Rewterz Threat Alert – Indicators of Compromise – GetCrypt Ransomware

Wednesday, May 29, 2019



Analysis Summary

A new ransomware family called GetCrypt is being distributed through malvertising campaigns. The campaigns redirected users to a site hosting the RIG exploit kit, which attempted to exploit vulnerabilities found on the computer. Successful exploitation led to the download of the GetCrypt ransomware, which first checks the victim host's language and terminates if it is set to Ukrainian, Belarusian, Russian, or Kazakh. If it does not terminate, it clears all volume shadow copies to prevent potential recovery efforts. It then scans the system to identify files to be encrypted and performs the encryption using the Salsa20 and RSA-4096 encryption algorithms. A ransom note is left behind demanding payment in exchange for the decryption key. Along with encrypting accessible network drives, this malware is unique in its use of brute force attacks to attempt to mount shares requiring additional authentication.

GetCrypt Ransom Note

GetCrypt will also change your desktop background to the following image.

GetCrypt Wallpaper


  • File encryption
  • Loss of sensitive information

Indicator of Compromise

Malware Hash (MD5/SHA1/SHA256)

  • 8d833937f4da8ab0269850f961e8a9f963c23e6bef04a31af925a152f01a1169


Block the threat indicator at your respective controls.
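
The shadow-copy deletion step described in the analysis summary can also be hunted for in process-creation logs. The following is an added example, not part of the Rewterz alert: the alert does not name the command GetCrypt uses, so the patterns cover the common built-in Windows ways to delete shadow copies, and the hostnames and events are constructed.

```python
import re

# Built-in Windows ways to delete volume shadow copies. Assumption: the alert
# does not say which one GetCrypt runs, so all three are matched.
PATTERNS = {
    "vssadmin_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s.*\bshadowcopy\b.*\bdelete\b"),
    "powershell_wmi_delete": re.compile(r"win32_shadowcopy.*\.delete\(\)"),
}

# Constructed (host, command line) pairs standing in for process-creation logs.
SAMPLE_EVENTS = [
    ("WS-011", r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'),
    ("WS-014", r"vssadmin.exe list shadows"),            # benign: listing only
    ("WS-020", r"cmd.exe /c wmic  shadowcopy delete"),
    ("WS-031", 'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | '
               'ForEach-Object { $_.Delete() }"'),
    ("WS-014", r"wmic.exe shadowcopy list brief"),       # benign: listing only
]


def normalise(command_line):
    """Lower-case, drop quotes and collapse whitespace before matching."""
    return re.sub(r"\s+", " ", command_line.replace('"', "").lower()).strip()


def detect(events):
    """Return (host, rule, command_line) for each shadow-copy deletion."""
    hits = []
    for host, command_line in events:
        flat = normalise(command_line)
        for rule, pattern in PATTERNS.items():
            if pattern.search(flat):
                hits.append((host, rule, command_line))
                break  # one alert per event is enough
    return hits


if __name__ == "__main__":
    for host, rule, command_line in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {command_line}")
```

Legitimate backup tooling can also delete shadow copies, so hits are best triaged against the parent process and the account that ran the command.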
