“CRY” Ransomware converts the files in .PNG & Uploads to Free Image Uploading sites

A new Ransomware Crylocker using legitimate services like Google Maps, Pastee and Imgur.


Recently a brand new ransomware is discovered by the MalwareHunter team that known by Crylocker. This ransomware is spotted by the researchers in end of the August 2016. Cry ransomware uses UDP instead of TCP and communicates using the legitimates websites services of Google maps, Pastee and Imgur. Researchers also noticed that Crylocker infect users and locked numerous types of files and after that in doesn’t send this data to the remote cyber hackers but it converts all files as a PNG files and later uploaded to the websites like Imgur and other sites.

Crylocker Ransomware Spreads like plague

The victim’s of Cry Ransomware crosses over 10 thousand mark and it still going on . According to the discover of Trend Micro Researchers “PNG is valid file header, if it doesn’t contain an image but it contain the system information in ASCII code”. According to the MalwareHunter experts they didn’t found any victim’s from UK and US. Trend Micro says this ransomware avoids to decode some languages like Kazakh, Belorussian, Uzbek and Ukrainian.

png header

Crylocker Ransomware proliferate via exploit packs

Crylocker uses the name of Central Security Treatment Organization Ransomware name in the very early stage. It changed in released versions after September 5, and  it also start using RIG exploit instead of The Sundown exploit pack.

It uses the name  central security treatment organization for the Tor based payment websites. When it sends ransom notes to the infected user’s system this ransomware changes the desktop but it leaves ransom notes in .txt and .html formats.

Cry Ransomware awe victim’s to show their location on Google map

This ransomware creators extort 1.1 Bitcoin to the decryption key for the users file. This ransomware collects users information from web and show their location on Google map to threaten the victim.

After infection of this ransomware all your files locked by .cry file extension and there is not any free decryptor tool available on the Internet that allow the victim to recover their lost files for free. You can not recover via shadow volume copies because it deletes them after encryption. It totally different from ransomware because first it encrypts and then it delete the original source files.