Now's your chance to recover files locked by CryptXXX

Jul 14, 2016 21:05 GMT

If you are one of the people who had their data locked by the CryptXXX ransomware, you might be lucky enough to recover your files for free.

Earlier today, users visiting the TOR-based payment sites of the CryptXXX ransomware discovered that, after logging in with their ID, instead of receiving decryption instructions, they got the actual decryption key, for free, without doing anything.

This didn't happen for all users, but only for victims of the CryptXXX variants that append the .crypz or .cryp1 extension to encrypted files.

Glitch or intentional?

In May, the crooks behind the TeslaCrypt ransomware decided to close shop and released a master key that recovers the files of all infected users. CryptXXX has no such master key: each victim is assigned a different private key, so there is no single key that can unlock everyone's files in one go.

It is currently unknown if the leakage of these keys was done intentionally by CryptXXX's authors or is a server glitch.

Our bet is on the second option, since CryptXXX has been plagued by several encryption routine problems that allowed Kaspersky experts to create decrypters for older versions of the ransomware.

After a quick test across all the CryptXXX versions, Lawrence Abrams from Bleeping Computer summarized which categories of users get a free key at the moment and which do not.

Keys being offered for free

.crypz extension (UltraDecryptor)
Ransom note names: ![victim_id].html, ![victim_id].txt
Example TOR URLs: http://xqraoaoaph4d545r.onion.to, http://xqraoaoaph4d545r.onion.cab, http://xqraoaoaph4d545r.onion.city

.cryp1 extension (UltraDecryptor)
Ransom note name: ![victim_id].html
Example TOR URLs: http://eqyo4fbr5okzaysm.onion.to, http://eqyo4fbr5okzaysm.onion.cab, http://eqyo4fbr5okzaysm.onion.city

Keys NOT being offered for free

.crypt extension (UltraDeCrypter)
Ransom note names: [victim_id].html, [victim_id].txt
Example TOR URLs: http://klgpco2v6jzpca4z.onion.to, http://klgpco2v6jzpca4z.onion.cab, http://klgpco2v6jzpca4z.onion.city

.crypt extension (Google Decryptor)
Ransom note names: !Recovery_[victim_id].html, !Recovery_[victim_id].txt
Example TOR URLs: http://2zqnpdpslpnsqzbw.onion.to, http://2zqnpdpslpnsqzbw.onion.cab, http://2zqnpdpslpnsqzbw.onion.city

Random extension (UltraDecryptor)
Ransom note names: @[victim_id].html, @[victim_id].txt
Example TOR URLs: 2mpsasnbq5lwi37r.onion.to, 2mpsasnbq5lwi37r.onion.cab, 2mpsasnbq5lwi37r.onion.city

No extension (Microsoft Decryptor)
Ransom note names: README.html, README.txt
Example TOR URLs: http://ccjlwb22w6c22p2k.onion.to, http://ccjlwb22w6c22p2k.onion.city

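Telling the variants apart by hand is error-prone, because the .crypt extension belongs to two different builds and the .crypz and .cryp1 builds share the same ransom note name. The following triage script is an added example, not code from this article or from Bleeping Computer: it encodes the extension, ransom note and payment portal table above and, given a directory listing, reports which variant produced it, the victim ID from the note name, the first portal mirror listed for that variant, and whether that variant was among those handing out keys for free. Two things it assumes are not stated on the page and are marked in the code: victim IDs are hexadecimal strings of at least eight characters, and encrypted files carry the new extension appended after the original one. The sample listings at the bottom are constructed, not real victim data.

```python
"""Triage helper for a CryptXXX-encrypted directory listing.

Added example; this is not code from the article or from Bleeping Computer.
It encodes the extension / ransom-note / payment-portal table from the article
and reports which CryptXXX variant produced a set of file names and whether
that variant was handing out keys for free. Assumptions not stated on the
page: victim IDs are hexadecimal strings of at least 8 characters, and
encrypted files carry the new extension appended after the original one.
"""
import re
from typing import Iterable, NamedTuple, Optional


class Variant(NamedTuple):
    name: str            # label used in the article
    ext: Optional[str]   # encrypted-file extension; None = unchanged, "random" = arbitrary
    note_re: str         # ransom note file name pattern; group "id" captures the victim ID
    portal: str          # onion hostname of the payment site
    free_key: bool       # keys were being handed out for free on 2016-07-14


HEX_ID = r"(?P<id>[0-9A-Fa-f]{8,})"  # assumed shape of a victim ID (not from the page)

# Table from the article, most specific ransom-note pattern first. .crypz and
# .cryp1 share the "![id]" note name, so the encrypted-file extension is what
# separates them; README.* carries no ID and is the weakest signal of the six.
VARIANTS = [
    Variant(".crypz (UltraDecryptor)", ".crypz", rf"^!{HEX_ID}\.(html|txt)$", "xqraoaoaph4d545r", True),
    Variant(".cryp1 (UltraDecryptor)", ".cryp1", rf"^!{HEX_ID}\.html$", "eqyo4fbr5okzaysm", True),
    Variant(".crypt (Google Decryptor)", ".crypt", rf"^!Recovery_{HEX_ID}\.(html|txt)$", "2zqnpdpslpnsqzbw", False),
    Variant(".crypt (UltraDeCrypter)", ".crypt", rf"^{HEX_ID}\.(html|txt)$", "klgpco2v6jzpca4z", False),
    Variant("random extension (UltraDecryptor)", "random", rf"^@{HEX_ID}\.(html|txt)$", "2mpsasnbq5lwi37r", False),
    Variant("no extension (Microsoft Decryptor)", None, r"^README\.(html|txt)$", "ccjlwb22w6c22p2k", False),
]
FIXED_EXTS = {".crypz", ".cryp1", ".crypt"}


def classify(filenames: Iterable[str]) -> Optional[dict]:
    """Return variant / victim ID / portal / free-key info for a listing, or
    None when no ransom note from the table is present or the note name and
    the file extensions contradict each other."""
    names = list(filenames)
    # Extensions seen in the listing, lower-cased ("report.docx.crypt" -> ".crypt").
    exts = {"." + n.rsplit(".", 1)[1].lower() for n in names if "." in n}
    for v in VARIANTS:
        hits = [m for m in (re.match(v.note_re, n, re.IGNORECASE) for n in names) if m]
        if not hits:
            continue
        # A note name alone is not enough for the fixed-extension variants:
        # require at least one file that actually carries that extension.
        if v.ext in FIXED_EXTS and v.ext not in exts:
            continue
        return {
            "variant": v.name,
            "victim_id": hits[0].groupdict().get("id"),
            "free_key": v.free_key,
            # First of the gateway mirrors the article lists for this variant.
            "portal": f"http://{v.portal}.onion.to",
        }
    return None


# Constructed sample listings (not real victim data).
SAMPLE_CRYP1 = ["budget.xlsx.cryp1", "photo.jpg.cryp1", "!1A2B3C4D5E6F7A8B.html"]
SAMPLE_GOOGLE = ["report.docx.crypt", "!Recovery_0123ABCD4567EF89.html", "!Recovery_0123ABCD4567EF89.txt"]
SAMPLE_RANDOM = ["photo.jpg.a1b2c", "@DEADBEEF00112233.html", "@DEADBEEF00112233.txt"]
SAMPLE_CLEAN = ["notes.txt", "index.html", "deadbeef.html"]

if __name__ == "__main__":
    for label, listing in [("cryp1", SAMPLE_CRYP1), ("google", SAMPLE_GOOGLE),
                           ("random", SAMPLE_RANDOM), ("clean", SAMPLE_CLEAN)]:
        print(label, classify(listing))
```

Feed it the output of os.listdir() on an affected folder. A listing with .crypt files and a bare ![victim_id].html note deliberately comes back as None rather than guessing, since that combination matches none of the rows in the table; the same goes for a plain directory that happens to contain a hex-named HTML file but no encrypted extension.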
Users who need help with the decryption routine can visit the Bleeping Computer forum thread where users first spotted this "freebie."

Images: Free CryptXXX decryption keys available online; User receiving a CryptXXX decryption key