Bleeping Computer has reported a new ransomware family known as CSTO or Cry, named after the fictitious "Central Security Treatment Organization" that the malware claims to represent. The threat has several features that are uncommon among ransomware, such as geolocating the victim through the Google Maps API.
CSTO Communicates with Its C&C Servers via UDP
In terms of distribution, CSTO does not stand out from other malware: it arrives through spam email messages and malicious links. Once it runs, the user's files are encrypted and renamed with the .cry extension. Like the well-known Cerber family, CSTO talks to its remote C&C infrastructure over UDP.
The malware also profiles the compromised system, collecting the Windows version, user name, computer name and CPU model. This information is sent by UDP to 4096 IP addresses, but only one of them is the real C&C server; the others are decoys intended to hide the true server from anyone inspecting the traffic. The same fan-out is also a conspicuous signal on the network, because a single host contacting thousands of distinct addresses within seconds is rarely legitimate.
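The fan-out described above can be detected without knowing which of the 4096 addresses is the real server. The following is an added example (not code from the article or from any analysis of the malware): a small hunt over NetFlow-style records that flags any source host whose distinct UDP destinations in a sliding window exceed a threshold. The record format, the 10.200.0.0/20 decoy range, the destination port and the 60-second/1000-destination thresholds are all assumptions for illustration, and the flow records are constructed inline.

```python
"""Network-side detection for the UDP beaconing pattern: one source host
sending datagrams to thousands of distinct addresses in a short window.
Added example; the flow records below are constructed, not captured."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


def parse_flow(line: str) -> Tuple[datetime, str, str, str, int]:
    """Parse a constructed 'timestamp src dst proto dport' flow record."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.upper(), int(dport)


def udp_fanout(lines: Iterable[str], window_seconds: float = 60,
               threshold: int = 1000) -> Dict[str, int]:
    """Return {src: peak distinct UDP destinations seen inside any window}
    for every source whose peak reaches the threshold (assumed values)."""
    window = timedelta(seconds=window_seconds)
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ts, src, dst, proto, _ = parse_flow(line)
        if proto == "UDP":
            per_src[src].append((ts, dst))

    alerts: Dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()                 # chronological order per source
        live: Counter = Counter()     # destinations currently inside the window
        left = peak = 0
        for ts, dst in events:
            live[dst] += 1
            while ts - events[left][0] > window:   # slide the window's left edge
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            peak = max(peak, len(live))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def constructed_flows() -> List[str]:
    """Build sample records: a benign host doing DNS lookups, plus an infected
    host sending one datagram to each of 4096 addresses in 10.200.0.0/20
    (the decoy range, port and timing are placeholders, not real indicators)."""
    base = datetime(2016, 9, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()} 10.0.0.5 10.0.0.1 UDP 53"
             for i in range(12)]
    for i in range(4096):             # roughly 41 seconds of beaconing, 10 ms apart
        ts = (base + timedelta(milliseconds=10 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 10.200.{i >> 8}.{i & 255} UDP 7777")
    return lines


if __name__ == "__main__":
    for host, peak in udp_fanout(constructed_flows()).items():
        print(f"ALERT {host}: {peak} distinct UDP destinations in one window")
```

Tune the window and threshold to the environment: the infected host here reaches 4096 distinct destinations in about 41 seconds, while a DNS-heavy server or a P2P client can legitimately approach a few hundred, so the threshold should sit well above the site's observed baseline.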
CSTO demands 1.1 Bitcoins for the decryption of the victim's files. A notable part of its pressure on the victim is location tracking: the malware collects the SSIDs of nearby wireless networks and submits them to the Google Maps geolocation API, which returns an approximate physical location for the machine. Public sites such as Imgur and Pastee are used to host the collected information.
As with other ransomware, the code deletes the Volume Shadow Copies on the victim system to reduce the chance of recovering files without paying. For persistence, a randomly named scheduled task is created that runs at every user logon. The ransom note is placed on the desktop and, as is usual, directs the victim to a payment site reachable only over the Tor network.
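Both of the host-side actions above (shadow copy deletion and a logon-triggered scheduled task) are visible in process-creation telemetry. The following is an added example, not code from the article or from the malware analysis: a hunt over constructed Sysmon-style process events. It assumes the shadow copies are removed with vssadmin or wmic and the task is registered with schtasks /SC ONLOGON, which are the common built-in methods; the article does not state which tools CSTO uses. Paths, PIDs and the task name are invented.

```python
"""Host-side hunt for shadow copy deletion and logon-triggered scheduled
tasks, correlated back to a common parent process. Added example; the
events below are constructed in the shape of Sysmon Event ID 1 fields."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed process-creation events; every path, PID and task name is invented.
SAMPLE_EVENTS = [
    {"pid": 1012, "ppid": 800, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 2204, "ppid": 1012, "image": r"C:\Users\victim\AppData\Roaming\uqzt.exe",
     "cmd": r"C:\Users\victim\AppData\Roaming\uqzt.exe"},
    {"pid": 2210, "ppid": 2204, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 2215, "ppid": 2204, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /SC ONLOGON /TN "k3v9qd" /TR "C:\Users\victim\AppData\Roaming\uqzt.exe"'},
    # Benign control: an administrator scheduling a daily backup job
    {"pid": 2230, "ppid": 1012, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /SC DAILY /TN "NightlyBackup" /TR "C:\Tools\backup.exe"'},
]

RULES = {
    # Shadow copy deletion through the two most common built-in tools (assumed method)
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    # A task that fires at every logon, the persistence trigger named in the article
    "logon_scheduled_task": re.compile(
        r"schtasks(\.exe)?\s+/create\b.*?/sc\s+onlogon\b", re.I),
}
# A logon task whose action lives under a user profile is more suspicious still
USER_PROFILE_ACTION = re.compile(r'/tr\s+"?[a-z]:\\users\\', re.I)


def match_rules(event: Dict) -> List[str]:
    """Names of the rules an event's command line triggers (possibly none)."""
    hits = [name for name, rx in RULES.items() if rx.search(event["cmd"])]
    if "logon_scheduled_task" in hits and USER_PROFILE_ACTION.search(event["cmd"]):
        hits.append("task_action_in_user_profile")
    return hits


def hunt(events: List[Dict]) -> Dict[int, List[str]]:
    """Map each matching pid to the rule names it triggered."""
    findings: Dict[int, List[str]] = {}
    for event in events:
        hits = match_rules(event)
        if hits:
            findings[event["pid"]] = hits
    return findings


def correlate_by_parent(events: List[Dict]) -> Dict[int, List[str]]:
    """Parents whose children triggered BOTH shadow deletion and logon
    persistence: the pairing is the ransomware pattern, either alone is noisier."""
    by_parent: Dict[int, set] = defaultdict(set)
    for event in events:
        by_parent[event["ppid"]].update(match_rules(event))
    wanted = {"shadow_copy_deletion", "logon_scheduled_task"}
    return {ppid: sorted(rules) for ppid, rules in by_parent.items() if wanted <= rules}


if __name__ == "__main__":
    for pid, rules in hunt(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(rules)}")
    for ppid, rules in correlate_by_parent(SAMPLE_EVENTS).items():
        print(f"parent {ppid} spawned both behaviours: {', '.join(rules)}")
```

Shadow copy deletion on its own is occasionally legitimate (backup agents, disk cleanup), so the correlation step matters: a single parent process that both wipes the shadow copies and installs a logon task pointing into a user profile is the combination worth paging on.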
At the time of writing, no publicly available free decryption tool can recover files encrypted by CSTO, so restoring from backups that the malware could not reach remains the only reliable way to get the data back.