What is CryptON ransomware? New campaign sees hackers exploiting Remote Desktop Services

In late 2017, MalwareHunterTeam discovered a new strain of ransomware dubbed CryptOn that relied on a malware dropper to gain foothold on a targeted system and demanded between 0.2 to 2 Bitcoin in ransom payments to unlock encrypted files. Now, researchers have uncovered a new campaign for the straightforward ransomware in which attackers are targeting Remote Desktop Services.

First discovered by Malwarebytes security researcher S!Ri, the new CryptOn campaign exploits the internet-accessible Remote Desktop Services to infiltrate the targeted computer and manually drop the ransomware. CryptOn encrypts a victim's files and appends them with the .ransomed@india.com extension. Each folder also includes a ransom note named HOWTODECRYPTFILES.html offering the victim details on what happened to their files and how to connect to a TOR site and receive payment instructions to restore their data.

Bleeping Computer reports there has already been a significant uptick in reported Crypton ransomware infections in May, as per their support request forums and ID-Ransomware.

However, there is currently no way for CryptON victims to decrypt their files for free. There is also no decryptor for the newer variant either. Victims will have to depend on their own backups or Shadow Volume Copies, if CryptON happened to fail to do remove them when encrypting files.