April 27, 2016

CryptXXX has been decrypted: Kaspersky Lab releases a new tool to free encrypted files

As part of Kaspersky Lab’s ongoing commitment to protect users from the latest ransomware, Fedor Sinitsyn, Senior Malware Analyst at the company, has developed a decryption tool to help victims of CryptXXX restore encrypted files

The particularly malicious CryptXXX ransomware targets Windows devices in order to lock files, copy data and steal bitcoins.

The CryptXXX ransomware reaches Internet users via spam emails, which carry infected attachments or links to malicious websites, and via web pages hosting the Angler Exploit Kit. Upon execution, the ransomware encrypts the infected system’s files and appends a .crypt extension to each filename. Victims are told that their files have been encrypted with RSA-4096, a strong encryption algorithm, and a ransom in bitcoins is demanded if they wish to recover their data.

With more than 50 families of ransomware currently in the wild, there is no single universal method to counter the threat or the impact of attacks. In the case of CryptXXX, however, the criminals’ claim about RSA-4096 turned out to be an empty boast, and Kaspersky Lab was able to develop a decryption tool, which is now available for download.

Thanks to this work, victims whose systems have been hit by CryptXXX can recover their files without paying the ransom. To decrypt the affected files, the Kaspersky Lab utility needs the original, unencrypted version of at least one file that CryptXXX has encrypted; such a copy can often be found on a portable drive or in cloud storage.
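The press release does not describe CryptXXX's actual encryption scheme or how the Kaspersky Lab utility works, so the following is an added illustration, not the vendor's code, of the general principle behind a "bring one original file" decryptor: when a ransomware family reuses one keystream across every file, XOR-ing a known original against its encrypted copy reveals that keystream, and the keystream then unlocks every other file up to the length of the original. The keystream generator, the file names and contents, and the attacker key are all constructed for the example.

```python
"""
Known-plaintext recovery against a hypothetical ransomware that reuses a
single keystream for every file. This is a constructed illustration of the
kind of weakness that makes "supply one original file" decryptors possible;
it is NOT CryptXXX's actual algorithm, which the press release does not give.
"""
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    """Hypothetical keystream: SHA-256 in counter mode under a fixed key.
    Any stream cipher run with a fixed key and nonce behaves the same way."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def weak_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """The flawed 'ransomware' step: same key, same keystream, every file."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext step: P xor C = keystream, as far as the original reaches."""
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted copies must be the same size")
    return xor_bytes(original, encrypted)


def decrypt_with_keystream(ks: bytes, encrypted: bytes) -> bytes:
    """Apply recovered keystream; refuse if the file is longer than what we know."""
    if len(encrypted) > len(ks):
        raise ValueError(
            f"ciphertext is {len(encrypted)} bytes but only {len(ks)} bytes of "
            "keystream are known; supply a larger original file")
    return xor_bytes(encrypted, ks[: len(encrypted)])


# Constructed victim files (hypothetical contents).
VICTIM_FILES = {
    "report.docx": b"Quarterly report: revenue up 12%, costs flat. " * 8,  # 368 bytes
    "photo.jpg": bytes(range(256)) * 2,                                     # 512 bytes
    "notes.txt": b"call mum\nrenew passport\n",                             # 24 bytes
}
ATTACKER_KEY = b"operator-key-never-seen-by-victim"  # hypothetical


def simulate_infection(files: dict, key: bytes) -> dict:
    """Encrypt every file and append the .crypt extension, as the ransomware does."""
    return {name + ".crypt": weak_encrypt(key, data) for name, data in files.items()}


def recover_all(encrypted_files: dict, known_name: str, known_original: bytes):
    """Use one (original, encrypted) pair to decrypt every file the keystream covers.

    Returns (recovered, skipped): recovered maps original names to plaintext;
    skipped lists .crypt files longer than the recovered keystream, which need
    a larger original to be unlocked.
    """
    ks = recover_keystream(known_original, encrypted_files[known_name + ".crypt"])
    recovered, skipped = {}, []
    for cname, cdata in encrypted_files.items():
        if len(cdata) > len(ks):
            skipped.append(cname)
            continue
        recovered[cname[: -len(".crypt")]] = decrypt_with_keystream(ks, cdata)
    return recovered, skipped


if __name__ == "__main__":
    enc = simulate_infection(VICTIM_FILES, ATTACKER_KEY)
    # A 368-byte original unlocks the 24-byte notes but not the 512-byte photo.
    rec, skipped = recover_all(enc, "report.docx", VICTIM_FILES["report.docx"])
    print("recovered:", sorted(rec), "skipped:", skipped)
    # A larger original (the photo) unlocks everything.
    rec, skipped = recover_all(enc, "photo.jpg", VICTIM_FILES["photo.jpg"])
    print("recovered:", sorted(rec), "skipped:", skipped)
```

The size check in `recover_all` is the practical point: a recovered keystream only covers as many bytes as the original you supplied, so a decryptor of this kind needs the largest unencrypted original you can find to unlock the largest encrypted files. Against genuine per-file RSA-4096 key wrapping, as the ransom note claimed, this known-plaintext approach would not work at all.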

Users of Kaspersky Lab solutions are further protected because the Angler Exploit Kit used by the CryptXXX ransomware is detected in the early stages of infection by the Automatic Exploit Prevention technology in Kaspersky Lab solutions.

Kaspersky Lab products detect this exploit kit under the following verdicts: HEUR:Exploit.SWF.Agent.gen, PDM:Exploit.Win32.Generic, HEUR:Exploit.Script.Generic.

To protect themselves from infection users should do the following:

  1. Back up regularly.
  2. Install all critical updates for your OS and browsers. The Angler Exploit Kit, which is used by CryptXXX, leverages software vulnerabilities to download and install the ransomware.
  3. Install a security solution. Kaspersky Internet Security provides multi-layered protection from ransomware. Kaspersky Total Security can complement the all-round protection by providing automatic backups.

Further information on CryptXXX can be found on Kaspersky Daily.
