Emerging Ransomware Targets Photos, Videos on Android Devices

silversurfer

A new strain of ransomware has arisen in Canada, targeting Android users and locking up personal photos and videos.

Called CryCryptor, it has initially been spotted pretending to be the official COVID-19 tracing app provided by Health Canada. It’s propagating via two different bogus websites that pretend to be official, according to ESET researchers – one called tracershield[dot]ca.

Like other ransomware families, it encrypts targeted files. But, instead of simply locking the device, CryCryptor leaves a “readme” file with the attacker’s email in every directory.

When someone launches the malicious app, it requests access to files on the device. After that, selected files are encrypted using AES with a randomly generated 16-character key.

“After CryCryptor encrypts a file, three new files are created, and the original file is removed,” according to ESET. “The encrypted file has the file extension .enc appended, and the algorithm generates a salt unique for every encrypted file, stored with the extension .enc.salt; and an initialization vector, .enc.iv.”

Interestingly, targeted files include photos and videos. “It is interesting to see that this attack included file type extensions such as .jpg, .png and .avi along with document types as well,” Erich Kron, security awareness advocate at KnowBe4, said via email. “By encrypting photos and videos on the external storage on the phone as opposed to simple documents, the attackers are making it personal and attempting to improve their odds of payment. People tend to keep a lot of personal photos on their devices, which makes them a prime target.”
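The on-disk pattern ESET describes in the post above (an `.enc` file with `.enc.salt` and `.enc.iv` companions, and the original removed) can be checked for on a copy of a device's storage. The following is an added example, not part of the original post or ESET's tooling; the function names, the sample tree, and the assumption that the note's file name starts with "readme" are illustrative.

```python
import os
import tempfile
from collections import defaultdict

# Suffixes reported by ESET in the post above; longest first so ".enc" is tried last.
SUFFIXES = (".enc.salt", ".enc.iv", ".enc")


def find_crycryptor_artifacts(root):
    """Map each directory under root to the files that match the reported pattern:
    <name>.enc, <name>.enc.salt and <name>.enc.iv all present, <name> itself gone."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        seen = defaultdict(set)
        for name in names:
            for suffix in SUFFIXES:
                if name.endswith(suffix) and len(name) > len(suffix):
                    seen[name[: -len(suffix)]].add(suffix)
                    break
        victims = sorted(b for b, s in seen.items()
                         if s == set(SUFFIXES) and b not in names)
        if victims:
            # Assumption: the note's file name starts with "readme"; the post
            # only says a "readme" file is left in every directory.
            note = any(n.lower().startswith("readme") for n in names)
            report[dirpath] = {"files": victims, "note_present": note}
    return report


def build_sample_tree(root):
    """Constructed sample data: one affected directory and one benign one."""
    layout = {
        "DCIM": ["a.jpg.enc", "a.jpg.enc.salt", "a.jpg.enc.iv", "readme_now.txt",
                 "b.png.enc", "b.png.enc.salt"],   # b.png: incomplete set, skipped
        "Download": ["backup.enc", "c.avi"],       # lone .enc file, skipped
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub))
        for f in files:
            open(os.path.join(root, sub, f), "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, info in find_crycryptor_artifacts(tmp).items():
            print(directory, info)
```

Requiring all three companions and a missing original keeps unrelated `.enc` files, such as legitimate encrypted backups, out of the report.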
 
