The Return of Fantomas, or How We Deciphered Cryakl
(Jul 17, 2018)
Belgian police were able to take control of the Command and Control (C2) servers of the “Cryakl” ransomware in February 2018 and subsequently gave Kaspersky Lab researchers the private keys. The researchers used the keys to update the “RakhniDecryptor” tool to assist individuals who have been affected by the malware. Cryakl has been active since at least 2014 and is distributed via emails with malicious attachments. Identified malicious attachments observed to be used to distribute Cryakl include the following: JS script loading a trojan, Office document with a malicious macro, and a PDF document with a link to an executable.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service like Box or Dropbox, to avoid potential malicious activity.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.