CrySis Ransomware Master Decryption Keys Released

starbuck

Malware Removal Specialist - Administrator


The threat posed by a ransomware family known as CrySis was diminished considerably on Sunday when the master decryption keys were released to the public.

Researchers at Kaspersky Lab said they have already folded the keys into the company’s Rakhni decryptor and victims of CrySis versions 2 and 3 now have a means of recovering their lost files.

The key was posted at 1 a.m. Eastern time to the BleepingComputer.com forums by a user known only as crss7777, said founder Lawrence Abrams.
Abrams speculates that it could have been the ransomware developer who posted the key on the site’s CrySis support forum page; the post included a Pastebin link to a header file written in C that contains the master decryption keys and instructions on how to use them.
“Though the identity of crss7777 is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware,” Abrams said.
“Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.”

CrySis surfaced in February after a report by researchers at Eset said the ransomware was quickly gaining favor from hackers after the decryption of TeslaCrypt ransomware.
CrySis spread via email attachments with double file extensions or through links in spam messages.
It was also found lurking in Trojanized versions of freely available software such as compression programs like WinRAR.
Like most ransomware, it could encrypt a large number of file types and sought to encrypt data stored on shared drives.
Documents encrypted by CrySis have their filenames changed to include a .xtbl extension and an email address, similar to [filename].id-[id].[email_address].xtbl, BleepingComputer said.
Kaspersky researchers said CrySis accounted for 1.15 percent of ransomware infections this year, with most of the victims found in Russia, Japan, South and North Korea, and Brazil.
A number of virulent ransomware families have been extinguished this year, including CryptXXX, TeslaCrypt, Chimera, Jigsaw and others.


Source:
https://threatpost.com/crysis-ransomware-master-decryption-keys-released/121942/
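
For responders inventorying affected files, the rename pattern quoted above, [filename].id-[id].[email_address].xtbl, can be parsed to recover original names and group files by id and contact address. This is an added example, not part of the original post or article; the sample paths, ids and addresses are constructed, and it assumes the id itself contains no dots.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Pattern from the article: [filename].id-[id].[email_address].xtbl
# Assumption: the id contains no dots. The greedy name group binds to the
# LAST ".id-" marker, so original names that contain ".id-" survive intact.
CRYSIS_NAME = re.compile(
    r"^(?P<name>.+)\.id-(?P<id>[^.]+)\.(?P<email>[^@\s]+@[^@\s]+)\.xtbl$",
    re.IGNORECASE,
)

def parse_crysis_name(path):
    """Return (original_name, id, contact_email) or None if no match."""
    m = CRYSIS_NAME.match(PureWindowsPath(path).name)
    if not m:
        return None
    # Lower-case the address so case variants group together.
    return m.group("name"), m.group("id"), m.group("email").lower()

def triage(paths):
    """Group renamed files by (id, contact email) for recovery planning."""
    hits, skipped = defaultdict(list), []
    for p in paths:
        parsed = parse_crysis_name(p)
        if parsed is None:
            skipped.append(p)  # e.g. a bare .xtbl file without the id/email parts
            continue
        name, vid, email = parsed
        original = str(PureWindowsPath(p).with_name(name))
        hits[(vid, email)].append((p, original))
    return dict(hits), skipped

# Constructed sample listing (ids and addresses are made up).
SAMPLE = [
    r"C:\Users\a\Documents\budget.xlsx.id-1A2B3C4D.helper@example.com.xtbl",
    r"C:\Users\a\Documents\scan.id-card.pdf.id-1A2B3C4D.helper@example.com.xtbl",
    r"\\fileserver\share\plan.docx.id-9F8E7D6C.Helper@example.com.xtbl",
    r"C:\Users\a\Documents\notes.xtbl",
    r"C:\Users\a\Documents\readme.txt",
]

if __name__ == "__main__":
    hits, skipped = triage(SAMPLE)
    for (vid, email), files in sorted(hits.items()):
        print(f"id={vid} contact={email} files={len(files)}")
        for renamed, original in files:
            print(f"  {renamed} -> {original}")
    print("not matching the pattern:", skipped)
```
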
 