HOMETHREATSCryCryptor
MALWARE FAMILY

CryCryptor

Internal ID: apk.crycryptor
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

According to NHS Digital, CryCryptor is distributed via websites that spoof health organisations. At the time of publication these websites have affected the Canadian health service. CryCryptor cannot be obtained from the Google Play store, so devices restricted to only running apps from the store are not affected.

When CryCryptor is run it encrypts common file types and saves a ransom note to every directory where files have been encrypted. Encrypted files have the extension '.enc' appended to the filenames. Additional files are saved containing the salt values used in each encryption and an initialisation vector. These files have the extensions '.enc.salt' and '.enc.iv' respectively.

When files have been encrypted, a notification is displayed directing users to open the ransom note.

Threat Analysis

CryCryptor is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

External References

Quick Facts

TypeMalware Family
Aliases1

Also Known As

apk.crycryptor

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.