Crybrazil Ransomware Overview
CRYBRAZIL is a part of the ransomware family. This ransomware is currently targeting the Spain Country, found by the security researcher; it encrypts the victim's machine by using AES Encryption method.
It appends the filename of the affected file by adding .CRYBRAZIL extension in the last. It Only targets the C Drive along with more than 250+ file extensions.
This ransomware uses Hidden Tear Library which is easily available on GitHub.
This ransomware doesn’t contain any ransom amount information. It changes the desktop background wallpaper with the ransom note.
Flow Chart
Get peace of mind! Get rid of malicious programs instantly
Free Checkup & fix for your PC! Get rid of malicious programs instantly!
Technical Analysis of CRYBRAZIL Ransomware
File Name: crybrazil.exe
MD5: 10597E7C2E644D9BD346844F08328C0B
File Type: .EXE
Spread Via: Not Known Yet.
Detail Description of CRYBRAZIL Ransomware with Screenshots
Static Analysis
This ransomware has minimum requirement Dot Net Framework 4.0
Figure 1 Assembly Information
As shown below, this ransomware gathers the Username, Computer Name and targets the User Directory C:\Users; Once an encryption completed it appends the filename with .CRYBRAZIL Extension.
This ransomware also downloads the ransom note from the mentioned URL in the code.
This ransomware using the Hidden Tear Library which is easily available on the GitHub.
Figure 2 Gathers Information
As shown below, as per the code this ransomware is using a predefined password
(“AA151257B1462D642E7E21FF9C80F83CAF043C3572D5ED59BD283D20641E3C9D”) for encrypting files and move the ransomware to specific location C:\admin\Rand123\local.exe
Thereupon, this ransomware starts encrypting the folder based on their specific target directory, extension list, and password.
Figure 3 Encryption Process
As shown below, this ransomware encrypts the files based on the extension list. It has more than 256 file extensions list.
.dat .keychain .sdf .vcf .jpg .png .tiff .tif .gif .jpeg .jif .jfif .jp2 .jpx .j2k .j2c .fpx .pcd .bmp .svg .3dm .3ds .max .obj .dds .psd .tga .thm .yuv .ai .eps .ps .indd .pct .mp4 .avi .mkv .3g2 .3gp .asf .flv .m4v .mov .mpg .rm .srt .swf .vob .wmv .doc .docx .txt .pdf .log .msg .odt .pages .rtf .tex .wpd .wps .csv .ged .key .pps .ppt .pptx .xml .json .xlsx .xlsm .xlsb .xls .mht .mhtml .htm .html .xltx .prn .dif .slk .xlam .xla .ods .docm .dotx .dotm .xps .ics .mp3 .aif .iff .m3u .m4a .mid .mpa .wav .wma .msi .php .apk .app .bat .cgi .com .asp .aspx .cer .cfm .css .js .jsp .rss .xhtml .c .class .cpp .cs .h .java .lua .pl .py .sh .sln .swift .vb .vcxproj .dem .gam .nes .rom .sav .tgz .zip .rar .tar .7z .cbr .deb .gz .pkg .rpm .zipx .iso .accdb .db .dbf .mdb .sql .fnt .fon .otf .ttf .cfg .prf .bak .old .tmp .torrent .der .pfx .crt .csr .p12 .pem .ott .sxw .stw .uot .ots .sxc .stc .wb2 .odp .otp .sxd .std .uop .odg .otg .sxm .mml .lay .lay6 .asc .sqlite3 .sqlitedb .odb .frm .myd .myi .ibd .mdf .ldf .suo .pas .asm .cmd .ps1 .vbs .dip .dch .sch .brd .rb .jar .fla .mpeg .m4u .djvu .nef .cgm .raw .vcd .backup .tbk .bz2 .PAQ .aes .gpg .vmx .vmdk .vdi .sldm .sldx .sti .sxi .602 .hwp .edb .potm .potx .ppam .ppsx .ppsm .pot .pptm .xltm .xlc .xlm .xlt .xlw .dot .docb .snt .onetoc2 .dwg .wk1 .wks .123 .vsdx .vsd .eml .ost .pst
It searches an above extension in the target drive and encrypts it.
This ransomware also drops SUA_CHAVE.html in C:\users\%username%\Desktop
While opening the SUA_CHAVE.html in browser it contains the one hyperlink text O QUE ESTÁ ACONTECENDO? it redirects to the hxxp://3e24c23r2213122c1cxdsxsd[.]unaux[.]com/
Once the files are encrypted this ransomware it appends the filename by adding .Crybrazil extension in the last and also changes the desktop background wallpaper.
As shown above, it contains the message in Spanish language, after translation:
he who is the clown, but it is I who set fire to the circus.
Attention children
All your files have been encrypted, to retrieve them back please contact: losalphagroup@protonmail.com
IOC’s
Hash
10597E7C2E644D9BD346844F08328C0B
Associated Email:
losalphagroup@protonmail.com
Associated Network Activity
3e24c23r2213122c1cxdsxsd[.]unaux[.]com/crybrazil/write[.]php?info=PC-admin%20AA151257B1462D642E7E21FF9C80F83CAF043C3572D5ED59BD283D20641E3C9D
4[.]bp[.]blogspot[.]com/-11m8rWaFmWs/WuhochGTK0I/AAAAAAAAFTY/VkbbVhxYZDgW_jlbQ5lPbV8AEhyd4ihgQCK4BGAYYCw/s1600/ranso4[.]jpg
Are you worried about your PC health?
Check your PC Health for Free!
Tips to Prevent virus and malware from Infecting Your System:
- Enable your popup blocker: Pop-ups and ads on the websites are the most adoptable tactic used by cybercriminals or developers with the core intention to spread malicious programs.
So, avoid clicking uncertain sites, software offers, pop-ups etc. and Install a powerful ad- blocker for Chrome, Mozilla, and IE
- Keep your Windows Updated: To avoid such infections, we recommend that you should always keep your system updated through automatic windows update.By doing this you can keep your device free from virus.According to the survey, outdated/older versions of Windows operating system are an easy target.
- Third-party installation: Try to avoid freeware download websites as they usually install bundled of software with any installer or stub file.
- Regular Backup: Regular and periodical backup helps you to keep your data safe in case the system is infected by any kind of virus or any other infection.Thus always backup important files regularly on a cloud drive or an external hard drive.
- Always have an Anti-Virus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good Malware Removal Tool like Download Virus RemovalTool
