{
	"id": "603bb950-b552-4447-99a8-512e9e580881",
	"created_at": "2026-04-06T00:09:12.797093Z",
	"updated_at": "2026-04-10T13:12:59.176465Z",
	"deleted_at": null,
	"sha1_hash": "8b239a6686cf61170442a33d619a8348a78462e1",
	"title": "New Arena Crysis Ransomware Variant Released",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 791761,
	"plain_text": "New Arena Crysis Ransomware Variant Released\r\nBy Lawrence Abrams\r\nPublished: 2017-08-25 · Archived: 2026-04-05 21:04:21 UTC\r\nYesterday, ID-Ransomware's Michael Gillespie discovered a new variant of the Crysis/Dharma ransomware that is\r\nappending the .arena extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past\r\nCrysis was typically spread by hacking into Remote Desktop Services and manually installing the ransomware.\r\nWhen this ransomware is installed, it will scan the computer for certain file types and encrypt them. When encrypting a file\r\nit will append an extension in the format of .id-[id].[email].arena. For example, a file called test.jpg would be encrypted and\r\nrenamed to test.jpg.id-BCBEF350.[chivas@aolonline.top].arena.\r\nIt should be noted that this ransomware will encrypt mapped network drives and unmapped network shares. So it is\r\nimportant to make sure your network's shares are locked down so that only those who actually need access have permission.\r\nYou can see an example of an encrypted folder below.\r\nhttps://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nFiles encrypted with the Crysis Arena Ransomware Variant\r\nWhile encrypting a computer it will also remove all of the shadow volume copies so that you cannot use them to restore\r\nyour files. It deletes them by running the vssadmin  delete shadows /all /quiet command.\r\nThe Arena Crysis variant will also create two ransom notes. One is the info.hta file, which is launched by an autorun.\r\nCrysis Arena Ransom Note\r\nThe other note is called FILES ENCRYPTED.txt.\r\nFILES Encrypted Ransom Note\r\nBoth of these ransom notes contain instructions to contact chivas@aolonline.top in order to get payment instructions.\r\nhttps://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/\r\nPage 3 of 5\n\nFinally, the ransomware will configure itself to automatically start when you login to Windows. This allows it to encrypt\r\nnew files that are created since it was last executed.\r\nIt is not possible to decrypt the Crysis Arena Ransomware Variant\r\nUnfortunately, at this time it is not possible to decrypt .arena files encrypted by the Crysis Ransomware for free.\r\nThe only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies.\r\nThough Crysis does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for\r\nwhatever reason. Due to this, if you do not have a viable backup, I always suggest people try as a last resort to restore\r\nencrypted files from Shadow Volume Copies as well.\r\nFor those who wish to discuss the Crysis ransomware or need support, you can use our dedicated Crysis Ransomware Help\r\n\u0026 Support Topic.\r\nHow to protect yourself from the Crysis Ransomware\r\nIn order to protect yourself from Crysis, or from any ransomware, it is important that you use good computing habits and\r\nsecurity software. First and foremost, you should always have a reliable and tested backup of your data that can be restored\r\nin the case of an emergency, such as a ransomware attack.\r\nYou should also have security software that contains behavioral detections such as Emsisoft Anti-Malware or Malwarebytes.\r\nLast, but not least, make sure you practice the following good online security habits, which in many cases are the most\r\nimportant steps of all:\r\nBackup, Backup, Backup!\r\nDo not open attachments if you do not know who sent them.\r\nDo not open attachments until you confirm that the person actually sent you them,\r\nScan attachments with tools like VirusTotal.\r\nMake sure all Windows updates are installed as soon as they come out! Also make sure you update all programs,\r\nespecially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly\r\nexploited by malware distributors. Therefore it is important to keep them updated.\r\nMake sure you use have some sort of security software installed.\r\nUse hard passwords and never reuse the same password at multiple sites.\r\nIf you are using Remote Desktop Services, do not connect it directly to the Internet. Instead make it accessibly only\r\nvia a VPN.\r\nFor a complete guide on ransomware protection, you visit our How to Protect and Harden a Computer against\r\nRansomware article.\r\n \r\nIOCs\r\nHash:\r\nARENA SHA256: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e\r\nArena Crysis Ransomware FILES ENCRYPTED.TXT Ransom Note:\r\nall your data has been locked us\r\nYou want to return?\r\nwrite email chivas@aolonline.top\r\nArena Crysis Ransomware INFO.hta Ransom Note:\r\nhttps://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/\r\nPage 4 of 5\n\nAll your files have been encrypted!\r\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-Write this ID in the title of your message [id]\r\nIn case of no answer in 24 hours write us to theese e-mails:chivas@aolonline.top\r\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you\r\nFree decryption as guarantee\r\nBefore paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archi\r\nHow to obtain Bitcoins\r\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller b\r\nhttps://localbitcoins.com/buy_bitcoins\r\nAlso you can find other places to buy Bitcoins and beginners guide here:\r\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\r\nAttention!\r\nDo not rename encrypted files.\r\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\r\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can b\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/\r\nhttps://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/"
	],
	"report_names": [
		"new-arena-crysis-ransomware-variant-released"
	],
	"threat_actors": [],
	"ts_created_at": 1775434152,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b239a6686cf61170442a33d619a8348a78462e1.pdf",
		"text": "https://archive.orkl.eu/8b239a6686cf61170442a33d619a8348a78462e1.txt",
		"img": "https://archive.orkl.eu/8b239a6686cf61170442a33d619a8348a78462e1.jpg"
	}
}