Crysis

Description

Crysis ransomware was first identified in early 2016 and is a long-running family that later evolved into the Dharma ransomware line. It follows a Ransomware-as-a-Service (RaaS) model, allowing affiliates to customize email addresses, extensions, and ransom notes. Crysis primarily spreads via malicious email attachments, remote desktop protocol (RDP) brute-force attacks, and software cracks. It uses strong hybrid encryption—AES for file content and RSA for key protection—and appends various extensions such as .crySis, .wallet, or attacker-specified tags. It also deletes shadow copies to hinder recovery. Over the years, it has targeted businesses and individuals worldwide, with notable prevalence in healthcare, manufacturing, and professional services sectors. In 2017, law enforcement released master decryption keys through the NoMoreRansom project, enabling recovery for earlier versions, though newer builds remain active in the wild.

External Analysis
https://www.bleepingcomputer.com/news/security/crysis-ransomware-master-decryption-keys-released/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/crysis-ransomware-distributed-through-remote-desktop-services
https://securelist.com/crysis-ransomware/78775/
https://www.nomoreransom.org/en/decryption-tools.html
Urls
Screen
File servers
Screen
Chat servers
Screen
Admin servers
Screen