Ransomware Decryption Tool Updated

Monday, May 16, 2016 @ 02:05 PM gHale


Kaspersky Lab just updated the decryption tool to adapt to the second version of CryptXXX.

It was not long ago that CryptXXX got an upgrade that not only got around decryption tools but also halted users from accessing their files.

CryptXXX, first spotted in mid-April by security firm Proofpoint, worked just like any other crypto-ransomware: it would infect targets via malvertising, encrypt their files, and ask for a ransom.

Users had full access to their computers, except to the encrypted files. They could still use the “same computer” to go online, buy Bitcoin, and pay the ransom.

Things looked good for victims when security company Kaspersky Lab released an update to its RannohDecryptor that included the ability to analyze and crack CryptXXX’s encryption.

This modification allowed CryptXXX victims to download Kaspersky’s decrypter and run it instead of going online and paying the ransom.

That didn’t last too long: almost two weeks after Kaspersky released its free decryption tool, Proofpoint reported on the emergence of CryptXXX version 2, which included an update that defeated the tool.

Not any more, though: Kaspersky has released the updated RannohDecryptor 1.9.1.0.

“The updated version of CryptXXX ransomware has been successfully decrypted; and a new version of the Kaspersky Lab decryption tool can now help the victims of CryptXXX v2,” said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab. “This tool supports the decryption of about 40 popular file formats, including documents, archives, images, etc. Unfortunately, it is not possible to decrypt any arbitrary file format.”

Users can download the tool here for free.

Some notes from the Kaspersky folks on the update include:

1. We support decryption of about 40 popular file formats, including documents, archives, images, etc. Unfortunately, there is no possibility to decrypt any arbitrary file format.

2. Decryption may take some time. Generally, the 1st file gets decrypted within several minutes, and all subsequent files in a matter of seconds (each). In the worst case every file will take several minutes.

3. Original copy is not needed for Cryptxxx v2.

“While this tool will help those infected decrypt their .crypt files, we know criminals will always look to evolve to stop workarounds from good guys in cybersecurity,” said Kaspersky’s Jeffrey Esposito in a blog post. “It is an unfortunate reality in the current world we live in.”