CRYPSPORT Ransomware Information

- Updated:
- 5 Dec 2019
- Product/Version:
- Apex One 2019
- Deep Discovery Email Inspector 3.5
- Deep Discovery Inspector 5.5
- Deep Security 12.0
- InterScan Messaging Security Suite 9.1
- Interscan Messaging Security Virtual Appliance 8.5
- Interscan Web Security Virtual Appliance 6.5
- OfficeScan XG
- ScanMail for Exchange 14.0
- Worry-Free Business Security Standard 10.0
- Platform:

Summary

The CRYPSPORT ransomware appears to be targeted at corporations rather than individual users and may possibly be leveraging networks that have already been compromised. Information about this ransomware is limited at this time. However, this article will be updated as more becomes available.

Capabilities

File Encryption

Infection Chain

Infection Routine

Target Extension:

It encrypts all files in the system as well as files found on the following drives:
- Fixed Drives
- Removable Drives
- Network Drives
It avoids encrypting the following file types:
- .arp
- .exe
- .dll
- .sys
- .vxd
- .ini
- .lnk
- .msi
- .cab
It avoids encrypting files found in the following folders:
- windows
- microsoft
- trend
- edr
- kaspersky
- app
- mcafee
- office
- google
- netlogon
It drops the following files as a ransomnote:
- {all encrypted path}\ReadMeAndContact.txt

Ransomnote:

Ransomnote

Details

File Reputation

Detection Name	Pattern branch/version
Ransom.Win32.CRYPSPORT.A Ransom.Win32.CRYPSPORT.B Ransom.Win32.CRYPSPORT.C Ransom.Win32.CRYPSPORT.B.note Ransom.Win32.CRYPSPORT.A.SM – One to Many detection	ENT OPR 15.505.00

Predictive Machine Learning

Detection Name	Pattern branch/version
Rapid Proliferation	In-the-cloud

Rapid Proliferation is a mechanism to detect suspicious files that exceed the threshold by attaching the "Bad Rating" to the suspicious sample.

Behavior Monitoring

Policy ID	Pattern branch/version
RAN4056T – Generic DEL Shadow Copy commands Supported by ADC (Access Document Control)	BM OPR 1.907

Sandbox Solution

Detection Name	Pattern branch/version
VAN_RANSOMWARE	Sandbox Behavior

Recommendations

Make sure to always use the latest pattern available to detect old and new variants of CRYPSPORT Ransomware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
Make sure to implement the ransomware protection features and best practices. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
For support assistance, please contact Trend Micro Technical Support.

Rating:

Category:

Remove a Malware / Virus

Solution Id:

000155798

Feedback

Did this article help you?

Thank you for your feedback!

What was the problem with this article?

The image(s) in the article did not display properly.

The article did not provide detailed procedure.

The article is hard to understand and follow.

The video did not play properly.

The article did not resolve my issue.

Others. Please specify.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

Thanks for voting.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

Need More Help?

CRYPSPORT Ransomware Information

Capabilities

Infection Chain

Infection Routine