CRYPSPORT Ransomware Information

Product / Version includes:

Deep Discovery Email Inspector3.5 , OfficeScanXG , Apex One2019 , InterScan Messaging Security Suite9.1 , Worry-Free Business Security Standard10.0 , ScanMail for Exchange14.0 , Interscan Messaging Security Virtual Appliance8.5 , Deep Discovery Inspector5.5 , Deep Security12.0 , Interscan Web Security Virtual Appliance6.5

Last updated: 2021/10/10

Solution ID: KA-0010070

Category: Remove a Malware / Virus

Summary

The CRYPSPORT ransomware appears to be targeted at corporations rather than individual users and may possibly be leveraging networks that have already been compromised. Information about this ransomware is limited at this time. However, this article will be updated as more becomes available.

Capabilities

File Encryption

Infection Chain

Infection Routine

Target Extension:

It encrypts all files in the system as well as files found on the following drives:
- Fixed Drives
- Removable Drives
- Network Drives
It avoids encrypting the following file types:
- .arp
- .exe
- .dll
- .sys
- .vxd
- .ini
- .lnk
- .msi
- .cab
It avoids encrypting files found in the following folders:
- windows
- microsoft
- trend
- edr
- kaspersky
- app
- mcafee
- office
- google
- netlogon
It drops the following files as a ransomnote:
- {all encrypted path}\ReadMeAndContact.txt

Ransomnote:

Ransomnote

File Reputation

Detection Name	Pattern branch/version
Ransom.Win32.CRYPSPORT.A Ransom.Win32.CRYPSPORT.B Ransom.Win32.CRYPSPORT.C Ransom.Win32.CRYPSPORT.B.note Ransom.Win32.CRYPSPORT.A.SM – One to Many detection	ENT OPR 15.505.00

Predictive Machine Learning

Detection Name	Pattern branch/version
Rapid Proliferation	In-the-cloud

Rapid Proliferation is a mechanism to detect suspicious files that exceed the threshold by attaching the "Bad Rating" to the suspicious sample.

Behavior Monitoring

Policy ID	Pattern branch/version
RAN4056T – Generic DEL Shadow Copy commands Supported by ADC (Access Document Control)	BM OPR 1.907

Sandbox Solution

Detection Name	Pattern branch/version
VAN_RANSOMWARE	Sandbox Behavior

Recommendations

Make sure to always use the latest pattern available to detect old and new variants of CRYPSPORT Ransomware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
Make sure to implement the ransomware protection features and best practices. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
For support assistance, please contact Trend Micro Technical Support.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

CRYPSPORT Ransomware Information

CRYPSPORT Ransomware Information

Product / Version includes:

Summary

Capabilities

Infection Chain

Infection Routine