The CRYPSPORT ransomware appears to target corporations rather than individual users and may be leveraging networks that have already been compromised. Information about this ransomware is limited at this time; this article will be updated as more becomes available.
Capabilities
- File Encryption
Infection Chain
Infection Routine
Target Extension:
- It encrypts all files in the system as well as files found on the following drives:
  - Fixed Drives
  - Removable Drives
  - Network Drives
- It avoids encrypting the following file types:
  - .arp
  - .exe
  - .dll
  - .sys
  - .vxd
  - .ini
  - .lnk
  - .msi
  - .cab
- It avoids encrypting files found in the following folders:
  - windows
  - microsoft
  - trend
  - edr
  - kaspersky
  - app
  - mcafee
  - office
  - netlogon
- It drops the following file as a ransom note:
  - {all encrypted path}\ReadMeAndContact.txt
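The exclusion rules above (skipped extensions, skipped folder names, one note per encrypted path) can be turned into a scoping tool for incident response. The script below is an added example and not the page's or Trend Micro's code: it walks a directory tree, locates every `ReadMeAndContact.txt`, and for each such directory lists the files the described routine would have considered for encryption. The sample tree, the `triage` / `would_be_encrypted` names, and the assumption that folder matching is a case-insensitive substring match on each path component are all constructed for the illustration.

```python
"""Added example: scope a CRYPSPORT-style infection from the exclusion rules
described on the page. Not the page's or Trend Micro's own code."""
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "ReadMeAndContact.txt"

# Extensions the page says the ransomware leaves alone.
SKIPPED_EXTENSIONS = {".arp", ".exe", ".dll", ".sys", ".vxd", ".ini", ".lnk", ".msi", ".cab"}

# Folder names the page says the ransomware avoids. Treating them as
# case-insensitive substrings of each directory component is an assumption;
# the page only lists the bare words.
SKIPPED_FOLDER_KEYWORDS = {
    "windows", "microsoft", "trend", "edr", "kaspersky",
    "app", "mcafee", "office", "netlogon",
}


def in_skipped_folder(path, root) -> bool:
    """True if any directory component between root and the file contains a skipped keyword."""
    path, root = Path(path), Path(root)
    dir_parts = path.relative_to(root).parts[:-1]  # directories only, not the file name
    return any(kw in part.lower() for part in dir_parts for kw in SKIPPED_FOLDER_KEYWORDS)


def would_be_encrypted(path, root) -> bool:
    """Apply the page's exclusion rules to one file path (pure path logic, no I/O)."""
    path, root = Path(path), Path(root)
    if path.name == RANSOM_NOTE:
        return False
    if path.suffix.lower() in SKIPPED_EXTENSIONS:
        return False
    return not in_skipped_folder(path, root)


def triage(root) -> dict:
    """Walk root and return {note_directory: [candidate encrypted files]} for
    every directory that holds a ransom note. Paths are root-relative POSIX strings."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        if RANSOM_NOTE not in filenames:
            continue
        here = Path(dirpath)
        candidates = sorted(
            (here / name).relative_to(root).as_posix()
            for name in filenames
            if would_be_encrypted(here / name, root)
        )
        findings[here.relative_to(root).as_posix()] = candidates
    return findings


def build_sample_tree() -> str:
    """Constructed sample tree: two directories with notes, one AV folder without."""
    root = tempfile.mkdtemp(prefix="crypsport_triage_")
    layout = {
        "finance/report.docx": "x",
        "finance/tool.exe": "x",                     # skipped extension
        "finance/ReadMeAndContact.txt": "note",
        "finance/archive/old.xlsx": "x",
        "finance/archive/ReadMeAndContact.txt": "note",
        "Program Files/McAfee/scan.dll": "x",        # skipped folder and extension
        "Program Files/McAfee/config.ini": "x",
        "hr/policy.pdf": "x",                        # no note here: directory not touched
    }
    for rel, content in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for note_dir, files in triage(sample_root).items():
        print(f"ransom note in {note_dir!r}: {len(files)} candidate file(s): {files}")
```

Run it against a mounted image or a copied share rather than a live host; the candidate list is what to hash and compare against backups, and directories that match the skipped keywords but still contain a note are worth a second look because they fall outside the described behaviour.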
Ransom note:
File Reputation
Detection Name | Pattern branch/version
---|---
Ransom.Win32.CRYPSPORT.A | ENT OPR 15.505.00
Ransom.Win32.CRYPSPORT.B | ENT OPR 15.505.00
Ransom.Win32.CRYPSPORT.C | ENT OPR 15.505.00
Ransom.Win32.CRYPSPORT.B.note | ENT OPR 15.505.00
Ransom.Win32.CRYPSPORT.A.SM (One to Many detection) | ENT OPR 15.505.00
Predictive Machine Learning
Detection Name | Pattern branch/version
---|---
Rapid Proliferation | In-the-cloud

Rapid Proliferation is a mechanism that detects suspicious files exceeding the threshold by attaching a "Bad Rating" to the suspicious sample.
Behavior Monitoring
Policy ID | Pattern branch/version
---|---
RAN4056T – Generic DEL Shadow Copy commands Supported by ADC (Access Document Control) | BM OPR 1.907
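The policy name above describes generic detection of shadow-copy deletion commands, the step that makes file encryption hard to roll back. The script below is an added example, not Trend Micro's Behavior Monitoring logic: it applies a small set of command-line rules to constructed process-creation log lines and reports which lines and parent processes triggered them. The log format, the rule names, the `scan_log` / `scan_sample` functions and the sample lines are all assumptions made for the illustration.

```python
"""Added example: detect shadow-copy deletion commands in process-creation
logs. Not Trend Micro's policy logic; format and rules are assumed."""
import re

# Each rule: (name, case-insensitive regex applied to the full command line).
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_storage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy",
     re.compile(r"win32_shadowcopy.*\b(delete|remove)\b", re.I)),
]

# Constructed log format: timestamp, host, pid, parent image, quoted command line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+'
    r'parent=(?P<parent>\S+)\s+cmdline="(?P<cmdline>.*)"$'
)

# Constructed sample: one benign vssadmin query, three deletion attempts
# spawned by an unknown parent, one benign wmic query, one storage resize.
SAMPLE_LINES = [
    '2024-05-01T09:12:01Z host=FIN-WS07 pid=4120 parent=explorer.exe cmdline="vssadmin list shadows"',
    '2024-05-01T09:12:04Z host=FIN-WS07 pid=4188 parent=update.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    '2024-05-01T09:12:05Z host=FIN-WS07 pid=4190 parent=update.exe cmdline="wmic shadowcopy delete"',
    '2024-05-01T09:12:06Z host=FIN-WS07 pid=4193 parent=update.exe cmdline="powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    '2024-05-01T09:13:10Z host=FIN-WS07 pid=4201 parent=svchost.exe cmdline="wmic os get caption"',
    '2024-05-01T09:13:12Z host=FIN-WS07 pid=4205 parent=update.exe cmdline="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
]


def parse_line(line: str):
    """Return the event fields as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmdline: str) -> list:
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in SHADOW_COPY_RULES if rx.search(cmdline)]


def scan_log(lines) -> list:
    """Scan an iterable of log lines; return one alert dict per line that hits a rule.
    The parent image is kept because the same parent spawning several hits
    is the strongest signal in the output."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        event = parse_line(line)
        if event is None:
            continue  # malformed line: skip rather than fail the whole scan
        hits = match_rules(event["cmdline"])
        if hits:
            alerts.append({
                "line": lineno,
                "host": event["host"],
                "pid": int(event["pid"]),
                "parent": event["parent"],
                "rules": hits,
            })
    return alerts


def scan_sample() -> list:
    """Run the detector over the constructed sample lines."""
    return scan_log(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in scan_sample():
        print(f"line {alert['line']}: {alert['host']} pid={alert['pid']} "
              f"parent={alert['parent']} rules={alert['rules']}")
```

Behavior Monitoring blocks the command at execution time; a log-side check like this is the complementary control that tells you which host and which parent process issued it, which is the thread to pull when the page's note about already-compromised networks applies.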
Sandbox Solution
Detection Name | Pattern branch/version
---|---
VAN_RANSOMWARE | Sandbox Behavior
Recommendations
- Make sure to always use the latest pattern available to detect old and new variants of CRYPSPORT Ransomware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
- Make sure to implement the ransomware protection features and best practices. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
- You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
- For support assistance, please contact Trend Micro Technical Support.