February 22, 2017
Today, Avast released a decryptor for CryptoMix victim's that were encrypted while in offline mode. Offline mode is when the ransomware runs and encrypts a victim's computer while there is no Internet connection or the computer cannot connect to the ransomware's Command & Control server.
When CryptoMix encrypts a file in offline mode, it uses encryption keys that can be reproduced by researchers. These keys can then be used to try and decrypt your files, and if one of these keys works, then it means the victim was encrypted in offline mode and the key can be used to decrypt the whole computer.
Currently, this decryptor can be used to decrypt .CRYPTOSHIELD, .scl, .rscl, .lesli, .rdmk, .code, and .rmd files. It is important to remember, though, that just because your encrypted file contains one of those extension, there is no guarantee it was encrypted in offline mode and is decryptable.
I still suggest that everyone who was infected by CryptoMix try the decryptor to be sure. If anyone has questions or needs help operating this decryptor, feel free to ask in our dedicated CryptoMix Help & Support Topic.
How to Decrypt Offline CryptoMix Files using the Avast Decryptor
In order to decrypt files encrypted by an offline CryptoMix encryption, a user must have both an encrypted files and its unencrypted version. In order to find a matching pair of encrypted and unencrypted files, I suggest people use the sample pictures folder located at C:\Users\Public\Pictures\Sample Pictures. Thes images in this folder are almost always encrypted and their unencrypted versions can easily be downloaded from another computer.
To get started, I suggest you create a folder on your desktop called decrypt on the encrypted computer. Then copy one encrypted file from the C:\Users\Public\Pictures\Samples Pictures folder into this decrypt folder. As the latest version of CryptoMix, called CryptoShield, encrypts the filenames using ROT-13, you first need to decrypt the file name.
To do this, go to http://rumkin.com/tools/cipher/rot13.php and enter the filename of the encrypted file without the .CRYPTOSHIELD extension. For example, if an encrypted file was named CRATHVAF.WCT.CRYPTOSHIELD, you would only enter CRATHVAF.WCT into the website. Once you enter the filename, the web site will automatically decrypt the file so you can see its original filename as shown below.
Decrypting the ROT-13 Filename
As you can see from the above image, the decrypted filename is Penguins.jpg. Now that we know the original name of the encrypted files, you can copy an unencrypted version from another computer into the decrypt folder as well.
When you have both the encrypted version and unencrypted version in the decrypt folder, it should look like this.
Now that we have our pair of files ready, we can start the decryption process. Please use the link below to download the CryptoMix decryptor from Avast's website and save it to the desktop.
Once the file has downloaded, double-click on the avast_decryptor_cryptomix.exe file to launch it. When you launch the program you will be greeted by the main decryptor screen as shown below.
At this screen, click on the Next button to be brought to a screen asking you to select the drives you wish to decrypt. Please add each drive or folder that you wish to decrypt in the screen shown below.
Select Locations to Decrypt
Once you have added all of the locations you wish to decrypt, click on the Next button. You will now be at a screen asking you to select the encrypted and unencrypted file pair that we put in our decrypt folder on the desktop.
Add Encrypted and Unencrypted File Pair
For each field in the screen above, click on the button and select the appropriate file from the decrypt folder on your desktop. When you have selected the matching encrypted and original file, click on the Next button. You will now be brought to a screen asking you to start searching for a key to your files as shown below.
Crack the Password Screen
When you are ready, click on the Start button. The decryptor will now check your file against many known offline decryption keys. If one is found it will display a screen similar to the one below.
CryptoMix Decryption Password Found!
Now click on the Next screen to see various decryption options that you can select.
I suggest that you keep both options enabled as shown in the image above. Once you have decided what options to keep, click on the Decrypt button to begin decrypting the files encrypted by CryptoMix. The decryption process can take quite a while, so please be patient.
Decrypting CryptoMix Encrypted Files
When the decryption is finished you will be shown a screen like the one below.
Now that the decryption has completed, you can close the program.
If the decryptor was unable to decrypt your files, then that means your computer was not offline at the time of the encryption or that your particular key was not recovered yet. Hopefully a key will be recovered for you in the future.
Encrypted Offline File Extensions that can be Decrypted :
News Courtesy : https://www.bleepingcomputer.com/news/security/avast-releases-a-decryptor-for-offline-versions-of-the-cryptomix-ransomware/