March 09, 2017

Yesterday, Emsisoft's CTO and malware researcher Fabian Wosar released a decryptor for the CryptON Ransomware. This ransomware has been around since the end of February and has had a few variants released. It was named CryptON based on a string found within the executable.

The known extensions used by CryptON that can currently be decrypted are:


Example ransom note screens are:

[Image: wallpaper ransom note]

[Image: nemesis ransom note variant. Source: Emsisoft]

For those who have been infected by the CryptON Ransomware and have files that are encrypted, you can use the guide below to decrypt the files for free. If you need help decrypting your files, feel free to ask in the CryptON Ransomware Help Topic.

How to Decrypt the CryptON Ransomware

Victims of the CryptON ransomware can be identified by their files being encrypted and renamed to the format [filename].[id]_[unique_designator]. For example, a variant would rename and encrypt a file named test.jpg as test.jpg.[id]_[unique_designator]. An example of a folder of encrypted files is seen below:
[Image: CryptON encrypted files]

To decrypt files encrypted by the CryptON ransomware, you first need to download the CryptON Decryptor below.

In order to decrypt your files, you need to drag an encrypted file and unencrypted version of the same file onto the decrypt_CryptON.exe icon at the same time. So you would select both the encrypted and unencrypted version of a file and drag them both onto the executable. When trying to find a pair of files to use with the decryptor, you can use the sample pictures found in the C:\Users\Public\Pictures\Sample Pictures folder. Just look at the file sizes and pick an unencrypted sample picture and an encrypted sample picture that have the same size.
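The size comparison described above can also be scripted. This is an added example, not part of the original guide or of the Emsisoft tool: it pairs files of equal size and uses the [filename].[id]_[unique_designator] naming to confirm a match. The function names, the two-folder layout and the sample file names are assumptions constructed for illustration.

```python
import tempfile
from collections import defaultdict
from pathlib import Path


def _by_size(folder):
    """Group the regular files in `folder` by byte size."""
    groups = defaultdict(list)
    for p in Path(folder).iterdir():
        if p.is_file():
            groups[p.stat().st_size].append(p)
    return groups


def find_pairs(clean_dir, encrypted_dir):
    """Return (clean, encrypted, name_confirmed) tuples for equal-size files."""
    # Assumption: known-good copies and renamed files sit in separate folders.
    clean, pairs = _by_size(clean_dir), []
    for size, encs in _by_size(encrypted_dir).items():
        cands = clean.get(size, [])
        for enc in encs:
            # The rename appends to the original name: [filename].[id]_[...]
            named = [c for c in cands if enc.name.startswith(c.name + ".")]
            if named:
                pairs.append((named[0], enc, True))
            elif len(cands) == 1 and len(encs) == 1:
                # Size alone is trusted only when it is unambiguous.
                pairs.append((cands[0], enc, False))
    return sorted(pairs, key=lambda t: (not t[2], t[1].name))


def demo():
    """Run find_pairs on constructed files; the suffix below is made up."""
    suffix = ".id-0000_constructed_"  # constructed, not a real CryptON extension
    clean = [("Koala.jpg", 700), ("Tulips.jpg", 500),
             ("Desert.jpg", 500), ("notes.txt", 300)]
    locked = [("Koala.jpg" + suffix, 700), ("Tulips.jpg" + suffix, 500),
              ("renamed.bin", 500), ("other.dat", 300)]
    with tempfile.TemporaryDirectory() as tmp:
        for sub, files, fill in (("clean", clean, b"A"), ("enc", locked, b"Z")):
            Path(tmp, sub).mkdir()
            for name, size in files:
                Path(tmp, sub, name).write_bytes(fill * size)
        found = find_pairs(Path(tmp, "clean"), Path(tmp, "enc"))
        return [(c.name, e.name, ok) for c, e, ok in found]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Name-confirmed pairs are listed first; a file such as renamed.bin, whose size matches more than one clean file and whose name confirms nothing, is left out rather than guessed at.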

Once the key is discovered that was used to encrypt this pair of files, the same key can then be used to decrypt ALL other files on your computer.

To show what I mean about dragging both files at the same time, see the animated picture below. To create the key, I created a folder on my desktop called Decrypt and copied an encrypted JPG file, its unencrypted counterpart, and the CryptON decryptor into the folder. I then dragged both the regular JPG file and the encrypted one onto the decryptor at the same time.

[Animation: How to drag the files onto the Decrypter]

When the program starts, you will be presented with a UAC prompt as shown below. Please click on the Yes button to proceed. The decrypter will start to brute force the decryption key. This can take quite a long time, so please be patient while the key is discovered.

[Image: brute forcing]

Once a key has been brute forced, the decrypter will display it in a new window like the one below.

[Image: Decryption Key Found]

To start decrypting your files with this key, please click on the OK button. You will then be presented with a license agreement, where you must click on Yes to continue. You will now see the main Decrypter screen that displays a list of drives that will be decrypted. If there are any drive letters missing, please manually add them by clicking on the Add Folder button.

[Image: CryptON Decryptor]

Once you have added all the folders you wish to decrypt, click on the Decrypt button to begin decrypting the CryptON encrypted files. Once you click Decrypt, the program will decrypt all the encrypted files and display the decryption status in a results screen like the one below.

[Image: Decrypting Files]

When it has finished, the Results tab will state Finished! and all of your files should now be decrypted.

[Image: Decryption Finished]

Though your files are now decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted files into one folder so you can delete or archive them.

You can now close the decryptor and use your computer as normal. If you need help using this decrypter, please ask in our CryptON Ransomware Help Topic.

Ransom Note Text:
