The master decryption keys for the CrySiS ransomware were released on Monday, allowing security researchers to help victims recover their files.
The move is surprising, but not unique. Last year, the alleged author of the crypto ransomware known as Locker published the keys required to decrypt victims’ files, and TeslaCrypt authors made a similar move earlier this year, when they decided to shut down their malicious project.
The master decryption keys for CrySiS were posted on Pastebin along with the information on how to use them. What’s more, a BleepingComputer.com forum member going by the username of crss7777 posted the Pastebin link in the CrySiS support topic.
While it’s not yet known who crss7777 might be, researchers believe that one of the ransomware’s authors decided to release the keys, considering the knowledge they had regarding the structure of the keys and because they released them as a C header file. However, the reason behind the move is still unknown.
Regardless of the reason, the good news is that the master decryption keys were deemed legitimate by the Kaspersky Lab security researchers who examined them. What’s more, the researchers have updated their RakhniDecryptor decryption program so that it can help CrySiS victims recover their encrypted files.
Files encrypted by the CrySiS ransomware are renamed to the format of [filename].id-[id].[email_address].xtbl, BleepingComputer’s Lawrence Abrams notes. Armed with this piece of information, affected users can identify whether the malware that encrypted their files was CrySiS or not.
Victims of this ransomware variant can now download Kaspersky Lab’s RakhniDecryptor to recover their encrypted files. Versions 1.17.8.0 and above include support for the CrySiS ransomware. Users simply need to allow the application to scan their computer for infected files (first it prompts the users to open an encrypted file by browsing to a folder affected by CrySiS and selecting a Word, Excel, PDF, audio, or image file).
The scan and decryption process might take a while, so users should be patient. Once the operation has been completed, the decryption tool should display a list with the recovered files.
Related: Decryption Tools Released for Bart, PowerWare Ransomware
Related: Radamant C&C Server Manipulated to Spew Decryption Keys
Related: Flaw in Linux Encryption Ransomware Exposes Decryption Key