Possible new Criakl Ransomware variant spreading

Der.Reisende

Thread author
Dec 27, 2014
"It looks like we have a new ransomware spreading as a nice Christmas present. This is being identified as Criakl by Anyrun, but if it is Criakl, then it is a new version. Criakl was around in 2014 and has been seen sporadically since then, but hasn’t been an extremely active or widespread ransomware previously, particularly in the UK.

I received 2 different emails overnight containing this ransomware, both very similar and written in bad English or machine-translated from a foreign language. These emails all come from admin[at]floraman.ru and pass all authentication checks (SPF & DKIM), so they are likely to be delivered to the recipient.

One had a zip attachment containing a macro-enabled Word doc. The second was a .rar with a .exe inside it. The Word doc contacts a remote site & downloads a .exe file which is identical to the exe file inside the .rar. The Word doc runs its macros on close, so a victim doesn’t realise anything is happening until after they close Word.

Remember, many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com>. That is why these scams and phishes work so well.

Prise list.zip extracts to Prise list.doc

[...]

This encrypts almost everything on the computer, including, it appears, its own dropper.

The encrypted files get renamed to email-biger[at]x-mail.pro.ver-CL 1.5.1.0.id-2094653670-9835384014918344629827.fname-Prise list.doc.doubleoffset.

The ransom text, which is in every folder as well as a displayed version on the desktop, asks you to email the criminal to get decrypted:

Your files was encrypted! To decrypt write us
biger[at]x-mail.pro
biger[at]x-mail.pro
biger[at]x-mail.pro
(edited for security reasons)
[...]"

More information on the format of the spam mail can be found at the source.



===========================================================
Good news:
I checked the payload link, and it was down by the time I checked.

Malware Vault link: https://malwaretips.com/threads/criakl-ransomware-24-12-2018.88838/
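A defender-side helper, added here and not part of the post or its source: it parses the encrypted-file naming scheme quoted above (assumed to be the fixed layout email-<contact>.ver-<version>.id-<victim id>.fname-<original name>.<new extension>, with "[at]" taken as forum redaction of "@") and triages a constructed directory listing so a responder can list the renamed files, recover the original names to expect back, and count ransom notes.

```python
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# Layout of the renamed files quoted in the post (assumed to be fixed):
#   email-<contact>.ver-<version>.id-<victim id>.fname-<original name>.<new ext>
# Address and version contain dots, so groups anchor on the literal ".ver-", ".id-", ".fname-".
ENCRYPTED_NAME = re.compile(
    r"^email-(?P<email>.+?)\.ver-(?P<ver>.+?)\.id-(?P<id>[0-9-]+)"
    r"\.fname-(?P<orig>.+)\.(?P<ext>[^.]+)$"
)
RANSOM_NOTE_MARKER = "Your files was encrypted!"  # first line of the note

def parse_encrypted_name(name: str) -> Optional[dict]:
    """Fields embedded in a renamed file, or None if the name does not match."""
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    fields = m.groupdict()
    fields["email"] = fields["email"].replace("[at]", "@")  # undo forum redaction
    return fields

def triage_listing(entries: Iterable[Tuple[str, Optional[str]]]) -> dict:
    """entries: (filename, first line of content or None). Returns renamed files,
    original names to expect after recovery, contacts, victim IDs, note count."""
    renamed, originals, notes = [], [], 0
    contacts, victim_ids = Counter(), Counter()
    for name, first_line in entries:
        info = parse_encrypted_name(name)
        if info:
            renamed.append(name)
            originals.append(info["orig"])
            contacts[info["email"]] += 1
            victim_ids[info["id"]] += 1
        elif first_line and first_line.startswith(RANSOM_NOTE_MARKER):
            notes += 1
    return {"renamed": renamed, "originals": originals, "contacts": dict(contacts),
            "victim_ids": dict(victim_ids), "ransom_notes": notes}

# Constructed listing: the post's name, a made-up second victim file, the note, a clean file.
VICTIM = "email-biger[at]x-mail.pro.ver-CL 1.5.1.0.id-2094653670-9835384014918344629827"
SAMPLE = [
    (VICTIM + ".fname-Prise list.doc.doubleoffset", None),
    (VICTIM + ".fname-budget 2018.xlsx.doubleoffset", None),
    ("README.txt", "Your files was encrypted! To decrypt write us"),
    ("notes.txt", "meeting at 10"),
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE))
```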
