APT / THREAT GROUP

CryCryptor

4 aliases
Last seen: Mar 17, 2026

Intelligence Profile

According to NHS Digital, CryCryptor is distributed via websites that spoof health organisations. At the time of publication these websites have affected the Canadian health service. CryCryptor cannot be obtained from the Google Play store, so devices restricted to only running apps from the store are not affected.

When CryCryptor is run it encrypts common file types and saves a ransom note to every directory where files have been encrypted. Encrypted files have the extension '.enc' appended to the filenames. Additional files are saved containing the salt values used in each encryption and an initialisation vector. These files have the extensions '.enc.salt' and '.enc.iv' respectively.

When files have been encrypted, a notification is displayed directing users to open the ransom note.
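The artifact layout described above ('.enc' files with sibling '.enc.salt' and '.enc.iv' files) can be checked for during triage. The following is an added example, not code from NHS Digital, Malpedia or CTIWATCH. It assumes it is run over a copy of device storage pulled for analysis, and that a complete triplet is a stronger indicator than a lone '.enc' file. All function names are hypothetical.

```python
"""Triage helper: locate files matching the CryCryptor artifact layout."""
import os
import tempfile
from collections import defaultdict

ENC, SALT, IV = ".enc", ".enc.salt", ".enc.iv"


def find_artifacts(root):
    """Return {directory: [(original_name, has_salt, has_iv), ...]}."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for name in sorted(names):
            # '.enc.salt' and '.enc.iv' do not end with '.enc', so only
            # the encrypted file itself is matched here.
            if not name.endswith(ENC) or name == ENC:
                continue
            stem = name[: -len(ENC)]
            hits[dirpath].append((stem, stem + SALT in names, stem + IV in names))
    return dict(hits)


def summarize(hits):
    """Count complete triplets versus '.enc' files missing a salt or IV file."""
    complete = sum(1 for rows in hits.values() for _, s, i in rows if s and i)
    total = sum(len(rows) for rows in hits.values())
    return {"dirs": len(hits), "complete": complete, "partial": total - complete}


if __name__ == "__main__":
    # Constructed sample tree; file names and (empty) contents are made up.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("DCIM/a.jpg.enc", "DCIM/a.jpg.enc.salt",
                    "DCIM/a.jpg.enc.iv", "Download/backup.enc"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        hits = find_artifacts(root)
        for directory, rows in sorted(hits.items()):
            for stem, has_salt, has_iv in rows:
                tag = "triplet" if has_salt and has_iv else "enc-only"
                print(f"{tag:8} {os.path.join(directory, stem)}")
        print(summarize(hits))
```

Entries reported as enc-only may come from unrelated tools that also use the '.enc' extension, so review them separately from complete triplets.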

Threat Analysis

CryCryptor is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations; its primary motivation and activity patterns are unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 4

Also Known As

CryDroid, apk.crycryptor, CryCryptor, CryCrypter

External Intelligence

Malpedia: apk.crycryptor

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.