme of the old Trojan and, like the Crypt12 Ransomware, offers options for selecting which drives to encrypt, but doesn't provide configuration choices for the formats of any individual files. Threat actors may use manual methods to introduce, install and launch the Kristina Ransomware, set it to load a file-locking, encryption attack through the panel's GUI, and then, optionally, hide the interface from the user.

The Kristina Ransomware also still uses the '.crypt12' extension to mark the content it locks. Not every file with this extension is necessarily encrypted; the Kristina Ransomware automatically skips actual encryption for any files over a certain size. However, malware experts still find that most types of media, such as pictures, documents, and spreadsheets, are at risk of being encrypted.
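A triage sketch for the behaviour described above, added here as an example and not taken from the original page: it finds files carrying the '.crypt12' marker and uses file signatures plus byte entropy to separate files that were only renamed from files that were likely encrypted. It assumes the marker is appended after the original extension (for example `report.docx.crypt12`), which the page does not state; the signature table and the 7.5 bits/byte threshold are illustrative choices.

```python
import math
import os
import sys
from collections import Counter

MARKER = ".crypt12"  # extension named on the page
# Well-known leading bytes of common formats (illustrative subset).
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5  # assumption: ciphertext sits close to 8 bits/byte

def entropy(data):
    """Shannon entropy in bits per byte (8.0 is uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path, sample=65536):
    """Return 'intact', 'likely-encrypted' or 'likely-intact' for a marked file."""
    # Assumption: the marker was appended, so the original extension precedes it.
    inner_ext = os.path.splitext(path[: -len(MARKER)])[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample)
    magic = MAGIC.get(inner_ext)
    if magic and head.startswith(magic):
        return "intact"  # original header survived: the file was only renamed
    if entropy(head) > ENTROPY_THRESHOLD:
        return "likely-encrypted"  # heuristic; very small files cannot reach this
    return "likely-intact"

def triage(root):
    """Map each marked file under root to (classification, size in bytes)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(MARKER):
                full = os.path.join(dirpath, name)
                report[full] = (classify(full), os.path.getsize(full))
    return report

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (verdict, size) in sorted(triage(root).items()):
        print(f"{verdict:17} {size:>12}  {path}")
```

The verdicts are heuristic: a file reported as intact should still be verified by opening a copy with the marker removed.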

Turning Down a Lady with Bad Intentions

Because it is not capable of running its attacks without additional, remote support, the Kristina Ransomware is most likely being distributed in a campaign using such methods as RDP exploits, Remote Access Trojans (or RATs), and phishing attacks that collect login combinations. Being able to decode one's files afterward is not necessarily guaranteed, whether or not you pay any ransom that the threat actor requires. Backing up your work to locations that aren't at risk is the only secure strategy that can keep the Kristina Ransomware from damaging media permanently.

Victims should disable all network connections when dealing with a Kristina Ransomware infection, which is likely to come with remote attackers having some degree of control over the PC. The Kristina Ransomware may run on any .NET Framework-compatible Windows machine, although its symptoms, such as a visible panel, may not appear to the user. Malware analysts highly encourage having anti-malware software for eliminating the Kristina Ransomware and related threats that could be facilitating remote control over the PC.

The Kristina Ransomware and the Crypt12 Ransomware that it comes from are both good reminders that users don't always need to be stupid for their media to be at risk. Cybercrooks who take a control-heavy view of their law-breaking activities are also likely to direct the attacks of Trojans like the Kristina Ransomware in ways that a user can't prevent just by rejecting obviously threatening downloads.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



c:\Users\<username>\desktop\c8654b503594d387accd75a406558b8a5ee52922e0cc724fbf432adc20991b34.exe
File name: c8654b503594d387accd75a406558b8a5ee52922e0cc724fbf432adc20991b34.exe
Size: 72.19 KB (72192 bytes)
MD5: 570e220c22810e4906272fbf24689dcf
Detection count: 35
File type: Executable File
Mime Type: unknown/exe
Path: c:\Users\<username>\desktop
Group: Malware file
Last Updated: August 14, 2018