CryptXXX had been identified by ProofPoint earlier in the month and described as being closely linked to the Reveton ransomware operation and Angler/Bedep. The ransom of $500 is considered to be quite high, but Kaspersky's free decryption tool means that files can be retrieved without having to part with a cent.
CryptXXX uses RSA4096, but Kaspersky's John Snow says that it is "very curious and greedy: not only does it encrypt the files, but it also steals bitcoins kept on victims’ hard drives and copies other data, which can be useful for cybercriminals". The ransomware encrypts not only local files, but those on attached storage devices, and there is a delay between infection and encryption to make detection trickier.
Despite the use of RSA4096, CryptXXX is "not that difficult to crack". Kaspersky had previously created the RannohDecryptor tool to decrypt files on computer hit by Rannoh ransomware. Now the company has updated the tool so it can also handle CryptXXX files.
Kaspersky explains:
If CryptXXX ransomware has found its way into your system, not everything is lost. To recover your files we will need the original (not encrypted) version of at least one file, which suffered from CryptXXX. If you have more files like this backed up, this will work. Then you need to do the following:
If you've been struck by a CryptXXX infection, grab yourself a copy of the decryption tool from Kaspersky.
- Download the tool and launch it.
- Open Settings and choose drive types (removable, network or hard drive) for scanning. Don’t check the "Delete crypted files after decryption" option until you are 100% that decrypted files open properly.
- Click the "Start scan" link and choose where the encrypted .crypt file lies (that file, for which you have an unencrypted copy as well).
- Then the tool will ask for the original file.
- After that RannohDecryptor starts searching for all other files with ".crypt" extension and tries to decrypt all files, which weigh less than your original. The bigger file you’ve feed to the utility -- the more files would be decrypted.
Photo credit: Bacho / Shutterstock
~ Mark Wilson
0 comments:
Post a Comment