{
	"id": "dad9e83c-a902-4739-9270-1e0008e8afbb",
	"created_at": "2026-04-06T01:31:55.610024Z",
	"updated_at": "2026-04-10T03:20:36.577377Z",
	"deleted_at": null,
	"sha1_hash": "8fd346032379b9f4863a55c841ab80735abbdbe7",
	"title": "Look for a fix, get malware instead: examining the Cyrat ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34877,
	"plain_text": "Look for a fix, get malware instead: examining the Cyrat ransomware\r\nBy Karsten Hahn\r\nPublished: 2021-06-22 · Archived: 2026-04-06 00:55:50 UTC\r\nEncryption\r\nCyrat ransomware uses Fernet to encrypt files. This is a symmetric encryption method meant for small data files that fit into RAM. While Fernet is not unusual in itself, it is not common for ransomware and in this case is even problematic: this ransomware encrypts whole files regardless of how big they are, whereas Fernet is unsuitable for big files.\r\nA public RSA key is used to encrypt the Fernet key. This public key is downloaded from Mediafire instead of being shipped with the ransomware, which adds another dependency. The encrypted Fernet key is saved in Desktop\\EMAIL_US.txt. A user with an infected system is required to send this file to the criminals.\r\nCyrat appends .CYRAT to encrypted files. It has a list of folders that it checks for target files. Those folders are 'Desktop', 'Downloads', 'Pictures', 'Music', 'Videos', and 'Documents'.\r\nIt targets files with the following extensions: 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'boop', 'pst', 'ost', 'msg', 'eml', 'vsd', 'vsdx', 'txt', 'csv', 'rtf', '123', 'wks', 'wk1', 'pdf', 'dwg', 'onetoc2', 'snt', 'jpeg', 'jpg', 'docb', 'docm', 'dot', 'dotm', 'dotx', 'xlsm', 'xlsb', 'xlw', 'xlt', 'xlm', 'xlc', 'xltx', 'xltm', 'pptm', 'pot', 'pps', 'ppsm', 'ppsx', 'ppam', 'potx', 'potm', 'edb', 'hwp', '602', 'sxi', 'sti', 'sldx', 'sldm', 'sldm', 'vdi', 'vmdk', 'vmx', 'gpg', 'aes', 'PAQ', 'bz2', 'tbk', 'bak', 'tar', 'tgz', 'gz', '7z', 'rar', 'zip', 'backup', 'iso', 'vcd', 'bmp', 'png', 'gif', 'raw', 'tif', 'tiff', 'nef', 'psd', 'ai', 'svg', 'djvu', 'm4u', 'm3u', 'mid', 'wma', 'flv', '3g2', 'asf', 'mpeg', 'vob', 'mpg', 'swf', 'wav', 'mp3', 'sh', 'class', 'jar', 'java', 'rb', 'asp', 'php', 'jsp', 'brd', 'dch', 'dip', 'pl', 'vb', 'vbs', 'ps1', 'bat', 'cmd', 'asm', 'h', 'pas', 'c', 'cs', 'suo', 'sln', 'ldf', 'mdf', 'ibd', 'myi', 'myd', 'frm', 'odb', 'dbf', 'db', 'mdb', 'accdb', 'sql', 'sqlitedb', 'sqlite3', 'lay6', 'lay', 'mml', 'sxm', 'otg', 'odg', 'uop', 'std', 'sxd', 'otp', 'odp', 'wb2', 'slk', 'dif', 'stc', 'sxc', 'ots', 'ods', '3dm', 'max', '3ds', 'uot', 'stw', 'sxw', 'ott', 'odt', 'p12', 'csr', 'key', 'pfx', 'der', 'deb', 'mpeg', 'WEBM', 'MPG', 'MP2', 'MPEG', 'MPE', 'MPV', 'OGG', '3gp', 'mp3', 'json', 'css', 'html', 'py', 'exe', 'MP2', 'MPEG', 'MPE', 'MPV', 'OGG', '3gp', 'mp3'\r\nThe ransomware lists a few more extensions with a dot in them, which is a bug: '.ARC', '.cpp', '.cgm', '.js', '.fla', '.asc', '.crt', '.sch'. These extensions will never be matched by Cyrat because the file path is stripped of dots before it is compared with the target extension.\r\nA ransom note named RANSOME_NOTE.txt is placed in every target folder. Furthermore, a ransomware stock photo is downloaded from images.idgesg.net to Documents\\background_img.png and set as wallpaper. The wallpaper does not contain any ransom message; in this state the stock photo's only purpose is to draw the user's attention.\r\nhttps://www.gdatasoftware.com/blog/cyrat-ransomware\r\nPage 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/cyrat-ransomware"
	],
	"report_names": [
		"cyrat-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439115,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fd346032379b9f4863a55c841ab80735abbdbe7.pdf",
		"text": "https://archive.orkl.eu/8fd346032379b9f4863a55c841ab80735abbdbe7.txt",
		"img": "https://archive.orkl.eu/8fd346032379b9f4863a55c841ab80735abbdbe7.jpg"
	}
}