Ransomware strains that targeted the CIS for 2021

Ransomware CIS 2021 BigBobRoss CryptConsole Cryakl Phobos CrySIS

This year has been challenging for businesses, especially with the pandemic outbreak. Several threat actors have taken advantage of executing cyberattacks against organizations worldwide, ransomware being the most common type. System of government such as the Commonwealth of Independent States (CIS) also failed to avoid such unfortunate occurrences of attacks for this year.  


Businesses that operate inside the CIS have been the targets of non-prevalent ransomware threat groups. 


Described below is the overview of five ransomware strains that targeted organizations within the CIS for this year, 2021. 


The BigBobRoss

The BigBobRoss malware began its activities in 2018 and still is active as of today. It is mainly distributed via cracking of Remote Desktop Protocol or RDP passwords. This ransomware will show the operator technical information upon being launched and the key for subsequent file decryption. 

Once encrypted, the folders’ contents will contain the email addresses of cybercriminals, and the IDs of the victims will be shown at the beginning of each file. The original name, extension, and the extension added by the ransomware will also follow. There will also be notes added to each folder that contains the details of the threat actor. 

The program used for encryption will be the AES symmetric algorithm with a 128-bit key in ECB mode from the CryptoPP cryptographic library. 


The CrySIS aka Dharma

CrySIS ransomware began in 2016 and remains active today. It is distributed via a Ransomware-as-a-Service (RaaS) affiliate program and is written in /C ++ while compiled in MS Visual Studio. 

With the use of the AES-256 algorithm in CBC mode, this malware can encrypt files. Once launched, it can produce a 256-bit AES key encrypted using the RSA-1024 algorithm, along with the threat actor’s public key enclosed in the Trojan’s body. Each file will be encrypted with the mentioned AES key and a newly generated 128-bit initialization vector (IV). 

CrySIS’s usual mode of attack is through an unauthorized RDP access wherein credentials are cracked via brute force and then remotely connected to the victim’s device. The Trojan will then be operated manually. 


The Phobos

Being around since 2017, the Phobos ransomware could be similar to CrySIS ransomware in some ways. This ransomware is also disseminated via a RaaS affiliate program, and its usual attack mode is through unauthorized RDP access. 

Like CrySIS, this ransomware is also written in C/C++ and collected in MS Visual Studio. The AES-256-CBC algorithm is applied for file encryption, while the RSA-1024 public key in the malware’s body is used to encrypt the AES key. 


The Cryakl

This ransomware’s first version was found in April 2014, making it the oldest ransomware in this overview. The Cryakl ransomware is also distributed via an affiliate program and uses RDP as its most common attack mode. It supports a graphical interface, and the threat actor manually configures the settings through the program window. This ransomware is written in Delphi and uses a custom symmetric cipher to encrypt the victim’s files while uses the RSA algorithm in encrypting the key. 


The CryptConsole

The CyrptConsole Ransomware is reported to still be active until today. This ransomware is written in C# and employs .NET libraries for encryption. Like the other ransomware in this overview, cracking the RDP password is how this ransomware is distributed. Two key and IV pairs are generated for this ransomware’s encryption written to a text file.  

The threat actor will run the ransomware after gaining access to the RDP. They will then save the file for themselves and will delete it from the victim’s computer. With the use of symmetric AES algorithm, the encryption of the ransomware will be performed.  



Many threats that exist in the CIS are reported to still be active in development. Some have shut down only to reappear with an enhanced way of attacking. 

The most common vector of malware distributions against the CIS is through penetrating the RDP of the victims’ network. Security researchers advise affected victims to create strong password combinations for domain accounts and regularly modify these passwords. Blocking the RDP access from the internet is also highly recommended. And in connecting to corporate networks, using VPN is a good technique. 

About the author


Leave a Reply