Total Victims: 0
First Seen: 2021-08-01
Last Seen: 2022-03-17
Known TTPs: 0
Avg Delay: 14.3d
Negotiations: 0
ONION URLS
uuffymxwemgxwam6en5e3jrrlsm34boxd7htcjzysmwgpi2zwhuqrb4d.onion
TOOLS
TDSSKiller, Atera, Chisel
FILE EXTENSIONS
.gone
Date Victim Name Country Sector Status
No victims recorded

No TTPs data

Crystal_rule_1 Florian Roth
rule Crystal_ransomware_1 {
    meta:
        description = "Detects Crystal ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "97fd6ffed6c00c7805a5f2505eca0bf742ce29a4d9af54ec00595745bfd4c47d"

    strings:
        $r0 = /README\..{3,10}/i
        $r1 = /[A-Za-z0-9]{56}\.onion/
        $s2 = "DECRYPT" nocase
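        // last byte is incomplete on the page ("1"); its missing nibble is wildcarded so the rule compiles
        $h3 = { 5C D3 A2 BB F6 21 1A B9 10 1? }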
        $s4 = "::::" nocase
        $h5 = { A5 C7 6D F5 DF 3C DC F0 30 A4 79 59 66 }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

No ransom notes