Today, Emsisoft CTO and Malware researcher Fabian Wosar released a free decrypter for the CryptON ransomware family, allowing those that have been infected to free their encrypted files without having to pay a ransom.
Variants of the Russian-originated CryptON ransomware, such as X3M and Nemesis, started to appear on the Bleeping Computer forums from December 2016. All of them seem to be put together using the same “builder”, a term that describes a software application which automates the process of customizing a malware executable.
How the CryptON ransomware works
So far, it appears that all criminals using the CryptON ransomware are infecting systems via RDP (remote desktop services) brute force attacks, which allows them to log into the victim’s server and execute the ransomware.
Once the criminals have access, the malware will delete the system’s recovery points so shadow copies cannot be used to recover the files once encrypted.
Since CryptON does not contain an extension list, it will encrypt all file types on the machine. It does however exclude C:Windows, C:Program Files and the user profile folder from the encryption operation, so that boot operation and other critical processes are not impacted.
For the encryption process, CryptON ransomware relies on AES-256 in CBC mode to lock the victim’s files and derives a key via SHA-256.
Once the files are locked, the malware will append one of the following extensions that are known to the Emsisoft team at the time of writing:
.id-<id>_locked .id-<id>_locked_by_krec .id-<id>_locked_by_perfect .id-<id>_x3m .id-<id>_r9oj .id-<id>[email protected] .id-<id>[email protected]_ .id-<id>[email protected]_ .id-<id>[email protected]_ .id-<id>[email protected]_ .id-<id>_maria[email protected]_
Based on the team’s analysis, all files appear to be 16 bytes larger than the original file once the encryption process is completed.
How CryptON ransomware victims are supposed to pay
Contrary to some of the more sophisticated ransomware strains we have seen recently, CryptON does not seem to have a payment portal that victims are directed to. Instead, victims are expected to contact the ransomware developer via email provided in the ransom note.
How to decrypt CryptON encrypted files using the Emsisoft decrypter
As explained in our thorough ransomware removal guide, it’s critical to follow the right steps when dealing with and removing ransomware. We suggest to read it before attempting any hasty removal attempts.
For infected users that have verified the ransomware type are just looking for the decrypter, you can download it for free on Emsisoft’s decrypter site.