News

December 21, 2016

If you are a CryptXXX ransomware victim who didn't pay the ransom and instead decided to keep your encrypted files and ransom notes in the hope of a future fix, you are in luck. Today, Kaspersky announced that they have updated their RannohDecryptor utility to decrypt CryptXXX encrypted files that have the .crypt, .cryp1, and .crypz extensions.

We have been monitoring CryptXXX since it was released in April 2016 and it has become one of the most widely reported ransomware families in our forums. Kaspersky has seen this as well, with their customers having been attacked by CryptXXX at least 80,000 times since April 2016. According to a press release by Kaspersky, more than half were found in six countries: US, Russia, Germany, Japan, India and Canada.
Figure: CryptXXX Attacks by Country since April 2016

Though Kaspersky was able to retrieve many of the decryption keys for the CryptXXX ransomware, not all of them were recovered. This means that even if you have a supported variant of CryptXXX, there is no guarantee that the decryptor will be able to decrypt your files. If you are affected by the .crypt, .cryp1 or .crypz variants, it is definitely worth giving this tool a try.

How to use RannohDecryptor to decrypt CryptXXX Files

To use RannohDecryptor to decrypt compatible CryptXXX encrypted files, you need to download it from Kaspersky's site. Once it is downloaded, extract the ZIP file and double-click on the RannohDecryptor.exe executable. This will launch the main screen as shown below.

Figure: RannohDecryptor Screen

To check whether your files can be decrypted, click on the Start scan button and you will be prompted to select an encrypted file.

Figure: Select an Encrypted File

Select an encrypted .crypt, .cryp1 or .crypz file and then press the Open button. RannohDecryptor will now ask you to select a ransom note.

Figure: Select a Ransom Note

At the above screen, click on the OK button and you will be prompted to select a ransom note. When CryptXXX infects a victim's computer, it creates both a .txt and .html ransom note file in the same folder as encrypted files. When I tested RannohDecryptor against CryptXXX, I found that it did a better job retrieving your unique ID from the text files rather than the HTML files. Therefore, I recommend you select the TXT ransom note.

Once you have selected the ransom note, the decryptor will check if it has a decryption key that can be used for your files. If it does not, it will state that it cannot decrypt your files. Otherwise, it will begin searching your computer for encrypted files to decrypt.

Figure: Scanning for Encrypted Files

This scan and decryption process can take quite a while, so please be patient. While it runs, you can click on the Report button to see the status of the decryption as shown below.

Figure: Decryption Report

When the program has finished decrypting the files on the computer, you can review the log and then close the program. Your files should now be decrypted and usable in your programs.
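
Before running the decryptor, it helps to know how many files of each supported extension are present and which folder holds both an encrypted file and a TXT ransom note to hand to the tool. The script below is an added example, not part of the original article or of Kaspersky's utility. It assumes that the .txt and .html notes share a base name, and its file names and the inventory and build_sample_tree helpers are made up for illustration.

```python
import os
import tempfile
from collections import Counter

# Extensions the article lists as supported by the updated RannohDecryptor.
ENCRYPTED_EXTS = {".crypt", ".cryp1", ".crypz"}


def inventory(root):
    """Return (per-extension counts, [(encrypted_sample, txt_note), ...]).

    Assumption (not from the article): the .txt and .html ransom notes share
    a base name, so a .txt with a same-named .html beside it is the likely note.
    """
    counts, candidates = Counter(), []
    for folder, _dirs, files in os.walk(root):
        encrypted, txt, html = [], {}, set()
        for name in sorted(files):
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in ENCRYPTED_EXTS:
                counts[ext] += 1
                encrypted.append(name)
            elif ext == ".txt":
                txt.setdefault(stem.lower(), name)
            elif ext == ".html":
                html.add(stem.lower())
        notes = [txt[s] for s in sorted(txt) if s in html]
        if encrypted and notes:
            candidates.append((os.path.join(folder, encrypted[0]),
                               os.path.join(folder, notes[0])))
    return counts, sorted(candidates)


def build_sample_tree(root):
    """Constructed sample data: empty files with made-up names."""
    layout = {
        "docs": ["report.docx.crypt", "budget.xlsx.cryp1", "todo.txt",
                 "note_sample.txt", "note_sample.html"],
        "pics": ["photo.jpg.crypz", "photo2.jpg.CRYPZ"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            open(os.path.join(root, sub, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        counts, candidates = inventory(tmp)
        print(dict(counts), candidates)
```

The script only reads directory listings, so it can be pointed at a stored copy of the encrypted files without modifying them.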

News Courtesy: https://www.bleepingcomputer.com/news/security/kaspersky-updates-rannohdecryptor-to-decrypt-cryptxxxs-crypt-cryp1-and-crypz-extensions/