Crypt38 ransomware had a short life, is already defeated

Jun 17, 2016 21:20 GMT  ·  By

A new ransomware family called Crypt38 uses a simple encryption routine that allowed Fortinet researchers to reverse-engineer the process and find a method of unlocking files.

Named Crypt38 because it appends the .crypt38 extension to all encrypted files, this ransomware's infection method is currently unknown.

What we know is that the ransomware seems to be targeting only Russian users at the moment, and based on the simplistic encryption routine and low ransom demand, it may be in the testing phase, and users might get to see a much more powerful version in the upcoming future.

Crypt38 ransomware only asks for $15

Right now, the ransomware only asks for 1,000 Rubles (~$15) and doesn't require users to access a decryption website. To unlock files, infected users only have to send an email to the ransomware's author, which will reply with payment details and decryption details.

Fortinet says that, during the infection process, the ransomware generates a 12-digit random number to identify each user.

It then takes this ID, runs it through a mathematical operation, appends "6551" at the end of the result and uses the final number as the encryption key.

Simple symmetric encryption process doomed the ransomware's chances of success

The problem is that the ransomware's author didn't use an asymmetric encryption, opting for a symmetric algorithm. This means the encryption key is also the decryption key.

Since Fortinet researchers managed to crack the encryption routine, they say that, by taking a look at each victim's ID number, they could compute the encryption/decryption key.

The good part is that, for each user, the ransomware shows the victim's ID on the screen, in the ransom note, which means all the details to decrypt user files are out in the open.

Since Fortinet hasn't provided a publicly available decrypter, at the moment, infected users should try to get in contact with the company in order to recover their files.

UPDATE: In just a few minutes after publication, Michael Gillespie created a free decryption key generator for Crypt38, which is available for download via Bleeping Computer. Users can enter their ID, and the keygen will spit out a decryption key. Before using the decryption key, users should back up their data first, in case the decryption process fails.

Crypt38 ransomware ransom note
Crypt38 ransomware ransom note

Photo Gallery (2 Images)

Crypt38 ransomware is decryptable
Crypt38 ransomware ransom note
Open gallery