Cry Tekk, Ransomware + Phishing Alert

A new ransomware variant dubbed Cry Tekk uses a phishing tactic in its ransom note, which allows victims to bypass bitcoin payment and pay the $40 ransom via a “Buy Now” option. The “Buy Now” option appears in a PayPal window; when users click it, they are taken to a purported PayPal dialog, which is actually a phishing page designed to steal payment information, as follows:

Screenshot of a spoofed PayPal dialog requesting a credit card confirmation “for more security”

Image courtesy of MalwareHunterTeam

Further, the next dialog requests the victim’s personally identifiable information (PII) as a PayPal confirmation as follows:

Screenshot of a spoofed PayPal dialog requesting a confirmation of personal information including name, DOB, address and phone number

Image courtesy of MalwareHunterTeam

Finally, the victim receives a fake confirmation stating that their PayPal account has been fully restored, although no PayPal account restoration was ever at issue. At this point, the malicious actors have stolen both payment card data and PII, and the victim is directed to the legitimate PayPal login page, where s/he can pay the requested ransom.

Few details are available at this time about how Cry Tekk ransomware is delivered, but please be alert to this “threat within a threat” scheme: victims anxious to receive a decryption key may fail to scrutinize the payment options and the URLs of the payment pages, to their own detriment.

Please be reminded of the following:

  • Ransom payment does not guarantee the receipt of a decryption key.
  • The appearance of a ransom message on your device does not necessarily mean you’ve been infected with ransomware. The message may be a lie in an attempt to extort payment. The telltale sign of ransomware is encryption of files and replacement of file extensions.
  • If you suspect your device has been infected with ransomware (e.g., you notice that the file extensions of some of your documents have changed), immediately disconnect it from the network and from any other connected systems, including cloud accounts and mounted storage such as flash drives.
  • Alert your local IT Admin and the NYU IT Service Desk of the issue.
  • The best way to recover from ransomware is via a wipe of the device at issue and a restoration from back-ups. Before restoring from back-ups, confirm that ransomware did not spread to any mounted devices or connected systems.

Resources: