
CrySiS Ransomware Master Decryption Keys Released

The master decryption keys for the CrySiS ransomware were released on Monday, allowing security researchers to help victims recover their files.

The move is surprising, but not unique. Last year, the alleged author of the crypto ransomware known as Locker published the keys required to decrypt victims’ files, and TeslaCrypt authors made a similar move earlier this year, when they decided to shut down their malicious project.

The master decryption keys for CrySiS were posted on Pastebin along with the information on how to use them. What’s more, a forum member going by the username of crss7777 posted the Pastebin link in the CrySiS support topic.

While it’s not yet known who crss7777 might be, researchers believe that one of the ransomware’s authors decided to release the keys, given the poster’s knowledge of the structure of the keys and the fact that they were released as a C header file. However, the reason behind the move is still unknown.

Regardless of the reason, the good news is that the master decryption keys were deemed legitimate by the Kaspersky Lab security researchers who examined them. What’s more, the researchers have updated their RakhniDecryptor decryption program so that it can help CrySiS victims recover their encrypted files.

Files encrypted by the CrySiS ransomware are renamed to the format of [filename].id-[id].[email_address].xtbl, BleepingComputer’s Lawrence Abrams notes. Armed with this piece of information, affected users can identify whether the malware that encrypted their files was CrySiS or not.
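A triage sketch for the naming pattern described above, added here as an example (it is not code from the article, Kaspersky Lab or BleepingComputer): it parses the `[filename].id-[id].[email_address].xtbl` format and groups affected files by ID and contact address so responders can scope what was hit. The function names, the sample paths, and the assumptions that the ID contains no dots and the address exactly one `@` are ours.

```python
import re
from collections import defaultdict
from pathlib import Path

# Pattern from the article: [filename].id-[id].[email_address].xtbl
# Assumptions (not stated in the article): the ID contains no dots and the
# address contains exactly one "@". The greedy first group binds the match to
# the LAST ".id-" in the name, so original filenames that themselves contain
# ".id-" are still recovered intact.
CRYSIS_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^.]+)"
    r"\.(?P<email>[^@\s]+@[^@\s]+)\.xtbl$",
    re.IGNORECASE,
)

def parse_crysis_name(name):
    """Return (original, victim_id, email) for a matching name, else None."""
    m = CRYSIS_NAME.match(name)
    return (m["original"], m["victim_id"], m["email"]) if m else None

def inventory(paths):
    """Group matching files by (victim_id, email); values are original names."""
    groups = defaultdict(list)
    for path in paths:
        parsed = parse_crysis_name(Path(path).name)
        if parsed:
            original, victim_id, email = parsed
            groups[(victim_id, email.lower())].append(original)
    return dict(groups)

def scan(root):
    """Walk a directory tree and inventory every regular file under it."""
    return inventory(str(p) for p in Path(root).rglob("*") if p.is_file())

# Constructed sample paths (not real indicators).
SAMPLE = [
    "/srv/share/report.docx.id-ABCD1234.john.doe@example.com.xtbl",
    "/srv/share/my.id-card.png.id-ABCD1234.John.Doe@example.com.xtbl",
    "/srv/share/budget.xlsx.id-0F0F0F0F.help@example.org.xtbl",
    "/srv/share/notes.txt.xtbl",   # .xtbl suffix alone is not enough to match
    "/srv/share/readme.txt",
]

if __name__ == "__main__":
    for (victim_id, email), files in inventory(SAMPLE).items():
        print(f"id={victim_id} contact={email} files={len(files)}: {files}")
```
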

Victims of this ransomware variant can now download Kaspersky Lab’s RakhniDecryptor to recover their encrypted files. Versions and above include support for the CrySiS ransomware. Users simply need to allow the application to scan their computer for infected files (first it prompts the users to open an encrypted file by browsing to a folder affected by CrySiS and selecting a Word, Excel, PDF, audio, or image file).

The scan and decryption process might take a while, so users should be patient. Once the operation has been completed, the decryption tool should display a list with the recovered files.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
