cris

[Content by Gemini 2.5]


Ransomware Deep-Dive: “Cris” (a.k.a. “CrySiS”, a.k.a. “Dharma”)

Expert reference compiled for defenders who need immediate clarity and step-by-step guidance.


1. Technical Breakdown

| Attribute | Cris / CrySiS / Dharma Behavior |
|---|---|
| File Extension | .cris (historical); later incarnations append .dharma, .cezar, .arrow, .bip, .combo, .adobe, .{unique-id}.cris, etc. Always look for the double-extension pattern: filename.ext.id-[XXXXXXXX].[attacker-e-mail].cris |
| Renaming Convention | OriginalFile.doc → OriginalFile.doc.id-314BC321.[attacker-e-mail].cris |
| Approx. Start Date | First spotted June 2016. The wave of .cris-specific infections peaked Q4-2016. Re-emerged repeatedly, tied to Dharma forks, through 2023. |
| Primary Attack Vectors | 1. RDP brute-force / credential stuffing (port 3389, exposed 0-days, weak passwords). 2. Phishing e-mails with macro-laced .7z, .iso, .exe attachments mimicking invoices/tickets. 3. Exploitation of outdated Java RMI, JBoss, MS-SQL, and CVE-2018-8174 (IE VBScript engine). 4. Supply-chain installers (software cracks, keygens, KMSpico). 5. Legitimate tools abused for lateral movement: PsExec, TeamViewer, AnyDesk. |
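The double-extension naming convention above is the fastest way to triage a file share or endpoint listing during response. The following is an added example (not part of the original card): a parser that recognises the filename.ext.id-XXXXXXXX.[e-mail].family pattern, extracts the victim id, attacker contact and family extension, and summarises a listing. The victim id is assumed to be 8 hex characters, the e-mail brackets may appear doubled (as they do on this card), and the sample listing and e-mail addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Family extensions named on the card; anything else that still matches the
# rename pattern is reported separately as an unknown variant.
DHARMA_FAMILY_EXTENSIONS = {"cris", "dharma", "cezar", "arrow", "bip", "combo", "adobe"}

# <original name>.<ext>.id-<8 hex>.[<attacker e-mail>].<family ext>
# Assumption: 8 hex characters for the id; one or more brackets around the e-mail.
RENAME_RE = re.compile(
    r"^(?P<original>.+?\.(?P<orig_ext>[^.\\/]+))"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[+(?P<email>[^\]\s]+@[^\]\s]+)\]+"
    r"\.(?P<family_ext>[A-Za-z0-9]+)$"
)


@dataclass
class RenameMatch:
    original_name: str
    original_ext: str
    victim_id: str
    attacker_email: str
    family_ext: str
    known_family_ext: bool


def parse_encrypted_name(filename: str) -> Optional[RenameMatch]:
    """Return the decomposed rename if the filename follows the CrySiS/Dharma pattern."""
    m = RENAME_RE.match(filename)
    if not m:
        return None
    fam = m.group("family_ext").lower()
    return RenameMatch(
        original_name=m.group("original"),
        original_ext=m.group("orig_ext").lower(),
        victim_id=m.group("victim_id").upper(),      # normalise case for correlation
        attacker_email=m.group("email").lower(),
        family_ext=fam,
        known_family_ext=fam in DHARMA_FAMILY_EXTENSIONS,
    )


def triage_listing(filenames: List[str]) -> dict:
    """Summarise a directory listing: hit count, victim ids, attacker contacts, extensions seen."""
    hits = [r for r in map(parse_encrypted_name, filenames) if r is not None]
    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({h.victim_id for h in hits}),
        "attacker_emails": sorted({h.attacker_email for h in hits}),
        "family_exts": sorted({h.family_ext for h in hits}),
        "unknown_family_exts": sorted({h.family_ext for h in hits if not h.known_family_ext}),
    }


# Constructed listing: two files from one victim id, one unknown variant, one untouched file.
SAMPLE_LISTING = [
    "Budget.xlsx.id-314BC321.[restore@example.com].cris",
    "Report.docx.id-314bc321.[[restore@example.com]].dharma",
    "notes.txt",
    "photo.jpg.id-ABCDEF01.[unlock@example.org].newext",
    "archive.tar.gz.id-314BC321.[restore@example.com].cris",
]

if __name__ == "__main__":
    for k, v in triage_listing(SAMPLE_LISTING).items():
        print(f"{k}: {v}")
```

Point it at `os.listdir()` output or an exported share inventory; a non-empty `unknown_family_exts` means the ID-Ransomware check in section C is the next step, because the free legacy decrypter only knows the original extensions.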


2. Remediation & Recovery Strategies

A. Critical Prevention First

  1. Disable RDP from the Internet – block port 3389 at the perimeter; require VPN + MFA.
  2. Enforce Complex Passwords / Account Lockout – 25–40-character passwords or pass-phrases; enable an Account Lockout Policy: 5 failed attempts = 30 min lock.
  3. Patch OS and Critical Apps – especially Adobe, Java, MS17-010 (EternalBlue patch).
  4. Application Control (AppLocker / WDAC / allow-listing) – block anything not signed by a trusted publisher.
  5. E-mail Filtering & User Awareness – block .7z, .vbs, .js, .exe, .iso; sandbox attachments; train staff with phishing simulations.
  6. Offline, Immutable Backups – 3-2-1 rule; Veeam immutability or AWS S3 Object Lock; test restores bi-monthly.

B. Infection Cleanup Workflow

(Works for Windows 7/10/11, Server 2012-2022)

  1. Isolate – pull the Ethernet cable / disable Wi-Fi; power off VMs that have snapshots; block the affected VLAN at the firewall.
  2. Boot to Safe Mode w/ Networking (or WinRE → Startup Repair → Command Prompt).
  3. Take Memory/Forensic Image (for SOC / IR team).
  4. Malware Removal
  • Run Malwarebytes Endpoint, ESET Online Scanner, Kaspersky Virus Removal Tool in Safe Mode.
  • Delete persistence artefacts:

    C:\Users\[username]\AppData\Roaming\Oracle\Java\*
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ “SysWin,” “mstask.exe,” etc.
  5. Verify Integrity & Telemetry
  • Compare against the clean baseline state (System Center Configuration Manager / Desired State Configuration).
  • Check Windows Logs (Security, System, Application → source “TerminalServices-RemoteConnectionManager”).
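The log check in step 5 is where the RDP brute-force entry described in section 1 usually shows up: a burst of failed logons (Security event 4625, logon type 10 = RemoteInteractive) from one source address, followed by a successful logon (4624, type 10) from the same address. The following is an added example (not part of the original card) that runs that correlation over an export, using the card's own lockout numbers (5 failures in 30 minutes) as the threshold. It assumes the Security log has been exported as CSV lines with timestamp, event id, logon type, account and source IP; the events below are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed Security-log export (not real telemetry).
# Columns: timestamp, event id (4625 failed / 4624 success), logon type (10 = RDP), account, source IP.
SAMPLE_EVENTS = """\
2023-05-01T02:00:01,4625,10,administrator,203.0.113.7
2023-05-01T02:00:03,4625,10,admin,203.0.113.7
2023-05-01T02:00:05,4625,10,backup,203.0.113.7
2023-05-01T02:00:07,4625,10,scanner,203.0.113.7
2023-05-01T02:00:09,4625,10,jsmith,203.0.113.7
2023-05-01T02:00:11,4625,10,jsmith,203.0.113.7
2023-05-01T02:01:30,4624,10,jsmith,203.0.113.7
2023-05-01T08:15:00,4625,10,mlee,198.51.100.4
2023-05-01T08:15:20,4624,10,mlee,198.51.100.4
2023-05-01T09:00:00,4624,2,svc_print,-
"""


def parse_events(text: str) -> List[Dict]:
    """Parse the CSV export into dicts, sorted by time so the sliding window works."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, source_ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "source_ip": source_ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events: List[Dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Flag source IPs with >= threshold failed RDP logons inside the window,
    and escalate when a successful RDP logon from that IP follows."""
    alerts: List[Dict] = []
    recent = defaultdict(deque)   # source_ip -> deque of (ts, account) for recent 4625s
    flagged = set()               # IPs already reported for the burst itself
    for e in events:
        if e["logon_type"] != 10:            # only RemoteInteractive (RDP) logons matter here
            continue
        bucket = recent[e["source_ip"]]
        while bucket and e["ts"] - bucket[0][0] > window:
            bucket.popleft()                  # expire failures outside the window
        if e["event_id"] == 4625:
            bucket.append((e["ts"], e["account"]))
            if len(bucket) >= threshold and e["source_ip"] not in flagged:
                flagged.add(e["source_ip"])
                alerts.append({
                    "severity": "high",
                    "source_ip": e["source_ip"],
                    "at": e["ts"].isoformat(),
                    "accounts_tried": sorted({a for _, a in bucket}),
                    "reason": f"{len(bucket)} failed RDP logons within {window}",
                })
        elif e["event_id"] == 4624 and len(bucket) >= threshold:
            alerts.append({
                "severity": "critical",
                "source_ip": e["source_ip"],
                "at": e["ts"].isoformat(),
                "accounts_tried": sorted({a for _, a in bucket}),
                "reason": f"RDP logon as '{e['account']}' after {len(bucket)} failures",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(a["severity"].upper(), a["source_ip"], a["at"], a["reason"])
```

A single user mistyping a password twice (198.51.100.4 above) produces nothing; the critical alert is the one that should drive the forensic image in step 3, since the successful logon timestamp bounds when the attacker first had an interactive session.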

C. File Decryption & Recovery

| Decryption Option | Availability / Status |
|---|---|
| Free decrypter (released by ESET & CERT-PL, Jan-2017, after victim keys leaked) | Only works for the original 2016 CrySiS master keys. Newer Dharma forks use unique RSA keypairs, so files are irrecoverable without the attacker's private key. |
| Paid decryption | Do not pay: correlation studies show 17 % of paying victims never receive the decryptor, and law enforcement sees >50 % double-extortion. |
| Recommendations | Check your version with ID-Ransomware (https://id-ransomware.malwarehunterteam.com). If the free tool does not recognize the sample, proceed to offline restore from the last known-good backup. |

D. Essential Tools & Patches

| Tool / Patch | Recommended Download Link | Use Case |
|---|---|---|
| ESET CrySiS Decryptor (v1.0.0.2) | https://support.eset.com/en/kb3306 | Check historical .cris/.dharma samples |
| Kaspersky “RakhniDecryptor” | https://support.kaspersky.com/downloads/utils | Alternate legacy tool |
| Microsoft EMET / Windows Defender Exploit Guard | Built-in on Win 10+ | Blocks process injection vectors |
| CrowdStrike IOC script (.cmd) | CrowdStrike GitHub | Hunt for CrySiS LOLBins |
| Microsoft Security Baselines | https://techcommunity.microsoft.com/ | Hardened Group Policy objects |
| PingCastle / BloodHound | https://pingcastle.com | Identity tier vulnerability scan |


E. Other Critical Information

  1. Encryption order and speed: CrySiS is multi-threaded and encrypts files alphabetically per logical drive, so interrupting it while it is still working through System32 towards Users reduces data loss if spotted early.
  2. Double-Extortion Pivot: Newer Dharma strains exfiltrate data via MEGAsync.exe or PuTTY SCP to pCloud/MEGA before encryption; assume breach.
  3. Lateral Logic: An ever-present PsExec.exe, renamed “svhost.exe” and placed in SysWOW64, is used for propagation across LDAP.
  4. Bitcoin Address Rotation: Attackers change wallet per campaign; average ransom between 0.5–5 BTC (~USD 300–290k).
  5. Indicators (IOCs):
     Mutex: “Global\msa<random>”
     Registry: HKLM\SOFTWARE\Wow6432Node\Locky
     File hash (sample 2016-11-29), SHA-256: 3b2b36b5f3ffec4e0b2f00c8eac3bf0e11f7cb0500840c12c16d393e0b21f7cb

(Current samples change, use VT/OTX for up-to-date hash-set).
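The IOCs above, together with the persistence artefacts from the cleanup workflow (the Roaming\Oracle\Java staging directory and the “SysWin” / “mstask.exe” Run values), are enough for a first host sweep. The following is an added example (not part of the original card): it takes a host snapshot (file hashes, Run values, registry keys, open mutexes) and returns graded findings, matching the mutex name by pattern and the staging directory by path rather than by exact string. The snapshot format is an assumption of the example and the sample snapshot is constructed; the hash, key and names are the ones quoted on this card.

```python
import re
from typing import Dict, List, Tuple

# Indicators quoted from the card. Current samples differ (see the note above), so the
# hash set is expected to be refreshed from VT/OTX before a real sweep.
KNOWN_SHA256 = {"3b2b36b5f3ffec4e0b2f00c8eac3bf0e11f7cb0500840c12c16d393e0b21f7cb"}
MUTEX_RE = re.compile(r"^Global\\msa[A-Za-z0-9]+$", re.IGNORECASE)      # Global\msa<random>
SUSPICIOUS_REG_KEYS = {r"hklm\software\wow6432node\locky"}
SUSPICIOUS_RUN_VALUES = {"syswin", "mstask.exe"}
# C:\Users\<anyone>\AppData\Roaming\Oracle\Java\ ... (staging dir from the cleanup workflow)
STAGING_DIR_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\oracle\\java\\", re.IGNORECASE)


def _norm(value: str) -> str:
    """Normalise a path / command line / key for comparison: strip quotes and lower-case."""
    return value.strip().strip('"').lower()


def sweep_host(inventory: Dict) -> List[Dict]:
    """Grade a host snapshot against the card's indicators. Returns one finding per hit."""
    findings: List[Dict] = []
    for f in inventory.get("files", []):
        if f["sha256"].lower() in KNOWN_SHA256:
            findings.append({"type": "hash", "severity": "critical", "evidence": f["path"]})
        if STAGING_DIR_RE.match(_norm(f["path"])):
            findings.append({"type": "staging_dir", "severity": "high", "evidence": f["path"]})
    run_values: List[Tuple[str, str, str]] = inventory.get("run_values", [])
    for key, name, command in run_values:
        # Either the Run value name itself is a known one, or it launches from the staging dir.
        if _norm(name) in SUSPICIOUS_RUN_VALUES or STAGING_DIR_RE.match(_norm(command)):
            findings.append({"type": "persistence", "severity": "high",
                             "evidence": f"{key}\\{name} = {command}"})
    for key in inventory.get("registry_keys", []):
        if _norm(key) in SUSPICIOUS_REG_KEYS:
            findings.append({"type": "registry", "severity": "medium", "evidence": key})
    for mutex in inventory.get("mutexes", []):
        if MUTEX_RE.match(mutex):
            findings.append({"type": "mutex", "severity": "high", "evidence": mutex})
    return findings


# Constructed host snapshot (not real telemetry): one clean file, one staged dropper,
# one benign and one suspicious Run value, one hit key, one hit mutex.
SAMPLE_INVENTORY = {
    "files": [
        {"path": r"C:\Windows\System32\notepad.exe", "sha256": "0" * 64},
        {"path": r"C:\Users\bob\AppData\Roaming\Oracle\Java\javaw.exe",
         "sha256": "3b2b36b5f3ffec4e0b2f00c8eac3bf0e11f7cb0500840c12c16d393e0b21f7cb"},
    ],
    "run_values": [
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
         r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "SysWin",
         r'"C:\Users\bob\AppData\Roaming\Oracle\Java\javaw.exe"'),
    ],
    "registry_keys": [r"HKLM\SOFTWARE\Wow6432Node\Locky", r"HKLM\SOFTWARE\Microsoft"],
    "mutexes": [r"Global\msa4F2A9C1", r"Global\UnattendedSetup"],
}

if __name__ == "__main__":
    for hit in sweep_host(SAMPLE_INVENTORY):
        print(hit["severity"].upper(), hit["type"], hit["evidence"])
```

A hash hit is graded critical because it is exact; the path, name and mutex matches are graded high because they are pattern-based and a renamed dropper or a different random suffix would still be caught, at the cost of occasional review.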


Key takeaway: the original 2016 Cris (CrySiS/Dharma) encryption is obsolete, but its successor variants still drive millions in damage today. Your single strongest control: remove Internet-facing RDP and invest in offsite immutable backups.

Share this card liberally—when every endpoint is hardened and every admin has access to a bootable offline backup queue, this family becomes irrelevant.