.Crypt files – how to approach them?

Maybe you have already come across some form of ransomware: a nasty kind of malware that encrypts your files and holds them for ransom. A sudden notification informs you that your data has been locked, with a promise to unlock it again in exchange for (what else?) money. You check your files and find that they really cannot be opened, and an ominous ".crypt" extension has been added to each of them. You have just become another victim of the CryptXXX ransomware, a very unfriendly Trojan that encrypts files and steals bitcoin. SaferPass will explain what ransomware is and how to counter it, should you ever find yourself in this unlucky situation.

CryptXXX is a Trojan that was discovered in April by researchers from Proofpoint. The security community had no name for it at the time, so they dubbed it CryptXXX after the .crypt file extension it leaves behind. It encrypts files only after a certain delay following the infection itself, which confuses potential victims and makes it harder to identify the websites that spread it.

As soon as it has encrypted every file it can reach, CryptXXX creates three "howtos": a text file stored on the hard drive, an image that the malware sets as the desktop background, and a simple HTML page that opens in your browser. All three contain the same simple information and instructions regarding the situation, together with a ransom demand of up to 500 USD in bitcoin for unlocking the files. The user must then install the Tor browser and visit an onion website on the Dark Web, where additional information about the payment can be found. There is actually an FAQ section there as well; how convenient, right?

Besides the ransom, the malware aims to steal any bitcoin a user may have on their computer and, in some cases, other information that could be of value to the attacker. Unfortunately, for most ransomware there is no universal decryption solution, and victims are often left with paying as their only option. Luckily, this particular one has already met its match: a tool from Kaspersky Lab for restoring encrypted data.

Kaspersky took their own RannohDecryptor, originally written to undo the damage the Rannoh ransomware left in its wake, modified it and added further features; today it can also help victims of CryptXXX. To decrypt your data you need at least one file that was not infected and encrypted by the malware. The more such files you have, the more encrypted ones you can save. You can download RannohDecryptor here: RannohDecryptor for unlocking encrypted files

After downloading and installing, open RannohDecryptor and choose the drives that should be scanned. Do not check the "Delete all encrypted files after decryption" option unless you are positive that your decrypted files can be opened again.

Click "Start scan" and choose the location of an encrypted file for which you also have an unencrypted copy. RannohDecryptor will try to decrypt that file and every other encrypted file that is smaller than the unencrypted original. The larger the unencrypted file you feed to RannohDecryptor, the more .crypt files you will be able to decrypt and save.
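The size rule in these steps is exactly what you get when ransomware reuses one keystream for every file: XORing a surviving original with its encrypted copy reveals the keystream up to the original's length, so any other file no longer than that can be decrypted, and a longer one cannot. The following is an added illustration of that rule, not code from this post or from Kaspersky's tool; the reused-XOR-keystream scheme, the keystream bytes and the victim files are constructed assumptions for the demo and say nothing about CryptXXX's real cipher.

```python
import hashlib

# Constructed stand-in for a keystream the malware reuses for every file on a
# machine: an assumption for this illustration, not CryptXXX's real cipher.
ATTACKER_KEYSTREAM = b"".join(
    hashlib.sha256(b"toy-key-%d" % i).digest() for i in range(16)
)  # 512 deterministic pseudo-random bytes

# Constructed victim files (toy content, not real documents).
FILES = {
    "report.docx": b"quarterly report " * 8,   # 136 bytes; a clean copy survives
    "photo.jpg": b"\xff\xd8 toy jpeg " * 3,    # 36 bytes, smaller than the known file
    "video.mp4": b"toy video frame " * 20,     # 320 bytes, larger than the known file
}

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def simulate_infection(files: dict) -> dict:
    """Encrypt every file with the same keystream (the weakness the decryptor uses)."""
    return {name: xor_bytes(pt, ATTACKER_KEYSTREAM) for name, pt in files.items()}

def decrypt_with_known_file(known_plain: bytes, known_cipher: bytes, encrypted: dict):
    """Known-plaintext recovery with the decryptor's size rule: plaintext XOR
    ciphertext yields the keystream for len(known_plain) bytes, so files no
    larger than the known original are recovered in full; larger ones are skipped."""
    keystream = xor_bytes(known_plain, known_cipher)
    recovered, skipped = {}, []
    for name, ct in encrypted.items():
        if len(ct) > len(keystream):
            skipped.append(name)   # would need keystream bytes we do not have
        else:
            recovered[name] = xor_bytes(ct, keystream)
    return recovered, skipped

def demo():
    """Infect the toy files, then recover using the surviving report.docx copy."""
    encrypted = simulate_infection(FILES)
    return decrypt_with_known_file(FILES["report.docx"], encrypted["report.docx"], encrypted)

if __name__ == "__main__":
    recovered, skipped = demo()
    print("recovered:", sorted(recovered), "skipped:", skipped)
```

Running it recovers report.docx and the smaller photo.jpg but skips video.mp4, which is the same behaviour the post describes for files bigger than the known original.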

This tool works today, but it should not be depended on forever. Cyber-criminals create and use new tools and malware every day, which is why a proactive approach matters more. Back up your data regularly and install critical security updates for your operating systems and browsers. Anti-virus software, a password manager and a dose of common sense are the most powerful resources for securing your online identity and everything connected to it.
