CrySiS Ransomware Master Decryption Keys Released

The master decryption keys for the CrySiS ransomware were released on Monday, allowing security researchers to help victims recover their files.

The move is surprising, but not unique. Last year, the alleged author of the crypto ransomware known as Locker published the keys required to decrypt victims’ files, and TeslaCrypt authors made a similar move earlier this year, when they decided to shut down their malicious project.

The master decryption keys for CrySiS were posted on Pastebin along with information on how to use them. The Pastebin link was then shared by a BleepingComputer.com forum member going by the username crss7777, who posted it in the forum's CrySiS support topic.

It is not yet known who crss7777 is, but researchers believe one of the ransomware's authors decided to release the keys: whoever posted them understood the structure of the keys and released them as a C header file. The reason behind the move remains unknown.

Regardless of the reason, the good news is that the Kaspersky Lab security researchers who examined the master decryption keys deemed them legitimate. They have also updated their RakhniDecryptor tool so that it can help CrySiS victims recover their encrypted files.

Files encrypted by the CrySiS ransomware are renamed to the format [filename].id-[id].[email_address].xtbl, BleepingComputer's Lawrence Abrams notes. With this piece of information, affected users can check whether the malware that encrypted their files was CrySiS or something else before reaching for a decryptor.
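As an added example (not code from the article, from BleepingComputer, or from Kaspersky Lab's tool), the following Python script applies the naming pattern above to a file listing and pulls out the original file name, the [id] segment and the e-mail address, then groups the hits by id. The sample filenames, ids and addresses are constructed for illustration. The regex's handling of dots inside the original name and inside the e-mail domain, and the reading of the id segment as identifying one infection, are assumptions made here rather than details the article states.

```python
"""Triage helper for the CrySiS naming pattern described in the article:

    [filename].id-[id].[email_address].xtbl

All sample filenames below are constructed; the ids and e-mail addresses are
made up and do not refer to any real campaign.
"""
import re
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, NamedTuple, Optional

# Assumption: the original name may itself contain dots ("report.docx"), so it
# is matched non-greedily up to the first ".id-" segment. The e-mail segment
# may contain dots in both the local part and the domain, so it is matched up
# to the final ".xtbl". A bare ".xtbl" suffix without the ".id-<id>.<email>"
# segments does not match: the extension alone is not the distinguishing part.
CRYSIS_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<id_tag>[^.]+)\.(?P<email>[^@\s]+?@[^\s]+?)\.xtbl$",
    re.IGNORECASE,
)


class CrysisName(NamedTuple):
    original: str  # name before encryption, e.g. "report.docx"
    id_tag: str    # the [id] segment from the article's format
    email: str     # contact address the malware appended


def parse_crysis_name(filename: str) -> Optional[CrysisName]:
    """Return the parsed components if `filename` follows the pattern, else None."""
    m = CRYSIS_NAME_RE.match(filename)
    if not m:
        return None
    return CrysisName(m["original"], m["id_tag"], m["email"])


def triage(filenames: List[str]) -> Dict[str, List[CrysisName]]:
    """Group files that match the pattern by their id segment.

    Assumption: one id corresponds to one infection. If a listing shows several
    ids, the files came from more than one infected source (e.g. a share that
    several machines wrote to), which matters when choosing which encrypted
    file to hand to a decryptor as its sample.
    """
    groups: Dict[str, List[CrysisName]] = defaultdict(list)
    for name in filenames:
        parsed = parse_crysis_name(name)
        if parsed is not None:
            groups[parsed.id_tag].append(parsed)
    return dict(groups)


def scan_directory(root: str) -> Dict[str, List[CrysisName]]:
    """Walk `root` recursively and triage every file name found there."""
    return triage([p.name for p in Path(root).rglob("*") if p.is_file()])


# Constructed sample listing (not real victim data).
SAMPLE_LISTING = [
    "report.docx.id-A1B2C3D4.contact@example.com.xtbl",
    "budget.xlsx.id-A1B2C3D4.contact@example.com.xtbl",
    "photo.jpg.id-FFEE0011.help.desk@mail.example.org.xtbl",
    "notes.txt.xtbl",     # .xtbl alone, no id/e-mail segments: not matched
    "archive.zip.locky",  # a different family's extension: not matched
    "readme.txt",         # untouched file
]

if __name__ == "__main__":
    for id_tag, files in triage(SAMPLE_LISTING).items():
        print(f"id {id_tag}: {len(files)} file(s), contact {files[0].email}")
        for f in files:
            print(f"  {f.original}")
```

Run it against a real listing with `scan_directory("/path/to/affected/folder")`; the `original` field also gives the name a recovered file should get back once it has been decrypted.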

Victims of this ransomware variant can now download Kaspersky Lab's RakhniDecryptor to recover their encrypted files. Versions 1.17.8.0 and above include support for CrySiS. Users simply need to let the application scan their computer for encrypted files; it first prompts them to select an encrypted file by browsing to a folder affected by CrySiS and choosing a Word, Excel, PDF, audio, or image file.

The scan and decryption process might take a while, so users should be patient. Once the operation has been completed, the decryption tool should display a list with the recovered files.

Related: Decryption Tools Released for Bart, PowerWare Ransomware

Related: Radamant C&C Server Manipulated to Spew Decryption Keys

Related: Flaw in Linux Encryption Ransomware Exposes Decryption Key

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
