ESET Crysis decryptor to rescue files encrypted by the Crysis ransomware

Pierluigi Paganini November 22, 2016

ESET security firm has included master decryption keys into a decryption tool that allows rescuing the encrypted files without paying the ransom.

Good news for the victims of the Crysis ransomware, ESET security firm has included master decryption keys into a tool that allows rescuing the encrypted files.

The decryption keys for the CrySis ransomware were posted online on the BleepingComputer.com forum by a user known as crss7777 who shared a link to a C header file containing the actual master decryption keys and information on how to utilize them.

“In a surprise move, the master decryption keys for the CrySiS Ransomware have been released early this morning in a post on the BleepingComputer.com forums. At approximately 1 AM EST, a member named crss7777 created a post in the CrySiS support topic at BleepingComputer with a Pastebin link to a C header file containing the actual master decryption keys and information on how to utilize them,” wrote Lawrence Abrams from BleepingComputer.

“These keys have already been used by Kaspersky Labs to update their RakhniDecryptor program so that it can be used to decrypt victim’s files.”

CrySis ransomware Taken from BleepingComputer.com

Lawrence Abrams speculates the user crss7777 could be a member of the development team.

“Though the identity of crss7777 is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware,” said Abrams.

“Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.”

The CrySis ransomware was first spotted in February by ESET, it has infected systems mostly in Russia, Japan, South and North Korea, and Brazil.

The malware spreads via email attachments with double file extensions or via malicious links embedded in spam emails.

The ransomware is able to encrypt more than 200 file types searching for them on internal and external storage, and network shares, and deleting backup shadow files.

The CrySis ransomware appends the .xtbl extension to the encrypted files, the files are renamed following the following format [filename].id-[id].[email_address].xtbl.

In June the experts observed a peak in the number of infections, likely due to the dead of TeslaCrypt.

Security experts observed that in Australia and New Zealand the Crysis ransomware was targeted businesses exploiting remote desktop connections and compromising routers to re-infect cleaned up computers.

“Crysis (detected by Trend Micro as RANSOM_CRYSIS.A), a ransomware family first detected in February this year, has been spotted targeting businesses in Australia in New Zealand through remote desktop protocol (RDP) brute force attacks.” reported Trend Micro in a blog post.

It is not clear why crooks dropped the decryption keys, likely they tried to ease the pressure of law enforcement that were trying to identify the operators behind the malware.

ESET has included the decryption keys in a free tool,  ESET Crysis decryptor, and published instructions to use it.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CrySis ransomware, cybercrime)



you might also like

leave a comment