
Ransomware

CryCryptor

aka CryCrypter · CryDroid

According to NHS Digital, CryCryptor is distributed via websites that spoof health organisations.

CryCryptor, also known as CryCrypter or CryDroid, is an Android ransomware.

Background

NHS Digital reports that CryCryptor spreads through websites impersonating health organisations, and at the time of writing those sites targeted the Canadian health service. Because CryCryptor is not available on the Google Play store, devices configured to install only store-sourced apps are unaffected.

Once executed, CryCryptor encrypts common file types and drops a ransom note into each directory containing encrypted files. It appends the '.enc' extension to encrypted filenames and writes accompanying files holding the per-file salt value and an initialisation vector, using the extensions '.enc.salt' and '.enc.iv' respectively.

After encryption completes, a notification appears prompting the user to open the ransom note.
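An added triage example (not from NHS Digital or Malpedia): the Python below walks an extracted copy of device storage and flags '.enc' files that sit beside both '.enc.salt' and '.enc.iv' companions, the naming described above. It assumes the companion files reuse the encrypted file's full name; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

SIDECARS = (".enc.salt", ".enc.iv")  # companion extensions named in the write-up


def find_triplets(root):
    """Return (complete, partial) lists of '.enc' paths found under root."""
    # complete: both companions present; partial: exactly one present.
    # A bare '.enc' file is ignored: the extension alone is a weak signal.
    complete, partial = [], []
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for name in sorted(names):
            if not name.endswith(".enc"):
                continue
            base = name[: -len(".enc")]  # assumption: companions share this stem
            present = sum((base + ext) in names for ext in SIDECARS)
            path = os.path.join(dirpath, name)
            if present == len(SIDECARS):
                complete.append(path)
            elif present:
                partial.append(path)
    return complete, partial


def affected_directories(complete):
    """Count complete triplets per directory to scope the encrypted data."""
    return Counter(os.path.dirname(p) for p in complete)


def build_sample_tree(root):
    """Constructed sample: empty files that only mimic the naming pattern."""
    layout = {
        "DCIM": ["a.jpg.enc", "a.jpg.enc.salt", "a.jpg.enc.iv",
                 "b.jpg.enc", "b.jpg.enc.salt", "b.jpg.enc.iv"],
        "Download": ["doc.pdf.enc", "doc.pdf.enc.iv", "backup.enc", "notes.txt"],
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for f in files:
            open(os.path.join(root, sub, f), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        done, part = find_triplets(tmp)
        print(len(done), "complete,", len(part), "partial")
```

Partial matches are reported separately because a missing salt or IV file is worth noting before any recovery attempt on that file.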


Source: Malpedia (Fraunhofer FKIE).