The common user experience when it comes to ransomware looks like this: you open a website then accidentally download and install a piece of software. You might even not notice that you’ve done that. For some time nothing happens and suddenly you see a notification that all your files are encrypted by a Trojan that wants money to return them back. You check to see if it’s true and see: all your files refuse to open. You also see that they are updated with the ominous .crypt extension.
If you find yourself in this predicament, it looks like your system has been infected with CryptXXX ransomware. It’s a very mean Trojan that encrypts files and steals your personal data and bitcoins. But we have good news: there is a free tool, which can cure your system from this infection.
What is CryptXXX?
If you are looking for the files decryption manual you can skip this part — just scroll down the info you are looking for is later in the article. Here we are going to first cover several facts about the Trojan.
In April, 15 Proofpoint researchers discovered a brand new ransomware which used Angler exploit kit to infect Windows devices. As cybercriminals had not given any name to their creation the researchers called it CryptXXX. It is possible that they chose that name as the Trojan had a nasty habit of adding the .crypt extension to the names of all infected files and XXX is Anglers second name.
CryptXXX is an interesting ransomware sample. It encrypts files on all attached data storage a short time after the PC has been infected. The criminals put this delay in to confuse victims and make it harder to detect which websites spread the malware.
10 tips to protect your files from ransomware https://t.co/o0IpUU9CHb #iteducation pic.twitter.com/I47sPIiWFF
— Kaspersky Lab (@kaspersky) November 30, 2015
Having finished encryption the Trojan creates three manuals: a text file, an image and an HTML web page. The image is set as a desktop wallpaper (maybe, for greater clarity). The web-page is opened in a browser, while the text file is left on the hard drive just in case. All manuals contain similar text.
They inform the victims that their files are encrypted with the help of RSA4096 — a stronger encryption algorithm — and demand a $500 ransom in bitcoins for bringing the data back. The user has to install the Tor browser and follow the link in the manual to open an onion-website, which includes detailed instructions and the form of payment. There is even the Frequently Asked Question page — everything for the ease of use!
CryptXXX is also very curious and greedy: not only does it encrypt the files, but it also steals bitcoins kept on victims’ hard drives and copies other data, which can be useful for cybercriminals.
It’s awful but we have a cure!
Usually it’s very hard to find a universal decryption algorithm for modern ransomware. That’s why very often the only thing a victim can do is pay the ransom. We don’t recommend doing this unless it is the last resort.
Fortunately, CryptXXX turned out to be not that difficult to crack. Kaspersky Lab experts created a tool that can help users to restore encrypted files.
#Alert We've got a #decryptor for those infected with #CryptXXX #Ransomware #infosec https://t.co/MTtTKQom79 pic.twitter.com/N56Wof2BZY
— Kaspersky Lab (@kaspersky) April 25, 2016
The RannohDecryptor utility was initially created to decrypt files, which suffered from Rannoh ransomware. In time it acquired additional and useful features. Now it can be used to cure your files from CryptXXX activity.
So if CryptXXX ransomware has found its way into your system, not everything is lost. To recover your files we will need the original (not encrypted) version of at least one file, which suffered from CryptXXX. If you have more files like this backed up, this will work.
Then you need to do the following:
- Download the tool and launch it.
- Open Settings and choose drive types (removable, network or hard drive) for scanning. Don’t check the “Delete crypted files after decryption” option until you are 100% that decrypted files open properly.
- Click the “Start scan” link and choose where the encrypted .crypt file lies (that file, for which you have an unencrypted copy as well).
- Then the tool will ask for the original file.
- After that RannohDecryptor starts searching for all other files with “.crypt” extension and tries to decrypt all files, which weigh less than your original. The bigger file you’ve feed to the utility — the more files would be decrypted.
Get ready beforehand!
It’s better not to tempt fate and prevent CryptXXX from infecting your PC beforehand. Our decryption tool works today, but criminals can soon release a new version of the same ransomware that would be smarter. Very often culprits change malware code in such a way that it becomes impossible to decrypt infected files. For example, this already happened with TeslaCrypt ransomware: there was once a utility tool which successfully cured encrypted files but now it’s almost useless.
#TeslaCrypt: Round Three – https://t.co/LAPH359dZp #ransomware pic.twitter.com/6m1MdgfmSz
— Kaspersky Lab (@kaspersky) December 15, 2015
Let’s also remember that CryptXXX steals personal data and money — sharing them with criminals is surely a bad idea.
To protect yourself follow these cybersecurity rules.
- Regularly make backups.
- Install all critical updates for your OS and browsers. Angler exploit kit, which is used by CryptXXX, leverages software vulnerabilities to download and install the ransomware.
- Install a proper security solution. Kaspersky Internet Security provides a multi-layered protection from ransomware. Kaspersky Total Security can complement the all-round protection with automatic backing up.
You can find more information on how to protect yourself from ransomware here.
Update: it seems that the bad guys became aware of our decryptor, as they’ve modified CryptXXX in a way our utility could no longer decrypt the files. We have good news: malware analysts at Kaspersky Lab updated the utility, and now it can deal with the new version of CryptXXX ransomware as well. You can find more information here: https://www.kaspersky.com/blog/cryptxxx-decryption-20/
Update 2: Solved again! Read more about how we’re winning the war with CryptXXX here: https://www.kaspersky.com/blog/cryptxxx-v3-ransomware/13628/