

DynA-Crypt is ransomware that not only encrypts the victim's data, but also tries to steal a large amount of information from the victim's computer.

According to PCRisk, this program was created by a malware creation kit that allows any would-be criminal to create their own malware.

Payload

While running, DynA-Crypt will take screenshots of the user's active desktop, record system sounds from their computer, log commands the user types on the keyboard, and steal data from numerous installed programs.

The programs and data that DynA-Crypt steals include:

  • Screenshots
  • Skype
  • Steam
  • Chrome
  • Thunderbird
  • Minecraft
  • TeamSpeak 
  • Firefox
  • Recordings of system audio

When stealing this data, it will copy it into a folder called %LocalAppData%\dyna\loot\. When it is ready to send the data to the developer, it will zip it all up into a file called %LocalAppData%\loot.zip and email it to the developer.

After it steals the user's data, it also deletes many of the folders that it stole from. The PowerShell script will scan a computer for files that match the following extensions and encrypt them:

.jpg, .jpeg, .docx, .doc, .xlsx, .xls, .ppt, 
.pdf, .mp4, .mp3, .mov, .mkv, .png, .pst, 
.odt, .avi, .pptx, .msg, .rar, .mdb, .zip, 
.m4a, .csv, .001

When it encrypts a file, it will append the .crypt extension to the encrypted file's name. That means a file named test.jpg would be encrypted and renamed as test.jpg.crypt. The ransomware will also delete the computer's Shadow Volume Copies so that the user is unable to use them to recover files.

When done encrypting a computer, DynA-Crypt will display a lock screen asking the user to pay $50 USD in bitcoins to an enclosed bitcoin address.
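
A host triage check built only from the artifacts described above (the %LocalAppData%\dyna\loot\ staging folder, %LocalAppData%\loot.zip, and the .crypt renaming of the targeted extensions), as an added example that is not part of the original page. The function names and the verdict wording are assumptions of this example.

```python
import os
from pathlib import Path

# Extensions the page lists as encryption targets.
TARGETED = {".jpg", ".jpeg", ".docx", ".doc", ".xlsx", ".xls", ".ppt", ".pdf",
            ".mp4", ".mp3", ".mov", ".mkv", ".png", ".pst", ".odt", ".avi",
            ".pptx", ".msg", ".rar", ".mdb", ".zip", ".m4a", ".csv", ".001"}

def is_renamed_victim_file(name):
    """True for names like test.jpg.crypt: a targeted extension plus '.crypt'."""
    lower = name.lower()
    if not lower.endswith(".crypt"):
        return False
    inner = lower[:-len(".crypt")]
    return os.path.splitext(inner)[1] in TARGETED

def triage(local_appdata, scan_roots):
    """Collect the on-disk artifacts described on this page."""
    base = Path(local_appdata)
    report = {
        "staging_dir": (base / "dyna" / "loot").is_dir(),  # %LocalAppData%\dyna\loot\
        "loot_zip": (base / "loot.zip").is_file(),         # %LocalAppData%\loot.zip
        "crypt_files": [],
    }
    for root in scan_roots:
        # Unreadable directories are skipped instead of aborting the scan.
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            for name in files:
                if is_renamed_victim_file(name):
                    report["crypt_files"].append(os.path.join(dirpath, name))
    report["crypt_files"].sort()
    return report

def assess(report):
    """Verdict wording is this example's own. A .crypt suffix alone is a weak
    signal, so it is only called a match when a staging artifact is also present."""
    staged = report["staging_dir"] or report["loot_zip"]
    if staged and report["crypt_files"]:
        return "consistent with DynA-Crypt"
    if staged or report["crypt_files"]:
        return "partial match, investigate"
    return "no indicators found"

if __name__ == "__main__":
    appdata = os.environ.get("LOCALAPPDATA", "")
    result = triage(appdata, [Path.home()]) if appdata else None
    print(assess(result) if result else "LOCALAPPDATA not set")
```

Run it from an account that can read the affected user's profile. The staging artifacts may no longer exist on a host where the malware has finished, so a partial match still needs follow-up.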
