{
	"id": "bd6804ba-13d2-4d3e-a1d3-1d836cbff5a0",
	"created_at": "2026-04-06T00:20:54.807445Z",
	"updated_at": "2026-04-10T03:20:24.812134Z",
	"deleted_at": null,
	"sha1_hash": "3bdf974e29fa033c099951915d1c0681a9cc6420",
	"title": "The return of Fantomas, or how we deciphered Cryakl",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1463326,
	"plain_text": "The return of Fantomas, or how we deciphered Cryakl\r\nBy Kaspersky\r\nPublished: 2018-07-17 · Archived: 2026-04-05 22:19:45 UTC\r\nIn early February this year, Belgian police seized the C\u0026C servers of the infamous Cryakl cryptor. Soon\r\nafterwards, they handed over the private keys to our experts, who used them to update the free RakhniDecryptor\r\ntool for recovering files encrypted by the malware. The ransomware, which for years had raged across Russia (and\r\nelsewhere through partners), was finally stopped.\r\nFor Kaspersky Lab, this victory was the culmination of more than three years of monitoring Cryakl and studying\r\nits various modifications — a major effort that eventually defeated the cybercriminals. This story clearly\r\nillustrates how cooperation can, in the end, get the better of any crooked scheme.\r\nThis spring marked the fourth anniversary of the malware’s first attacks. Against the backdrop of a general decline\r\nin ransomware activity (see our report), we decided to return to the topic of Cryakl and describe in detail how\r\none of the most eye-catching members of this endangered species evolved.\r\nPropagation methods\r\nWe first encountered Cryakl (without knowing what it was exactly) in the spring of 2014. The malware had just\r\nbegun to spread actively, mainly through spam mailings. Initially, attachments with the malware were found in\r\nemails allegedly from the Supreme Arbitration Court of the Russian Federation in connection with various\r\noffenses. 
But it wasn’t long before messages started arriving from other organizations too, in particular\r\nhomeowner associations.\r\nA typical malicious email contained an attachment of one of the following types:\r\nOffice document with a malicious macro\r\nJS script loading a Trojan\r\nPDF document with a link to an executable\r\nIt was around this time that the malware acquired its nickname: after encrypting files on the user’s hard drive, one\r\nof the Cryakl variants (Trojan-Ransom.Win32.Cryakl.bo) changed the desktop wallpaper to a picture of Fantomas,\r\nthe villain from the 1964 French film of the same name.\r\nhttps://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/\r\nPage 1 of 8\n\nLater, in 2016, we discovered an interesting modification of the ransomware with a rather cunning mode of\r\ndistribution. Today, an attack using specialized third-party software would raise few eyebrows, but it was not par\r\nfor the course in 2016, when Fantomas was distributed as a script for a popular Russian accounting program and a\r\nbusiness process management tool. The approach was indeed sneaky: employees were sent a message with a\r\nrequest to “update the bank classifier,” whereupon they opened the attached executable file.\r\nNeither was the attack vector surprising, since Cryakl mainly targeted users in Russia and most of the ransom\r\ndemands were written in Russian. However, further research showed that the cybercriminals who distributed\r\nFantomas did not limit themselves to the Russian market.\r\nIn 2016, we observed the growing complexity and variety of ransomware cryptors, including the emergence of\r\nready-made solutions such as Ransomware-as-a-Service (RaaS) for those lacking skills, resources, or time to\r\ncreate their own. 
Such services were circulated through an expanding and increasingly influential underground\r\necosystem.\r\nThis was the business model chosen by Cryakl’s creators: “partners” were invited to purchase the build of the\r\nmalware to attack users in other regions, allowing its authors to monetize the product for a second time.\r\nStatistics\r\nIn expanding its infrastructure, Cryakl also widened its attack geography. From the first infection until today, more\r\nthan 50,000 people in Russia—plus thousands more in Japan, Italy, and Germany — suffered at the evil hands of\r\nFantomas.\r\nGeographic distribution of users attacked by Cryakl\r\nData on Cryakl activity over the years shows that the first signs of life appeared in 2014.\r\nNumber of unique users on whose computers Cryakl was detected, 2014-2018\r\nAt around the time when the RaaS distribution model was deployed, Fantomas was on the rampage, increasing its\r\nattacks more than sixfold.\r\nDistinguishing features\r\nDespite the number and variety of modifications, the use of “partners,” and its long history, the malware cannot be\r\nsaid to have undergone any significant changes — the differences between the various versions were slight. This\r\nmakes it possible to identify the main features of Fantomas.\r\nCryakl is written in Delphi, but very amateurishly. This immediately jumped out when we took a look at one of\r\nthe first versions. The file operations were extremely inefficient, and the encryption algorithm was elementary and\r\nnot secure. We even thought we were dealing with a test build (especially since the internal version was\r\n
The overall impression was that Cryakl’s authors were not the most experienced virus writers.\r\nRecall that it all started with mailings about military conscription.\r\nThe first detected version of the malware did not change the names of the encrypted files, but placed a text\r\nstructure at the end of each file with the MD5 of the header, the MD5 of the file itself, its original size, offsets, and\r\nthe sizes of a few encrypted snippets. It ended with the tag {CRYPTENDBLACKDC}, required to distinguish\r\nencrypted files from unencrypted ones.\r\nThrough continued observations over the following months, we regularly discovered ever newer versions of\r\nCryakl: 1.0.0.0, 2.x.0.0, 3.x.0.0, …, 8.0.0.0. Different versions increasingly modified the encryption algorithm as\r\nwell as the file naming scheme (extensions of the type id-{….08.2014 16@02@275587800}-\r\nemail-mserbinov@aol.com-ver-4.0.0.0.cbf started to appear). The text structure at the end of the file changed multiple times, and\r\nnew encryption and decryption data as well as various service information were added to it.\r\nAfter that, we found the Cryakl version CL 0.0.0.0 (not to be confused with 0.0.0.0), which had notable changes\r\nfrom previous modifications: besides encrypting parts of the file with a “homebrew” symmetric algorithm, for\r\nunknown reasons the Trojan now encrypted other parts with the RSA algorithm. Another marked change was the\r\nsending of key data used in the encryption to the attackers’ C\u0026C servers. The structure at the end of the encrypted\r\nfile was framed with new tags ({ENCRYPTSTART}, {ENCRYPTENDED}), required to identify the encrypted\r\nfiles.\r\nImage from one of the Cryakl CL 0.0.1.0 modifications\r\nIn version CL 1.0.0.0, the Trojan stopped sending keys via the Internet. 
