A new CrypBoss ransomware variant called UmbreCrypt has been released. This ransomware family encrypts a victim's data with AES encryption and then requires them to email the developers for payment instructions. At this time there is no way to decrypt these files for free, but Fabian Wosar of Emsisoft is looking into modifying his current CrypBoss decrypter to work with this variant.

I have been told by numerous victims that they feel UmbreCrypt was manually installed through hacked terminal services or remote desktop. If you are infected with this ransomware, it is advised that you check your Windows event logs for failed login attempts to try and determine the account that was compromised.

Update 2/10/16 11:25 AM EST: Previous variants of this ransomware, such as HydraCrypt, have been shown to be distributed via exploit kits. So it is not 100% certain that the distribution method is indeed hacked terminal services. Apologies for the unintentional clickbait. Still waiting to hear back from various victims to confirm.

The UmbreCrypt Encryption Process

When installed, UmbreCrypt will scan the C, D, E, F, G, and H drives on a computer for data files that match a particular extension. If it detects a targeted extension it will encrypt the file using AES encryption and append the umbrecrypt_ID_[victim_id] extension to the encrypted file. For example, the file Chrysanthemum.jpg would become Chrysanthemum.jpg.umbrecrypt_ID_abdag113.

The extensions targeted by UmbreCrypt are:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .unrec, .scan, .sum, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .m3u, .flv, .js, .css, .rb, .png, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .ppt, .xlk, .xls, .wps, .doc, .odb, .odc, .odm, .odp, .odt, .dx, .mrw, .nef, .tiff, .bd, .tar.gz, .mkv, .bmp, .dot, .xml, .pps, .dat, .ods, .qba, .qbw, .ini.$$$, .$db, .001, .002, .003, .113, .73b, .__a, .__b, .ab, .aba, .abbu, .abf, .abk, .acp, .acr, .adi, .aea, .afi, .arc, .as4, .asd, .ashbak, .asv, .asvx, .ate, .ati, .bac, .backup, .backupdb, .bak2, .bak3, .bakx, .bak~, .bbb, .bbz, .bck, .bckp, .bcm, .bdb, .bff, .bif, .bifx, .bk1, .bkc, .bkup, .bkz, .blend1, .blend2, .bm3, .bmk, .bpa, .bpb, .bpm, .bpn, .bps, .bup, .caa, .cbk, .cbs, .cbu, .ck9, .cmf, .crds, .csd, .csm, .da0, .dash, .dbk, .dim, .diy, .dna, .dov, .dpb, .dsb, .fbc, .fbf, .fbk, .fbu, .fbw, .fh, .fhf, .flka, .flkb, .fpsx, .ftmb, .ful, .fwbackup, .fza, .fzb, .gb1, .gb2, .gbp, .ghs, .ibk, .icbu, .icf, .inprogress, .ipd, .iv2i, .jbk, .jdc, .kb2, .lcb, .llx, .mbf, .mbk, .mbw, .mdinfo, .mem, .mig, .mpb, .mv_, .nb7, .nba, .nbak, .nbd, .nbf, .nbi, .nbk, .nbs, .nbu, .nco, .nda, .nfb, .nfc, .npf, .nps, .nrbak, .nrs, .nwbak, .obk, .oeb, .old, .onepkg, .ori, .orig, .oyx, .paq, .pba, .pbb, .pbd, .pbf, .pbj, .pbx5script, .pbxscript, .pdb, .pqb, .pqb-backup, .prv, .psa, .ptb, .pvc, .pvhd, .qbb, .qbk, .qbm, .qbmb, .qbmd, .qbx, .qic, .qsf, .qualsoftcode, .quicken2015backup, .quickenbackup, .qv~, .rbc, .rbf, .rbk, .rbs, .rdb, .rgmb, .rmbak, .rrr, .sav, .sbb, .sbs, .sbu, .sdc, .sim, .skb, .sme, .sn1, .sn2, .sna, .sns, .spf, .spg, .spi, .sps, .sqb, .srr, .stg, .sv$, .sv2i, .tbk, .tdb, .tibkp, .tig, .tis, .tlg, .tmp, .tmr, .trn, .ttbk, .uci, .v2i, .vbk, .vbm, .vbox-prev, .vpcbackup, .vrb, .wbb, .wbcat, .wbk, .win, .wjf, .wpb, .wspak, .xbk, .xlk, .yrcbck, .~cw

UmbreCrypt also uses a directory name whitelist: any file whose path contains one of the whitelisted directory names is skipped and not encrypted. The folders that are whitelisted are:

Windows, Program Files, PROGRAM FILES, Program Files (x86), PROGRAM FILES (x86), WINDOWS, ProgramData

In each folder where a file has been encrypted, UmbreCrypt will also create a ransom note named README_DECRYPT_UMBRE_ID_[victim_id].txt.
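The two naming conventions above (the appended umbrecrypt_ID_[victim_id] extension and the per-folder README_DECRYPT_UMBRE_ID_[victim_id].txt note) are enough to triage an affected machine from a plain file listing. The following Python helper is an added example, not code from the article or from the malware; it assumes the victim ID is alphanumeric and works on a constructed sample listing.

```python
import re
from pathlib import PureWindowsPath

# Naming patterns described in the write-up. The victim id is assumed to be
# alphanumeric (the article's example is "abdag113").
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.umbrecrypt_ID_(?P<vid>[A-Za-z0-9]+)$")
NOTE_RE = re.compile(r"^README_DECRYPT_UMBRE_ID_(?P<vid>[A-Za-z0-9]+)\.txt$")

def classify(path):
    """Return ("encrypted", original_name, victim_id), ("note", None, victim_id),
    or None when the file name matches neither UmbreCrypt pattern."""
    name = PureWindowsPath(path).name
    m = ENCRYPTED_RE.match(name)
    if m:
        return ("encrypted", m.group("orig"), m.group("vid"))
    m = NOTE_RE.match(name)
    if m:
        return ("note", None, m.group("vid"))
    return None

def triage(paths):
    """Summarise a listing: encrypted files (with recovered original names),
    ransom notes, victim ids seen, and folders that hold encrypted files but
    no note (the write-up says one note is dropped per affected folder)."""
    report = {"encrypted": [], "notes": [], "victim_ids": set()}
    folders_with_enc, folders_with_note = set(), set()
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        kind, orig, vid = hit
        report["victim_ids"].add(vid)
        folder = str(PureWindowsPath(p).parent)
        if kind == "encrypted":
            report["encrypted"].append((p, orig))
            folders_with_enc.add(folder)
        else:
            report["notes"].append(p)
            folders_with_note.add(folder)
    report["folders_missing_note"] = folders_with_enc - folders_with_note
    return report

# Constructed sample listing for demonstration; not from a real infection.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\Chrysanthemum.jpg.umbrecrypt_ID_abdag113",
    r"C:\Users\alice\Pictures\README_DECRYPT_UMBRE_ID_abdag113.txt",
    r"D:\Backups\finance.qbb.umbrecrypt_ID_abdag113",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Program Files\App\data.sql",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(key, value)
```

More than one victim id in the report, or a folder with encrypted files but no note, is worth a second look because it does not match the behaviour the article describes.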

When the program has finished encrypting the data it will display a ransom screen that provides information on what has happened to the victim's files. This information will also contain instructions that tell the victim they must send an email to the ransomware developers in order to receive payment information.

UmbreCrypt Ransom Screen

These instructions tell the victim to send their unique ID to umbredecrypt@engineer.com or umbrehelp@consultant.com and to wait for a "specialist" to get back to them with payment instructions.

At this time there is no way to recover the files for free, but we always suggest users try a program like ShadowExplorer to attempt to recover files via the Shadow Volume Copies. If a decrypter is released, we will be sure to post about it on the site.


Files related to UmbreCrypt:


Registry entries related to UmbreCrypt:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update	"[path_to_installer.exe]"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264	"%AppData%\ChromeSetings3264\wosybiny.exe"
HKCU\Software\Microsoft\Windows\ChromeRandomAdress3264	[random].exe
HKCU\Software\Microsoft\Windows\ChromeSettiings3264	[path_to_installer.exe]
HKCU\Software\Microsoft\Windows\ChromeStarts3264	[path_to_installer.exe]
HKCU\Software\Microsoft\Windows\TRUECRT3264	TrueUMBRE

