December 21, 2016
If you are a CryptXXX Ransomware victim who didn't pay the ransom and instead decided to store your encrypted files and ransom notes for future fixes, then you are in luck. Today, Kaspersky announced that they have updated their RannohDecryptor utility to decrypt CryptXXX encrypted files that have the .crypt, .cryp1, and .crypz extensions.
We have been monitoring CryptXXX since it was released in April 2016 and it has become one of the most widely reported ransomware families in our forums. Kaspersky has seen this as well, with their customers having been attacked by CryptXXX at least 80,000 times since April 2016. According to a press release by Kaspersky, more than half were found in six countries: US, Russia, Germany, Japan, India and Canada.
CryptXXX Attacks by Country since April 2016
Though Kaspersky was able to retrieve many of the decryption keys for the CryptXXX ransomware, not all of them were recovered. This means that even if you have a supported variant of CryptXXX, there is no guarantee that the decryptor will be able to decrypt your files. If you are affected by the .crypt, .cryp1 and .crypz variants it is definitely worth giving this tool a try.
How to use RannohDecryptor to decrypt CryptXXX Files
To use RannohDecryptor to decrypt compatible CryptXXX encrypted files, you need to download it from Kaspersky's site. Once it is downloaded, extract the ZIP file and double-click on the RannohDecryptor.exe executable. This will launch the main screen as shown below.
To check whether your files can be decrypted, click on the Start scan button and you will be prompted to select an encrypted file.
Select an Encrypted File
Select an encrypted .crypt, .cryp1 or .crypz file and then press the Open button. RannohDecryptor will now ask you to select a ransom note.
Select a Ransom Note
At the above screen, click on the OK button and you will be prompted to select a ransom note. When CryptXXX infects a victim's computer, it creates both a .txt and an .html ransom note file in the same folder as the encrypted files. When I tested RannohDecryptor against CryptXXX, I found that it did a better job retrieving your unique ID from the text files rather than the HTML files. Therefore, I recommend you select the TXT ransom note.
Once you have selected the ransom note, the decryptor will check if it has a decryption key that can be used for your files. If it does not, it will state that it cannot decrypt your files. Otherwise, it will begin searching your computer for encrypted files to decrypt.
Scanning for Encrypted Files
This scan and decryption process can take quite a while, so please be patient. While it runs, you can click on the Report button to see the status of the decryption as shown below.
When the program has finished decrypting the computer, you can review the log and then close the program. Your files should now be decrypted and usable in your programs.
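To find a sample encrypted file and a TXT ransom note for the two file prompts described above, a folder tree can be inventoried first. This is an added example, not part of the original article or of Kaspersky's tool; the function names, the sample file names, and the heuristic that any plain .txt/.html file beside encrypted files is a candidate note are assumptions.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXTS = {".crypt", ".cryp1", ".crypz"}  # extensions named in the article
NOTE_EXTS = (".txt", ".html")  # note formats named in the article, TXT preferred


def ext_of(name):
    return os.path.splitext(name)[1].lower()  # case-insensitive, as on Windows


def inventory(root):
    """Map each folder holding encrypted files to its encrypted files and candidate notes."""
    folders = {}
    # onerror: skip unreadable directories instead of aborting the walk
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        encrypted = sorted(f for f in files if ext_of(f) in ENCRYPTED_EXTS)
        if not encrypted:
            continue
        # Assumption: .txt/.html files beside encrypted files are candidate ransom notes
        notes = sorted((f for f in files if ext_of(f) in NOTE_EXTS),
                       key=lambda f: (NOTE_EXTS.index(ext_of(f)), f.lower()))
        folders[folder] = {"encrypted": encrypted, "notes": notes}
    return folders


def summarize(folders):
    """Count encrypted files per extension across all affected folders."""
    return Counter(ext_of(f) for info in folders.values() for f in info["encrypted"])


def pick_inputs(folders):
    """Return (encrypted_file, note) from one folder, TXT note first, or None."""
    for folder in sorted(folders):
        info = folders[folder]
        if info["notes"]:
            return (os.path.join(folder, info["encrypted"][0]),
                    os.path.join(folder, info["notes"][0]))
    return None


def build_sample(root):
    """Create a constructed sample tree (empty files, made-up names) for a dry run."""
    for rel in ("docs/report.docx.crypt", "docs/PHOTO.JPG.CRYPZ", "docs/note_constructed.html",
                "docs/note_constructed.txt", "pics/a.png.cryp1", "clean/readme.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        found = inventory(tmp)
        print(dict(summarize(found)), pick_inputs(found))
```

Point `inventory()` at a copy or backup of the affected data so the originals stay untouched until decryption has been confirmed to work.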