CrySis Ransomware Master Decryption Keys Released

The master decryption keys unlocking files encrypted by the CrySis ransomware have been released. Kaspersky Lab has already updated its Rakhni decryptor to help victims restore their data.

The threat posed by a ransomware family known as CrySis was diminished considerably on Sunday when the master decryption keys were released to the public.

Researchers at Kaspersky Lab said they have already folded the keys into the company’s Rakhni decryptor and victims of CrySis versions 2 and 3 now have a means of recovering their lost files.

The key was posted at 1 a.m. Eastern time to the BleepingComputer.com forums by a user known only as crss7777, said founder Lawrence Abrams. Abrams speculates that it could have been the ransomware developer who posted the key on the site’s CrySis support forum page; the post included a Pastebin link to a header file written in C that contains the master decryption keys and instructions on how to use them.

“Though the identity of crss7777 is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware,” Abrams said. “Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.”

CrySis surfaced in February after a report by researchers at Eset said the ransomware was quickly gaining favor from hackers after the decryption of TeslaCrypt ransomware. CrySis spread via email attachments with double file extensions or through links in spam messages. It was also found lurking in Trojanized versions of freely available software such as compression programs like WinRAR. Like most ransomware, it could encrypt a large number of file types and sought to encrypt data stored on shared drives. Documents encrypted by CrySis have their filenames changed to include a .xtbl extension and an email address, similar to [filename].id-[id].[email_address].xtbl, BleepingComputer said.

Kaspersky researchers said CrySis accounted for 1.15 percent of ransomware infections this year, with most of the victims found in Russia, Japan, South and North Korea, and Brazil.

A number of virulent ransomware families have been extinguished this year, including CryptXXX, TeslaCrypt, Chimera, Jigsaw and others.

Ransomware has been among the most feared malware threats of the year; attacks have taken large organizations in a number of industries offline and have impacted customer service. A number of high-profile attacks against hospitals and utilities put ransomware on the map as patient care was impacted in a couple of attacks as organizations wrestled with the question of whether to pay the attackers’ demands.

In the meantime, the FBI put out a number of warnings about ransomware, urging businesses to be vigilant about patching software that could be targeted by exploit kits spreading the malware, or about email campaigns spreading these infections.

“The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation,” the FBI said in May.

In September, the FBI made a public plea to organizations that have been ransomware victims to share incident reports, looking for details on how the infection happened, any losses incurred, the attackers’ Bitcoin wallet address and more.

Suggested articles