A new tool against ransomware available for free

May 2, 2017 19:33 GMT

The fight against ransomware has scored another win: Emsisoft has released a new decrypter for free. This time, the decrypter works on the Cry128 strain from the CryptON ransomware family.

Strains of the CryptON ransomware, such as X3M and Nemesis, started popping up back in December of last year. Security researchers claim they are all put together using the same builder, a software application that automates the process of customizing a malware executable. The Cry128 strain that can now be decrypted with this free tool began appearing on April 22, 2017, so it's rather fresh.

How does Cry128 work?

Emsisoft researchers state that the CryptON ransomware family generally infects systems via brute-force attacks on remote desktop services, which allow the attackers to log into the victim's server and execute the ransomware.
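The brute-force-then-logon pattern described above leaves a trace in the Windows Security log. The following is an added example, not code from Emsisoft or the original article: it scans constructed records modeled on Event ID 4625 (failed logon) and 4624 (successful logon) and flags source addresses that produce a burst of remote logon failures, noting any successful logon that follows. The thresholds, record layout and sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624      # Windows Security event IDs
REMOTE_LOGON_TYPES = {3, 10}      # 10 = RemoteInteractive; 3 = Network (RDP with NLA)
THRESHOLD = 5                     # assumed: failures needed to flag a source
WINDOW = timedelta(minutes=2)     # assumed: sliding window for the burst

# Constructed sample records: (timestamp, event id, logon type, source IP, account)
SAMPLE_EVENTS = (
    [(f"2017-05-01T03:10:{s:02d}", FAILED, 3, "203.0.113.50", "administrator")
     for s in range(0, 60, 6)]
    + [("2017-05-01T03:11:05", SUCCESS, 10, "203.0.113.50", "administrator"),
       ("2017-05-01T08:00:00", FAILED, 10, "198.51.100.7", "alice"),
       ("2017-05-01T08:00:20", SUCCESS, 10, "198.51.100.7", "alice")]
)

def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: {"failures": n, "logons_after_burst": [accounts]}}."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    findings = {}
    for ts, event_id, logon_type, ip, account in sorted(events):
        if logon_type not in REMOTE_LOGON_TYPES:
            continue              # ignore local, service and batch logons
        when = datetime.fromisoformat(ts)
        if event_id == FAILED:
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                hit = findings.setdefault(
                    ip, {"failures": 0, "logons_after_burst": []})
                hit["failures"] = max(hit["failures"], len(q))
        elif event_id == SUCCESS and ip in findings:
            # A success from an already-flagged source deserves immediate review.
            accounts = findings[ip]["logons_after_burst"]
            if account not in accounts:
                accounts.append(account)
    return findings

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

A single mistyped password followed by a normal logon, as in the second constructed source, stays below the threshold and is not reported.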

"Once the criminals have access, the malware will delete the system’s recovery points so shadow copies cannot be used to recover the files once encrypted. Since Cry128 does not contain an extension list, it will encrypt all file types on the machine. It does, however, exclude C:\Windows, C:\Program Files and the user profile folder from the encryption operation, so that boot operation and other critical processes are not impacted," the company mentions.

The Cry128 strain relies on a modified version of AES that works on 128-byte blocks with 1024-bit keys in ECB mode. Once the malware encrypts a file, the file appears to be 16 bytes larger than the original.

The Cry128 ransomware uses a payment portal that's hosted on Tor and tor2web links.

If you've fallen victim to this ransomware, don't despair and don't pay the fees requested from you. The decrypter is available for free download from Emsisoft's site, although we do advise people to go through the removal guide first.