CryFile - From 0-Day to detection in 48 hours

CUSTOMER ADVISORY WARNING: A new variant of CryFile ransomware.

What is known?

Why does it matter?

  • enSilo detects and stops a zero-day ransomware from encrypting files.

How do we do it?

  • Post-infection protection is required to block zero-day threats in real time; post-infection protection technologies are what can block a potential threat with an impact like WannaCry.

Top concern?

  • Known Anti-Virus companies have impressive results; nonetheless, the CCleaner, NotPetya and WannaCry attacks bypassed numerous traditional malware detection technologies, and only after a day had nearly all Anti-Virus products adapted and enabled detection. Timing is everything, and anti-virus products are a day behind, leaving entire organizations at risk of not detecting widespread, damaging attacks.

Learn about enSilo’s endpoint protection solution.

Sign Up for a Demo Today

Here is the proof: VirusTotal and our data


At the time of detection, the ransomware had a 0-day detection rate on VirusTotal.

Figure 1: 11.17.2017 – VirusTotal 0-day Detection Rate

The detection rate of this malware is still fairly low five days after this ransomware was first seen by VirusTotal:


Figure 2: 11.20.2017 – VirusTotal Low Detection Rate

Technical analysis of CryFile:


The CryFile ransomware binary file contains the following static characteristics:

Filename: fdbe.exe
SHA256 Hash: 2cc830c530ae1c03d9c4a8ffb74aa39d4393f524177edb0166125d88d795e3be
File size: 23552 bytes
File Compile Time: 2017-09-20 12:54:20

On execution, the CryFile ransomware does two main things:

1) Encrypts some of the files on the affected system.
2) Fills the affected system drive completely.

The CryFile ransomware encrypts some of the files on the affected system. The file types that the ransomware encrypts are:

1cd, 7z, accdb, backup, cd, cdr, dbf, doc, docx, dwg, jpeg, jpg, mdb, odr, pdf, psd, rar, rtf, sqlite, tiff, txt, xlsx, xls, zip, dt, ert, pst, mdf, ldf

The files that are encrypted are then renamed in the following format:


Figure 3: In some directories, an encrypted file is created alongside a folder named .corrupt

This folder contains the files that the ransomware didn’t fully encrypt. In addition, a file named DECRYPTKEY is created under the path C:\exportKey. This file contains the generated AES key, wrapped with the RSA public key that is used in the encryption process.


Figure 4: Hardcoded RSA public key. This public key is embedded in the binary and used in the encryption process.

RSA Public Key value:

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAJ/pgAk5IFg+97WOlgPOr7D77xhWgBMj9gKL9EplpCT6XZl+hRCDSqtit+TN6g5r+p3lUuNNO8cSdDBeeUNcx+j69KDGixTEM5lcxMGokY5WK/krZAG+TwDXCLiTy26j/s5bJrb0e9x9q9STdhdpXZgV7xXqyxpmM1xVaYN2Oo2RfAgMBAAE=
-----END RSA PUBLIC KEY-----

Encryption Begins:

  • Encrypts 16 bytes at a time.
  • The ransomware performs at most 0x32 (50) encryption iterations.
  • On the last iteration, 32 bytes are encrypted, but only 16 bytes are written to the file.


Furthermore, the encryption process calls the rand function and uses the returned random number to decide how many bytes are written to the file. Since a partially written cipher block cannot be decrypted, this means that some files can’t be decrypted.


Figure 5: The encryption process fills the affected system drive completely.

The CryFile ransomware creates a file called Fill0 under the path C:\fill and fills it with data until the drive is almost full.


Figure 6: The C: volume after execution of this ransomware, showing that it has been filled


Figure 7: The huge file C:\fill\fill0 and its size
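A triage helper, added here and not part of the post or of enSilo's tooling: it walks a directory tree looking for the on-disk artifacts described above (the .corrupt folders, C:\exportKey\DECRYPTKEY and C:\fill\Fill0) and flags a volume that is almost full. The tree it scans is constructed for the demonstration, and the 2% free-space threshold is an assumption.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Artifact names from the post, compared case-insensitively (NTFS is case-insensitive).
CORRUPT_DIR = ".corrupt"                 # holds files the ransomware did not fully encrypt
KEY_FILE = ("exportkey", "decryptkey")   # C:\exportKey\DECRYPTKEY: the wrapped AES key
FILL_FILE = ("fill", "fill0")            # C:\fill\Fill0: grown until the volume is full

def scan_for_cryfile_artifacts(root, low_free_ratio=0.02):
    """Walk `root` and return (kind, detail) tuples for each CryFile artifact found."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        parent = here.name.lower()
        for d in dirnames:
            if d.lower() == CORRUPT_DIR:
                leftovers = len(os.listdir(here / d))
                findings.append(("corrupt_dir", f"{here / d} ({leftovers} files)"))
        for f in filenames:
            if (parent, f.lower()) == KEY_FILE:
                findings.append(("wrapped_key", str(here / f)))
            elif (parent, f.lower()) == FILL_FILE:
                size = (here / f).stat().st_size
                findings.append(("fill_file", f"{here / f} ({size} bytes)"))
    # The fill behaviour leaves the volume almost full; the 2% threshold is an assumption.
    usage = shutil.disk_usage(root)
    if usage.free / usage.total < low_free_ratio:
        findings.append(("volume_nearly_full", f"{usage.free} of {usage.total} bytes free"))
    return findings

def build_constructed_sample(root):
    """Create a constructed tree that mimics the artifacts described in the post."""
    root = Path(root)
    (root / "exportKey").mkdir()
    (root / "exportKey" / "DECRYPTKEY").write_bytes(b"\x00" * 128)  # placeholder, not key material
    (root / "fill").mkdir()
    (root / "fill" / "Fill0").write_bytes(b"\xff" * 4096)           # stand-in for the huge fill file
    docs = root / "Users" / "victim" / "Documents"
    (docs / ".corrupt").mkdir(parents=True)
    (docs / ".corrupt" / "report.docx").write_bytes(b"partially encrypted leftovers")
    (docs / "notes.txt").write_bytes(b"untouched")

def demo():
    """Build the sample in a temp dir, scan it, and return the sorted artifact kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return sorted(kind for kind, _ in scan_for_cryfile_artifacts(tmp))
```

Pointed at a real mount instead of the constructed tree, the same function reports the paths and sizes it finds, which is enough to confirm or rule out this variant during triage.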

enSilo Post-Infection Platform in Action

The CryFile ransomware sample was executed in a controlled environment protected by the enSilo platform.


Figure 8: enSilo detected and blocked the CryFile ransomware activity and stopped the file encryption

The enSilo file encryptor rule detected that a binary file named crss.exe (the CryFile ransomware) attempted to encrypt a file called ReadMe.txt on the affected system. The enSilo post-infection platform blocked CryFile’s encryption process on the affected system in real time, and not a single file was encrypted.


This blog post showed that traditional AV vendors respond fast once a threat is detected in the wild: in this case, around 48 hours after the initial detection, many vendors had already identified this sample as malicious. However, in order to block 0-day threats in real time, post-infection protection technologies are required.

Endpoint protection is what enSilo does.
