Ranstop blocks CryCipher ransomware

Test subject – CryCipher ransomware

CryCipher is among the first ransomware discovered at the beginning of this new year. There's no indication, as of yet, whether the ransomware is related to, or part of, any existing ransomware family.

CryCipher ransomware test facts

It's also been a while since we saw this type of ransomware. Upon execution of the payload, CryCipher launches a series of command line scripts and, at the end of the chain, creates and imports its own PowerShell module, which finally encrypts the files. This means that the encryption is performed not by the payload itself, but by PowerShell. This method might be confusing for both the user and the anti-malware solutions installed on the system, and could also be an attempt to evade detection. CryCipher is also very fast but missed some of the files on our test machine. This could be because it filters out some file types and/or sizes, or simply because there's a bug somewhere in the code that scans for files to attack.

Encrypted files can be recognized by their new extension ".locked". Once done, CryCipher drops a very basic ransom note on the desktop, which instructs the user to contact the cybercriminals and pay the ransom. The email address is, at the very least, questionable; we do not believe it's valid. So far there are no free decryption tools available, so it's likely the files are lost forever unless they were previously backed up.

CryCipher ransomware test results

Upon detection, Ranstop will terminate the attack in two steps. First, it will stop PowerShell and prevent any further encryption, then it will look down the chain and identify the process which used PowerShell to encrypt the files, stopping the executable while also quarantining it. As usual, once the attack is successfully blocked, the automatic file recovery engine kicks in and restores all the files touched by PowerShell and/or the payload itself.
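The two-step response described above (stop the process doing the encryption, then follow the chain back to the executable that started it) can be sketched over process and file telemetry. This is an added example, not Ranstop's code or algorithm; the event data, the list of script hosts, the threshold and all function names are assumptions constructed for illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Script hosts the chain may pass through (assumed list for this sketch).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LOCKED_EXT = ".locked"  # extension reported in the article
THRESHOLD = 3           # constructed value: ".locked" writes before alerting

# Constructed process-creation events: pid -> (parent pid, image path).
PROCESSES = {
    4000: (1200, r"C:\Windows\explorer.exe"),
    4100: (4000, r"C:\Users\test\Downloads\sample_payload.exe"),
    4200: (4100, r"C:\Windows\System32\cmd.exe"),
    4300: (4200, r"C:\Windows\System32\cmd.exe"),
    4400: (4300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    5000: (4000, r"C:\Program Files\Editor\editor.exe"),
}

# Constructed file-write events: (pid, path written).
FILE_EVENTS = [
    (5000, r"C:\Users\test\Documents\door.locked"),  # benign, below threshold
    (4400, r"C:\Users\test\Documents\report.docx.locked"),
    (4400, r"C:\Users\test\Pictures\photo.jpg.locked"),
    (4400, r"C:\Users\test\Desktop\budget.xlsx.locked"),
    (5000, r"C:\Users\test\Documents\notes.txt"),
]

def image_name(pid, processes):
    return PureWindowsPath(processes[pid][1]).name.lower()

def encrypting_pids(file_events, threshold=THRESHOLD):
    """Pids that wrote at least `threshold` files with the .locked extension."""
    counts = Counter(p for p, path in file_events if path.lower().endswith(LOCKED_EXT))
    return sorted(pid for pid, n in counts.items() if n >= threshold)

def trace_chain(pid, processes):
    """Return (script-host pids to stop, first non-host ancestor pid or None)."""
    hosts, seen = [], set()
    while pid in processes and pid not in seen:  # `seen` guards against pid loops
        seen.add(pid)
        if image_name(pid, processes) not in SCRIPT_HOSTS:
            return hosts, pid
        hosts.append(pid)
        pid = processes[pid][0]
    return hosts, None  # parent record missing, e.g. the launcher already exited

def respond(file_events, processes):
    """Map each encrypting pid to its script-host chain and originating executable."""
    return {pid: trace_chain(pid, processes) for pid in encrypting_pids(file_events)}
```

Here `respond(FILE_EVENTS, PROCESSES)` attributes the PowerShell activity to pid 4100, the constructed payload, which is the process a responder would stop and quarantine after halting the script hosts.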


Click here to watch TEMASOFT Ranstop blocking CryCipher ransomware (video)!


About TEMASOFT Ranstop

TEMASOFT Ranstop is anti-ransomware software that detects present and future ransomware with a high degree of accuracy, based on file access pattern analysis. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.

This post was last modified on August 21, 2023 7:26 am

FM Team
