New Cry Ransomware Attacks Computers via Google Maps API

safewithtech.jpg

Heard about the recent ransomware threat “Cry”?

Well, it was discovered on last week by security researchers “MalwareHunterTeam”.  Like many of the similar ransomware programs, this appears to come from a government agency called “Central Security Treatment Organization”.  If infected a computer, this ransomware will encrypt the victim’s files to .cry extension. Then, it will then demand approximately 1.1 bitcoins or $625 USD to provide the decryption key.
This ransomware, has already begun to known by a number of names including Cry, CSTO ransomware, etc. Lawrence Abrams, owner of BleepingComputer.com along with MalwareHunterTeam, and Daniel Gallagher, have analyzed some of the characteristics shown in this ransomware. For them, this ransomware can send information about the victim to the Command & Control server using UDP (User Datagram Protocol). It will also websites such as Imgur.com and Pastee.org to put victim’s information. And, to your surprise, it will choose Google Maps API to find the victim’s location with the help of nearby wireless SSIDs.

Abram explains how this ransomware deals with Imgur:

“Once the file has successfully been uploaded Imgur will respond with a unique name for the filename. This filename can be broadcasted over UDP to the 4096 IP addresses to notify the Command & Control server that a new victim has been infected”

Many details about this ransomware is still has to be unveiled. But one thing is sure – within two weeks, this ransomware have infected around 8000 computers!

How Cry Ransomware attacks your Computer?

Mostly, spam email attachments are the main delivery method of Cry ransomware. Those mails will have elements to convince the victim that the attachment is a reliable invoice, bank statement, ticket or any other harmless file. If the user download that file, the ransomware infects user’s computer and it searches for file types that are important for the user. Such important files become encrypted leaving all other parts of computer to remain functional so that it can demand payment of the ransom.

If a computer is infected with CRY ransomware, it may leave some ransom notes “Recovery_[random_chars].html” and “!Recovery_[random_chars].txtencrypts” on a user’s desktop. These notes inform that the user’s files have encrypted with .cry extension. And to decrypt those files, it demands 1.1 bitcoin ($625).

Leave a Reply

Your email address will not be published. Required fields are marked *