Also known as: CrySiS, Dharma, Ransom.Crysis, Win32:Malware-gen, Dropped:Generic.Ransom.Crysis.A6C1BB89, Win32/Filecoder.Crysis.H, HEUR:Trojan.Win32.Generic, Ransom:Win32/Troldesh.C
Category: Malware
Type: Ransomware, crypto virus, files locker
Platform: Windows
Variants: .wallet, .arena, .cobra, .java, .arrow, .cmb, .gamma, .brrr, .btc, .onion, .xtbl, .xwx, .viper1, .write, .bip, .taurus, .monro, .phobos, .adobe, .aes256, .combo, .bkp, .shadow, .djvu
Damage potential: Data theft, data loss, money extortion, compromised system functions
Overview
Crysis ransomware and its variants — active since 2016 — usually infiltrate systems through exposed Remote Desktop Protocol (RDP) ports. Once Crysis gains access, it installs itself onto the system, scans for specific file extensions (documents, images, and databases), encrypts them, and demands a ransom.
Possible symptoms
- Personal or system files inaccessible and appended with a strange extension
- A ransom note (e.g., “HOW_TO_RECOVER_FILES.txt”) present on the system (for example, on the desktop)
- Slow system performance
- Unusual network traffic
- Unidentified processes in the Task Manager
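The first two symptoms above (files with an appended extension and a ransom note) can be checked for mechanically. The following is an added example, not code from the original page: it scans a list of file paths for files that end in one of the variant extensions listed on this page while still carrying their original extension (for instance report.docx.arena), and for the ransom note name the page gives. The sample paths are constructed for the demonstration, and the ".id-<hex>.[contact]" segment that the example treats as a high-confidence marker is an assumption not stated on the page.

```python
"""Scan file paths for Crysis/Dharma-style indicators (added example, not from the page)."""
import os
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Extensions copied from the page's "Variants" line (leading dots removed).
CRYSIS_EXTENSIONS = {
    "wallet", "arena", "cobra", "java", "arrow", "cmb", "gamma", "brrr", "btc",
    "onion", "xtbl", "xwx", "viper1", "write", "bip", "taurus", "monro",
    "phobos", "adobe", "aes256", "combo", "bkp", "shadow", "djvu",
}

# Ransom note file name given on the page; matched case-insensitively.
RANSOM_NOTE_NAMES = {"how_to_recover_files.txt"}

# Assumption (not stated on the page): an ".id-<hex>.[contact]" segment is
# often inserted before the appended extension. Its presence raises the
# confidence of a hit but is not required for one.
ID_SEGMENT = re.compile(r"\.id-[0-9a-f]{6,}\.\[[^\]]+\]\.", re.IGNORECASE)


def classify_path(path: str) -> Optional[str]:
    """Return 'ransom_note', 'encrypted_file', or None for a single path."""
    name = PureWindowsPath(path).name.lower()  # handles both \ and / separators
    if name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    parts = name.split(".")
    # Require base name + original extension + appended extension,
    # e.g. report.docx.arena, so that a plain Main.java is not flagged.
    if len(parts) >= 3 and parts[-1] in CRYSIS_EXTENSIONS:
        return "encrypted_file"
    return None


def scan_paths(paths: List[str]) -> Tuple[List[Dict[str, str]], Dict[str, int]]:
    """Classify every path; return the list of hits and a per-kind count."""
    hits = []
    for path in paths:
        kind = classify_path(path)
        if kind is None:
            continue
        high = kind == "ransom_note" or ID_SEGMENT.search(path) is not None
        hits.append({"path": path, "kind": kind,
                     "confidence": "high" if high else "low"})
    return hits, dict(Counter(h["kind"] for h in hits))


def scan_directory(root: str) -> Tuple[List[Dict[str, str]], Dict[str, int]]:
    """Walk a real directory tree and scan every file path found under it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_paths(paths)


# Constructed sample paths: one clean user tree with a few infected entries.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\budget.xlsx.id-1A2B3C4D.[contact@example.invalid].arena",
    r"C:\Users\alice\Desktop\HOW_TO_RECOVER_FILES.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.combo",
    r"C:\src\app\Main.java",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    found, counts = scan_paths(SAMPLE_PATHS)
    for hit in found:
        print(f"{hit['confidence']:<5} {hit['kind']:<15} {hit['path']}")
    print("summary:", counts)
```

A few of the variant extensions (.java, .write, .shadow) collide with legitimate file names, which is why a bare extension match is reported as low confidence; a ransom note or the id segment on the same volume is the corroboration worth looking for before treating the host as infected.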
Sources of the infection
- Exposed RDP. Attackers usually break in through RDP endpoints exposed to the internet and then deploy Crysis on the victim’s system.
- Malicious emails. Infected attachments or links in emails distribute malware, including ransomware like Crysis.
- Exploit kits. Attackers can exploit your operating system or software vulnerabilities to deliver the ransomware payload.
- Malicious downloads. You may download the malware yourself, bundled with legitimate software.
Protection
- Backups. Keep a backup of your essential data — and store it offline or in a secure cloud. Once launched, Crysis deletes the restore points on the computer, so a backup kept only on the infected machine will not survive.
- Secure RDP. Disable RDP if you’re not using it, and don’t leave it reachable from the internet if you are.
- Online security basics. Regularly update all software, use strong passwords, and employ 2FA when possible.
- Antivirus. Use reliable security solutions that block ransomware.
- Use NordVPN’s Threat Protection Pro. It scans your downloads and blocks those that are malicious. Threat Protection Pro also warns you before you open a website known to host malware.
Removal
- Isolate. Disconnect infected systems from the network to prevent Crysis from spreading.
- Remove and restore. Use reputable anti-malware tools to remove Crysis, then restore your files from backup. For some variants, the dedicated Crysis decryptor (Rakhni Decryptor) can recover files.
- Clean install. If nothing else works, wipe the system and perform a clean OS installation.
Note: Do not pay the ransom. There's no guarantee of getting your files back — and by paying the attackers, you will support the cybercriminal industry.