<p><strong>How to beat CryptXXX ransomware</strong></p>
<p>Published 26 April 2016 (updated 26 February 2020). Original post: <a href="https://www.kaspersky.co.za/blog/de-cryptxxx/5502/">https://www.kaspersky.co.za/blog/de-cryptxxx/5502/</a></p>
<p>At the end of March a previously undocumented ransomware strain started making the rounds; <a href="https://www.proofpoint.com/us/threat-insight/post/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler" target="_blank" rel="noopener nofollow">experts codenamed it</a> CryptXXX. It has little to do with “adult” themes, although the ransom it demands is decidedly “grown-up”: Bitcoins worth $500. It claims to use a strong encryption algorithm, but Kaspersky Lab already has <a href="https://www.kaspersky.com/about/news/virus/2016/CryptXXX-has-been-decrypted-Kaspersky-Lab-releases-a-new-tool-to-free-encrypted-files" target="_blank" rel="noopener nofollow">the cure</a>.</p>
<p><strong>Greedy</strong></p>
<p>CryptXXX is being pushed via the notorious Angler exploit kit. It adds the .crypt extension to every encrypted file, which makes it instantly recognizable, and drops three files: de_crypt_readme.bmp (an image file), de_crypt_readme.txt and de_crypt_readme.html. These display the usual intimidating “all your files belong to us” message, together with instructions for contacting the criminals and paying the ransom. Victims are told that the encryption algorithm used is RSA4096 (a strong one), so they should abandon all hope and pay up. They are even given personal IDs and links where they can buy Bitcoin if they have none.</p>
<p>The encryption itself doesn’t start immediately; the ransomware “gets to work” a couple of hours or so after the initial infection, so that users cannot easily tell which site “served” the cryptor. It is also worth mentioning that CryptXXX not only encrypts files but also steals Bitcoins kept on the victim’s hard drive and copies other data, which can be useful to cybercriminals as greedy as these.</p>
<p>Not just greedy but boastful too: it turned out that the vaunted RSA4096 algorithm simply isn’t there. For our part, we have prepared a decryption tool: the <a href="https://support.kaspersky.com/viruses/disinfection/8547" target="_blank" rel="noopener">RannohDecryptor</a> utility, originally created to decrypt files affected by the Rannoh ransomware, can be used against CryptXXX too.</p>
<blockquote class="twitter-tweet" data-width="500" data-dnt="true">
<p lang="en" dir="ltr">#Alert We've got a #decryptor for those infected with #CryptXXX #Ransomware #infosec <a href="https://t.co/MTtTKQom79" target="_blank" rel="noopener nofollow">https://t.co/MTtTKQom79</a> <a href="https://t.co/N56Wof2BZY" target="_blank" rel="noopener nofollow">pic.twitter.com/N56Wof2BZY</a></p>
<p>— Kaspersky (@kaspersky) <a href="https://twitter.com/kaspersky/status/724652181580853249?ref_src=twsrc%5Etfw" target="_blank" rel="noopener nofollow">April 25, 2016</a></p>
</blockquote>
<p><strong>Saving it</strong></p>
<p>To recover your files, you need at least one original (unencrypted) copy of an encrypted file. If you have such files in a backup, this will work.</p>
<p>Then do the following:</p>
<ol>
<li><a href="http://media.kaspersky.com/utilities/VirusUtilities/RU/rannohdecryptor.exe" target="_blank" rel="noopener nofollow">Download</a> the tool and launch it.<br>
<img loading="lazy" decoding="async" class="aligncenter size-full wp-image-5503" src="https://media.kasperskydaily.com/wp-content/uploads/sites/103/2016/04/06022359/cryptxxx-screenshot-1.png" alt="cryptxxx-screenshot-1" width="489" height="444"></li>
<li>Open Settings and choose the drive types (removable, network or hard drive) to scan. Don’t check the “Delete crypted files after decryption” option until you are 100% sure that the decrypted files open properly.</li>
<li>Click the “Start scan” link and choose the encrypted .crypt file for which you also have an unencrypted copy.<br>
The tool will then ask for the original file.</li>
<li>RannohDecryptor then searches for all other files with the .crypt extension and tries to decrypt every one that is smaller than your original. The bigger the file you feed to the utility, the more files can be decrypted.</li>
</ol>
<p>Users of Kaspersky Lab solutions are further protected, because the Angler exploit kit used to deliver CryptXXX is detected at an early stage of infection by the <a href="http://support.kaspersky.com/11237#block1" target="_blank" rel="noopener">Automatic Exploit Prevention</a> technology in those solutions.</p>
<p><strong>Businesses are threatened as well</strong></p>
<p>Ransomware is mostly an end-user problem. However, businesses get hit too, and hit hard, especially smaller companies where every employee is their own “admin” because an external expert is not yet affordable. A successful ransomware attack can drive an entire company out of business.</p>
<p>Besides, a new threat is looming: server-side ransomware has already been identified (see <a href="https://business.kaspersky.com/jboss-flaw/5495/" target="_blank" rel="noopener nofollow">yesterday’s post</a>), and a large number of organizations have already fallen victim.</p>
<p>Some strains of ransomware can be decrypted; but where CryptXXX and <a href="https://business.kaspersky.com/ransomfails/5470/" target="_blank" rel="noopener nofollow">some others fail</a>, the likes of the more advanced and dangerous TeslaCrypt prevail, and you never know what you will be dealing with tomorrow. The proper approach here is prevention, not remediation.</p>
<p>The following rules are the most basic, but also the most effective:</p>
<ul>
<li>Make backups regularly.</li>
<li>Don’t put off installing critical updates for your OS and browsers. Angler and the other exploit kits used to deliver cryptors leverage software vulnerabilities to download and install the ransomware.</li>
<li>Install a proper security solution. Kaspersky Lab offers a number of solutions tailored for <a href="https://www.kaspersky.com/business-security" target="_blank" rel="noopener nofollow">businesses</a> of <a href="https://www.kaspersky.com/enterprise-security" target="_blank" rel="noopener nofollow">all sizes</a>, providing the necessary multilayered protection against known and unknown threats.</li>
</ul>
<p>We’d also like to recommend the <a href="http://www.csmonitor.com/World/Passcode/Passcode-Voices/2016/0420/How-to-avoid-becoming-the-next-victim-of-ransomware" target="_blank" rel="noopener nofollow">new column</a> by Ryan Naraine, head of the Global Research and Analysis Team at Kaspersky Lab USA, on how to avoid falling victim to ransomware.</p>
<p>We would also like to offer our practical guide “Could Your Business Survive A Cryptor”. To get your copy, kindly fill out the form below.</p>