A new strain of ransomware called “Cry” encrypts data and appends a .cry extension to the affected files. It harvests your location data from Google Maps and pastes it as an image onto imgur.com.
A lot of ransomware variants simply send the victim’s information directly to the attacker’s Command and Control (C&C) servers. Cry, however, uses Portable Network Graphics (PNG) image files to document the victim’s information, which can include the location and the list of encrypted files. It then uploads the picture directly to an album on a public image-sharing site such as Imgur.
Security researchers say that one of the reasons hackers are using these tactics is to hide their location and identities. It is another step in their smoke-and-mirrors strategy in case they have to change their C&C IP addresses. A PNG file containing the victim’s information is uploaded to an Imgur account each time a new victim is infected. This image gets a unique file name and is broadcast to the 4096 IP addresses it uses (hidden among these IPs is the real C&C server). This way a record of the victim will always be accessible.
If the Imgur upload fails, Cry will attempt to post the information to pastee.org instead. Ultimately, if both the Imgur and pastee.org uploads fail, the information is relayed directly to the same 4096 IP addresses using UDP port 4444. Researchers say that the attackers chose UDP to further hide the C&C server’s real address. Other user information said to be gathered by Cry includes the Wi-Fi access point used by the target machine, the keyboard layout and the system’s language.
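The last-resort beacon described above (one datagram to each of 4096 addresses on UDP/4444) has a network footprint a defender can look for: a single internal host fanning out to an unusually large number of distinct destinations on one obscure UDP port. The following detection script is an added example, not code from the article or from Komando.com; the log format, the 10.0.0.x sources and the 100.64.0.0/20 destination range are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical firewall-log format (constructed for this example):
#   <timestamp> <src_ip> <dst_ip> <proto> <dst_port>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\w+)\s+(\d+)$")

def build_sample_log():
    """Constructed sample traffic: one host that reproduces Cry's fallback
    beacon (one datagram to each of 4096 addresses on UDP/4444) plus
    ordinary traffic from other hosts."""
    base = int(ipaddress.IPv4Address("100.64.0.0"))  # constructed destination range
    lines = [f"2016-09-12T10:00:00 10.0.0.5 {ipaddress.IPv4Address(base + i)} UDP 4444"
             for i in range(4096)]
    lines += [
        "2016-09-12T10:00:01 10.0.0.8 192.0.2.53 UDP 53",      # normal DNS lookup
        "2016-09-12T10:00:02 10.0.0.8 203.0.113.10 TCP 443",   # normal HTTPS session
        "2016-09-12T10:00:03 10.0.0.9 203.0.113.44 UDP 4444",  # one UDP/4444 flow: benign
        "malformed line that the parser should skip",
    ]
    return lines

def parse(lines):
    """Yield (timestamp, src, dst, proto, dport) tuples, skipping unparseable lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ts, src, dst, proto, dport = m.groups()
        yield ts, src, dst, proto.upper(), int(dport)

def udp4444_fanout(lines):
    """Map each source IP to the set of distinct destinations it hit on UDP/4444."""
    fanout = defaultdict(set)
    for _, src, dst, proto, dport in parse(lines):
        if proto == "UDP" and dport == 4444:
            fanout[src].add(dst)
    return fanout

def suspicious_sources(lines, threshold=100):
    """Sources whose UDP/4444 fan-out meets the threshold. The signal is the
    number of distinct destinations, not byte volume: a legitimate host rarely
    talks to dozens of different peers on a single uncommon UDP port."""
    return sorted(src for src, dsts in udp4444_fanout(lines).items()
                  if len(dsts) >= threshold)

if __name__ == "__main__":
    log = build_sample_log()
    for src in suspicious_sources(log):
        print(f"{src}: {len(udp4444_fanout(log)[src])} distinct UDP/4444 destinations")
```

The threshold is a tuning knob: set it from a baseline of your own network's normal per-host fan-out rather than from the 4096 figure, since a partially blocked beacon will still show far fewer destinations than that.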
Not all languages are affected.
Interestingly, Cry does not activate if it detects one of the following system languages: Russian, Kazakh, Belarusian, Sakha, Ukrainian or Uzbek. This strongly suggests that Cry originates from Russia or another country of the Commonwealth of Independent States. We know that some of the biggest hackers come from Russia because we’ve caught some of them.
To protect your website against ransomware, we recommend software security products like those offered by Trust Guard, the leader in website security and verification. If your website embeds an instance of Google Maps, hackers won’t be able to access it. Trust Guard can monitor your site for ransomware and for 75,000 vulnerabilities used by hackers to access your website.
Special thanks to Komando.com for much of the information found in this article.