Instead, data required for decryption was\r\nnow encrypted with RSA and placed in the structure at the end of the file.\r\nNothing changed fundamentally in the subsequent versions CL 1.1.0.0 – CL 1.2.0.0, only the size of the RSA keys\r\nincreased. This strengthened the encryption, but did not change the situation radically.\r\nImage from one of the Cryakl CL 1.2.0.0 modifications\r\nStarting with version CL 1.3.0.0, the Trojan (again for unknown reasons) stopped encrypting file regions with\r\nRSA. The algorithm was used only to encrypt keys, while file contents were processed by the slightly modified\r\n“homebrew” symmetric algorithm.\r\nImage from one of the Cryakl CL 1.2.0.0 modifications\r\nIn all versions of the malware, the cybercriminals left various email addresses for communication purposes. These\r\naddresses are contained in the names of encrypted files (for example, email-eugene_danilov@yahoo.com.ver-CL\r\n1.3.1.0.id-….randomname-FFIMEFJCNGATTMVPFKEXCVPICLUDXG.JGZ.lfl) and in the image set by the\r\nTrojan as the desktop wallpaper. Victims received reply emails containing a ransom sum in Bitcoin and a\r\ncryptocurrency wallet address to make the payment.\r\nOn receiving the funds, the cybercriminals sent the victim a decryptor tool and a key file.\r\nThe terms of payment varied: for example, the above-mentioned Trojan-Ransom.Win32.Cryakl.bo set a deadline\r\nof 48 hours. Moreover, the cybercriminals did not immediately say how much they wanted in return for their\r\n“help,” specifying the cost of the decryptor only in their reply emails. It cannot be ruled out that the sum depended on\r\nthe number and quality of encrypted files. For example, in one case of infection, the cybercriminals demanded\r\n$1000. 
Before doing so, according to victims, they connected to the infected computer and deleted all backup\r\ncopies on it.\r\nFantomas is slain\r\nThe problem with Cryakl was that its newest versions employed asymmetric RSA encryption. The malware body\r\ncontained public keys used to encrypt user data. Without knowledge of the corresponding private keys, we could\r\nnot develop a decryption tool. The keys seized and handed over by the Belgian police enabled us to decipher\r\nseveral versions of the ransomware.\r\nFragment of the private RSA keys\r\nThe keys made it possible to reengineer the RakhniDecryptor tool to decrypt files encrypted with the following\r\nversions of Cryakl (Trojan version: cybercriminals’ email addresses):\r\nCL 1.0.0.0: cryptolocker@aol.com, iizomer@aol.com, seven_Legion2@aol.com, oduvansh@aol.com, ivanivanov34@aol.com, trojanencoder@aol.com, load180@aol.com, moshiax@aol.com, vpupkin3@aol.com, watnik91@aol.com\r\nCL 1.0.0.0.u: cryptolocker@aol.com_graf1, cryptolocker@aol.com_mod, byaki_buki@aol.com_mod2\r\nCL 1.2.0.0: oduvansh@aol.com, cryptolocker@aol.com\r\nCL 1.3.0.0: cryptolocker@aol.com\r\nCL 1.3.1.0: byaki_buki@aol.com, byaki_buki@aol.com_grafdrkula@gmail.com, vpupkin3@aol.com\r\nSource: https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/"
	],
	"report_names": [
		"86511"
	],
	"threat_actors": [],
	"ts_created_at": 1775434854,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3bdf974e29fa033c099951915d1c0681a9cc6420.pdf",
		"text": "https://archive.orkl.eu/3bdf974e29fa033c099951915d1c0681a9cc6420.txt",
		"img": "https://archive.orkl.eu/3bdf974e29fa033c099951915d1c0681a9cc6420.jpg"
	}
}