Files are locked using the dual AES+RSA encryption scheme, also seen in many other top-shelf ransomware families. An AES key is used to lock the files, and the AES key and IV are then encrypted with an RSA public key. The ransomware’s C&C server holds the private RSA key that allows crooks to unlock the user’s files.
Crypton only searches and encrypts the following files.
.xlsx, .cdr, .xls, .vsd, .docx, .doc, .jpg, .pdf, .xml, .dat, .psd, .cd, .txt, .tbb, tbn, .db, .dbx, .pst, .ppt, .pptx, .png, .tiff, .rtf, .htm, .html, .mht, .zip, .rar, .7z, .dbf, .mdb
When it locks a file, Crypton will append “_crypt” at the end of each file name, leaving the original file extension intact, as such: image.png —> image_crypt.png.
Ever since the ransomware takes root on a system, it constantly pings its C&C server. When the encryption process ends, the ransomware flips the “isDone” flag to true, notifying the crooks that its job has been done.
At the time of writing, the C&C server is down. Over the last two days, accessing the server URL yielded an image and quote from Oscar Wilde. This message is now gone, and the URL serves a 404 page.
Once the encryption ends, the ransomware shows the following ransom note, either in English or Russian, depending on the user’s PC language. In the versions recently observed, Crypton asked for ransoms ranging from 0.2 to 2 Bitcoin payment, which is in the $150 – $1,500 range.
Additionally, the following text, in both English and Russia, is dropped via text files on the victim’s PC.
At the time of writing, there’s no known method for recovering files locked by Cryption. For assistance with a Crypton infection, please feel free to contact Bleeping Computer experts through our ransomware support forum.
During its installation, Crypton will alter the Windows Registry to gain boot persistence.