New Cobra Crysis Ransomware Variant Released
A new variant of the Crysis ransomware, known as Cobra, has appeared that uses an encryption method that renders files unrecoverable.
Cobra Ransomware is mainly distributed through spam email attachments, peer-to-peer sharing of network, freeware and shareware downloads, via exploit kits, visiting suspicious sites etc.
Previously, Crysis was delivered by Remote Desktop Protocol (RDP) brute-force attack, although it is unclear how this new variant is being distributed. Once installed Cobra scans for data files on local drives, mapped network drives and unmapped network shares before encrypting them. It will then seek to delete all backups and shadow volume copies.
Once the ransomware is tricked into a system, it will check a PC for data files and encrypt them. While encoding a record, it will attach an extension in the arrangement of .id-[id].[email].cobra. For instance, a record called test.jpg would be encoded and renamed to test.jpg.id-BCBEF350.[[email protected]].cobra.
It is not possible to decrypt .cobra files at present, with the only way to restore files being a separate backup.
Resolution
As with all forms of zero-day malware the first line of defence against new variants of ransomware is user awareness and safe working practices.
To avoid becoming infected with ransomware, ensure that:
- A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
- All operating systems, antivirus and other security products are kept up to date.
- All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned on the basis of least privilege.
To limit the damage of ransomware and enable recovery:
All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware.
Multiple backups should be created including at least one off-network backup (e.g. to tape).
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.