Ranstop blocks CryCipher ransomware

Test subject – CryCipher ransomware

CryCipher is among of the first ransomware discovered at the beginning of this new year. There’s no indication, as of yet, if the ransomware is related/part of with any existing ransomware families.

CryCipher ransomware test facts

It’s also been a while since we saw this type of ransomware. CryCipher, upon execution of the payload, will launch a series of command line scripts, and by the end of the chain creates and imports its own PowerShell module, which will finally encrypt the files. CryCipher is also very fast but missed some of the files on our test machine. This could be because it filters out some file types and/or sizes or because simply there’s a bug somewhere in the code which scans for files to attack. This means that the encryption will be performed not by the payload itself, but by Powershell. This method might be confusing for both the user and the anti-malware solutions installed on the system, and could also be an attempt to evade detection.

Encrypted files can be recognized by their new extension “.locked”. Once done, CryCipher will drop a very basic ransomware note on the desktop, which instructs the user to contact the cybercriminals and pay the ransom. The email address is at least questionable, we do not believe it’s valid, and so far there are no free decryption tools available, so it’s likely the files are lost forever unless they were previously backed up.

CryCipher ransomware test results

Upon detection, Ranstop will terminate the attack in two steps. First, it will stop PowerShell and prevent any further encryption, then it will look down the chain and identify the process which used PowerShell to encrypt the files, stopping the executable while also quarantining it. As usual, once the attack is successfully blocked, the automatic file recovery engine kicks in and restores all the files touched by PowerShell and/or the payload itself.


Click here to watch TEMASOFT Ranstop blocking CryCipher ransomware (video)!

Learn how to protect against ransomware!

About TEMASOFT Ranstop

TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.

For more information, follow us on social media and subscribe to our newsletter.