Ransomware Decryption Tool Releases

Wednesday, May 3, 2017 @ 12:05 PM gHale

A new decrypter has been released for the Cry128 strain of the CryptON ransomware.

Strains of the CryptON ransomware, such as X3M and Nemesis, started appearing in December, and researchers said they were all put together using the same builder. The Cry128 strain began appearing on April 22, said researchers at Emsisoft.

The CryptON ransomware family generally infects systems through brute-force attacks on remote desktop services, which let the attackers log into the victim’s server and execute the ransomware, the researchers said.

“Once the criminals have access, the malware will delete the system’s recovery points so shadow copies cannot be used to recover the files once encrypted. Since Cry128 does not contain an extension list, it will encrypt all file types on the machine. It does, however, exclude C:\Windows, C:\Program Files and the user profile folder from the encryption operation, so that boot operation and other critical processes are not impacted,” Emsisoft researchers said in a blog post.

The Cry128 strain relies on a modified version of AES working on 128-byte blocks with 1024-bit keys in ECB mode. Once the malware encrypts a file, the file appears to be 16 bytes larger than the original.
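The 16-byte growth and the folder exclusions described above can be used to triage which files were hit when a known-good backup inventory exists. The following is an added example, not code from Emsisoft or the original article; it assumes an encrypted file keeps the original name as a prefix, treats `C:\Users` as the user profile folder, and runs on constructed sample inventories. A size match is an indicator only, not proof of encryption.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

SIZE_DELTA = 16  # growth of an encrypted file, as reported in the article

# Folders the article says Cry128 skips. "C:\Users" stands in for "the user
# profile folder" and is an assumption of this example.
EXCLUDED = [PureWindowsPath(p) for p in (r"C:\Windows", r"C:\Program Files", r"C:\Users")]


def is_excluded(path):
    """True if path is inside an excluded folder (case-insensitive, whole components)."""
    p = PureWindowsPath(path)
    return any(e == p or e in p.parents for e in EXCLUDED)


def likely_encrypted(backup, live):
    """Pair backup files with live files in the same folder that grew by SIZE_DELTA.

    backup, live: {full Windows path: size in bytes}.
    Assumption: an encrypted file keeps the original name as a prefix.
    """
    by_folder = defaultdict(list)
    for path, size in live.items():
        p = PureWindowsPath(path)
        by_folder[p.parent].append((p.name.lower(), size, path))
    hits = []
    for orig, size in backup.items():
        if is_excluded(orig):
            continue
        o = PureWindowsPath(orig)
        for name, live_size, live_path in by_folder[o.parent]:
            if name.startswith(o.name.lower()) and live_size == size + SIZE_DELTA:
                hits.append((orig, live_path))
    return sorted(hits)


# Constructed inventories; ".locked-example" is a placeholder suffix.
BACKUP = {r"D:\Shares\finance\q1.xlsx": 20480, r"D:\Shares\finance\notes.txt": 512,
          r"C:\Program Files (x86)\App\data.db": 4096, r"C:\Windows\system.ini": 219}
LIVE = {r"D:\Shares\finance\q1.xlsx.locked-example": 20496,
        r"D:\Shares\finance\notes.txt": 540,      # ordinary edit, not +16
        r"C:\Program Files (x86)\App\data.db.locked-example": 4112,
        r"C:\Windows\system.ini": 235}            # +16 but in an excluded folder

if __name__ == "__main__":
    for orig, enc in likely_encrypted(BACKUP, LIVE):
        print(f"{enc}  (+{SIZE_DELTA} bytes vs backup of {orig})")
```

Matching on whole path components keeps `C:\Program Files (x86)` in scope, since the article lists only `C:\Program Files` among the skipped folders.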

The Cry128 ransomware uses a payment portal that’s hosted on Tor and tor2web links.

If you’ve fallen victim to this ransomware, don’t despair and don’t pay the fees requested from you.

For those that end up a victim of this ransomware, the decrypter is available for free download from Emsisoft’s site.