Emsisoft releases free decrypter for CryptON ransomware

Today, Emsisoft CTO and Malware researcher Fabian Wosar released a free decrypter for the CryptON ransomware family, allowing those that have been infected to free their encrypted files without having to pay a ransom.

Variants of the Russian-originated CryptON ransomware, such as X3M and Nemesis, started to appear on the Bleeping Computer forums from December 2016. All of them seem to be put together using the same “builder”, a term that describes a software application which automates the process of customizing a malware executable.

How the CryptON ransomware works

So far, it appears that all criminals using the CryptON ransomware are infecting systems via RDP (remote desktop services) brute force attacks, which allows them to log into the victim’s server and execute the ransomware.

Once the criminals have access, the malware will delete the system’s recovery points so shadow copies cannot be used to recover the files once encrypted.

Since CryptON does not contain an extension list, it will encrypt all file types on the machine. It does, however, exclude C:\Windows, C:\Program Files and the user profile folder from the encryption operation, so that booting and other critical processes are not impacted.

For the encryption process, CryptON ransomware relies on AES-256 in CBC mode to lock the victim’s files and derives a key via SHA-256.

Once the files are locked, the malware will append one of the following extensions that are known to the Emsisoft team at the time of writing:

.id-<id>_locked
.id-<id>_locked_by_krec
.id-<id>_locked_by_perfect
.id-<id>_x3m
.id-<id>_r9oj
.id-<id>[email protected]
.id-<id>[email protected]_
.id-<id>[email protected]_
.id-<id>[email protected]_
.id-<id>[email protected]_
.id-<id>[email protected]_

Based on the team’s analysis, all files appear to be 16 bytes larger than the original file once the encryption process is completed.
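As an added triage example (not Emsisoft's tool or code), the script below matches file names against the extension patterns listed above and checks the 16-byte size growth the post reports against a known-good copy. The victim id and attacker e-mail addresses are redacted on this page, so the e-mail-style extension is matched loosely; that looser shape and the sample file names are assumptions constructed for the example.

```python
import re
from collections import Counter

# Extension patterns from the post. The victim id and the attacker e-mail
# addresses are redacted on the page, so the e-mail forms are matched
# loosely here; that looser shape is an assumption of this example.
CRYPTON_EXT_RE = re.compile(
    r"\.id-(?P<vid>[^_.\[\]]+)"
    r"(?P<variant>_locked_by_krec|_locked_by_perfect|_locked|_x3m|_r9oj"
    r"|_?\[?[^\[\]\s]+@[^\[\]\s]+\]?_?)$"
)

# Observation from the post: every encrypted file is exactly 16 bytes
# larger than the original.
CRYPTON_SIZE_DELTA = 16


def classify(filename: str):
    """Return (victim_id, variant) if the name carries a CryptON-style
    extension from the list above, else None."""
    m = CRYPTON_EXT_RE.search(filename)
    if not m:
        return None
    return m.group("vid"), m.group("variant")


def original_name(filename: str) -> str:
    """Strip the appended CryptON extension to recover the original name."""
    return CRYPTON_EXT_RE.sub("", filename)


def tally_variants(filenames):
    """Count encrypted files per variant for a quick triage report."""
    counts = Counter()
    for name in filenames:
        hit = classify(name)
        if hit:
            counts[hit[1]] += 1
    return counts


def size_delta_consistent(original_size: int, encrypted_size: int) -> bool:
    """True if the growth matches the 16-byte delta the post reports."""
    return encrypted_size - original_size == CRYPTON_SIZE_DELTA


# Constructed sample listing (not real victim data).
SAMPLE = [
    "report.docx.id-1234567890_locked",
    "photo.jpg.id-1234567890_x3m",
    "db.bak.id-1234567890_locked_by_krec",
    "notes.txt",
    "budget.xlsx.id-1234567890_[attacker@example.invalid]_",
]

if __name__ == "__main__":
    print(tally_variants(SAMPLE))
```

A matched extension together with a 16-byte size difference against a backup copy is a quick sanity check that the sample really belongs to this family before running the decrypter.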

How CryptON ransomware victims are supposed to pay

Contrary to some of the more sophisticated ransomware strains we have seen recently, CryptON does not seem to have a payment portal that victims are directed to. Instead, victims are expected to contact the ransomware developer via email provided in the ransom note.

How to decrypt CryptON encrypted files using the Emsisoft decrypter

As explained in our thorough ransomware removal guide, it’s critical to follow the right steps when dealing with and removing ransomware. We suggest reading it before attempting any hasty removal.

Infected users who have verified the ransomware type and are just looking for the decrypter can download it for free on Emsisoft’s decrypter site.


  • Sam G

    Hi! In your experience, after a successful ransomware infection and cleanup, is it possible for the ransomware to leave any kind of backdoor?

    As a follow-up, is it possible to leave any sort of backdoor on the PC after using your decryption software? How about after a full restore from backup? How about after paying the ransom instead?

    • Hi Sam. Thanks for the questions. To address your last question first: we do not recommend paying the ransom not only because it supports the business of creating ransomware, but also because victims have no guarantee that their files will be decrypted correctly or decrypted at all.

      Our decrypter tools only decrypt the encrypted files; they have nothing to do with the initial infection that occurred in the first place. So while the majority of ransomware only encrypts your files, there are no guarantees that it hasn’t changed other processes as part of the infection.

      This is why our advice is to invest in proper prevention so you don’t get infected in the first place. For businesses, this includes proper IT procedures and policies to ensure robust server protection, and high quality endpoint protection such as Emsisoft Anti-Malware to alert users before an infected file or document can be executed.

  • Mac

    Are you aware of a new version of this virus?

    We have been infected with a ransomware that creates the extension .ID followed by 10 numbers; the 10 numbers are your ‘Customer ID’ number that is given in the ‘HOW TO DECRYPT FILES.html’ ransom note.

    I have searched the internet and can find no trace of this extension or wording of the ransom file.

    It also had an e-mail address of [email protected]. Google gave no responses, so I presume this is a new incarnation.

    Please be advised that after uploading this to various sites for identification, I am getting different feedback. One site has suggested that this requires your CryptON decrypter, and it does nothing. Another site said it was Cerber version 5.1, for which there is no decryption available.

    Very frustrated and confused. Interestingly, I have corresponded with the ‘person’ at the end of the e-mail and was provided with a human response, so he is live right now! He was not interested in any negotiation and just wanted $2000 to release my data!

    I have his bitcoin wallet number and have reported it to the police, but thought we had better let you guys know. Is it just me, or do I get the distinct impression that these ransomware viruses are now being sold on the under web with ‘templates’ that allow the purchaser to simply set up a fake e-mail address, adjust the ransom note and spam out some infected e-mails, and they are in business?

    We really need to catch these guys, they are basically terrorists and fraudsters all rolled into one.

  • yan sieng ng

    I have the same symptoms described in this blog post, but the file extension is different. Can someone help?

    This is the file extension:
    .id-353xxxxxxx_[[email protected]].xj5v2

  • Nicola

    Hi everybody, my PC was infected by a ransomware just two days ago. Unfortunately it was my girlfriend who powered on the PC after the infection, so I couldn’t see what first appeared as the warning window.
    However, I’m sure I’m infected since on my desktop I have some .txt files named “your files are locked” and they give the instructions to pay through the usual bitcoin (0.75).
    All encrypted files have kept their original extension. I found an ntwsys.exe in AppData->Roaming->Microsoft and two txt files listing all files involved in the encryption.
    I searched back through the history of my last downloads and I’m pretty sure I’ve isolated the .exe file that let the ransomware spread: nobody executed that EXE, it was just downloaded!

    I found on the web that I might have got the latest version of PClock… so there seems to be no solution at this time.

    I also have some original copies of now-encrypted files. Does anybody know if there is some chance to work out which encryption key was used, using both the encrypted files and the EXE file?