Breach Monitoring News Feed
Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.
CryLock is a ransomware variant that emerged around April 2020, evolving from the Cryakl (Fantomas) ransomware family. It follows a semi-affiliate model, offering customizable options for partners—such as variable encryption routines, network scanning for lateral movement, shadow copy deletion, and process termination—and flexible delivery methods. During encryption, CryLock renames files to include the developer email, a unique victim ID, and a randomized three-letter extension. Victims typically encounter a countdown timer in a pop-up ransom message that warns about escalating ransom costs and potential loss of decryption capabilities.
Crynox (sometimes referred to as “Crynox Ransomware”) appears to be a generic file-locker threat that appends .crynox to encrypted files and drops a ransom note (read_it.txt) instructing victims to contact crynoxWARE@proton.me. It seems to use RSA-4096 and AES for encryption and may change desktop wallpaper, but there's no evidence of double-extortion or leak site operation. Distribution methods cited include phishing, pirated software, and malicious websites.
.crYpt (MD5: 54EFAC23D7B524D56BEDBCE887E11849) is a Babuk variant.
CryptedPay is a standalone ransomware strain observed around early 2025 that encrypts files using AES-256 and appends the .CRYPTEDPAY extension. Victims receive a ransom note (README.txt), have their desktop wallpaper changed, and are instructed to pay approximately $280 in Monero (XMR). The ransomware imposes a 62-hour deadline, threatening permanent file loss if payment is not made.
CryptNet is a newer Ransomware-as-a-Service (RaaS) operation first identified in April 2023. It follows a double-extortion model, performing data exfiltration before encrypting files. Written in .NET and obfuscated with .NET Reactor, CryptNet utilizes AES-256 (CBC) and RSA-2048 encryption. Its codebase shares strong similarities with Chaos and Yashma ransomware families.
Crypto24 (aka Public Data Storage) emerged in early 2025 as a fast-growing double-extortion ransomware-as-a-service (RaaS) group. It targets organizations across industries such as financial services, healthcare, logistics, and technology, with notable victims in Malaysia, Colombia, Egypt, and India. The group executes rapid infiltration—often leveraging stolen credentials—encrypts files (appending the .crypto24 extension), and exfiltrates significant volumes of data (e.g., 2 TB from Vietnam’s CMC Group). Affiliate-oriented operations are indicated by their presence on RAMP forums, suggesting professional recruitment, and the group offers free decryption of small file samples to entice victims into paying.
CryptXXX is a ransomware strain that first appeared in April 2016, developed by the same group behind the Reveton and Angler Exploit Kit operations. It uses a single-extortion model, encrypting victim files with RSA-4096 and AES-256, appending the .crypt or .crypt1 extensions in early versions, with later variants using other extensions. Distribution was largely via the Angler and Neutrino exploit kits targeting unpatched browsers and plugins, as well as malicious email attachments. CryptXXX also included credential theft capabilities, harvesting from browsers and FTP clients, and in some variants a file-stealing module. Notable campaigns affected victims globally, with a strong concentration in North America and Europe. Operations were disrupted in mid-2016 when security researchers from Kaspersky Lab released decryption tools, forcing the group to release updated, harder-to-crack versions.
Crysis ransomware was first identified in early 2016 and is a long-running family that later evolved into the Dharma ransomware line. It follows a Ransomware-as-a-Service (RaaS) model, allowing affiliates to customize email addresses, extensions, and ransom notes. Crysis primarily spreads via malicious email attachments, remote desktop protocol (RDP) brute-force attacks, and software cracks. It uses strong hybrid encryption—AES for file content and RSA for key protection—and appends various extensions such as .crySis, .wallet, or attacker-specified tags. It also deletes shadow copies to hinder recovery. Over the years, it has targeted businesses and individuals worldwide, with notable prevalence in healthcare, manufacturing, and professional services sectors. In 2017, law enforcement released master decryption keys through the NoMoreRansom project, enabling recovery for earlier versions, though newer builds remain active in the wild.
Cs-137 is a newly observed ransomware strain that first appeared in January 2025. It employs the ChaCha20 cipher for encryption and obfuscates filenames with a random 10-character alphanumeric identifier while preserving the original file extension. In its current testing phase, it drops a ransom note with a randomized filename (e.g. ABCDEF-README.txt) and sets a randomly named image file as the desktop wallpaper. The note references a Tor-based extortion portal, though access is not yet active, indicating the operation’s early development stage. The strategy suggests single-extortion behavior, focused on disrupting access rather than data theft or leak threats.
CTB-Locker (aka Critroni) emerged in mid-2014, introducing a new era of ransomware by leveraging elliptic curve cryptography (ECC), Tor-based C&C communication, and Bitcoin payments, earning its name from “Curve-Tor-Bitcoin Locker.” It was packaged and sold as a ransomware kit for approximately $1,500–$3,000, allowing affiliates to deploy customized campaigns. The malware encrypts user data (including network and removable drives), changes desktop wallpapers, and appends file extensions like .CTBL, .CTB2, or randomized strings. Victims receive instructions for payment, typically within a limited timeframe, or risk permanent data loss. In 2015–2017, law enforcement and cybersecurity firms (including McAfee and Kaspersky) disrupted the network, arrested operators, and facilitated decryption tools.