{"id":13628,"date":"2016-12-20T04:00:48","date_gmt":"2016-12-20T09:00:48","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=13628"},"modified":"2019-11-15T06:51:08","modified_gmt":"2019-11-15T11:51:08","slug":"cryptxxx-v3-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/cryptxxx-v3-ransomware\/13628\/","title":{"rendered":"Decrypting CryptXXX version 3 \u2014 for free"},"content":{"rendered":"<p>In April 2016 a young and ambitious trojan <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/cryptor\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">cryptor<\/a> known by the name CryptXXX was released. It was distributed by the infamous Angler and Neutrino <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/exploit-kit\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">exploit kits<\/a>. Its creators certainly hoped that after the release they could lie on the couch and watch the money flow from the victims\u2019 pockets to their bitcoin wallets. But things did not go the way they had expected.<\/p>\n<p>A few days after the CryptXXX trojan was <a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">discovered<\/a>, experts from Kaspersky Lab found a mistake in the CryptXXX file encryption algorithms and thus were able to <a href=\"https:\/\/www.kaspersky.com\/blog\/cryptxxx-ransomware\/11939\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">create a cure<\/a>. A free utility called Rannoh decryptor could be used to decrypt files encrypted by CryptXXX.<\/p>\n<p>The criminals had to get up from their comfortable couch and start working to fix the bug. 
So they started distributing a new version, but it took our experts just a few days more to <a href=\"https:\/\/www.kaspersky.com\/blog\/cryptxxx-decryption-20\/12091\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">invent a cure for the second version of CryptXXX<\/a>. Rannoh decryptor was updated \u2014 and the Trojan\u2019s victims could once again decrypt their files without paying ransom.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/CryptXXX?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#CryptXXX<\/a> v2 can now be decrypted with our decryptor <a href=\"https:\/\/twitter.com\/hashtag\/noransom?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#noransom<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ransomware<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a> <a href=\"https:\/\/t.co\/XJZGaQK0E7\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/XJZGaQK0E7<\/a> <a href=\"https:\/\/t.co\/3D1SmdiCeM\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/3D1SmdiCeM<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/731153321323601920?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 13, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>With their latest versions thwarted, the criminals abandoned relaxation and created a third version of their ransomware, hoping that nobody would be able to find a way to make a decryptor.<\/p>\n<p>They almost succeeded. 
For a rather long period of time CryptXXX v.3 was able to terrorize people all over the globe, encrypt their files and demand ransom to bring them back. It was also <a href=\"https:\/\/threatpost.com\/updated-cryptxxx-ransomware-big-money-potential\/118464\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">capable of stealing credentials<\/a> from different applications.<\/p>\n<p>The distribution of the new version started in May, and our experts estimate that there may be several hundred thousand infected users. Kaspersky Lab\u2019s products alone detected and prevented about 80,000 attempts to infect computers with CryptXXX v.3. Almost a quarter of all attacks were targeting users from the USA, with Russia, Germany, Japan, India and Canada combining for another 28% of infection attempts.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/12\/06015702\/cryptxxx-demand-message-1-1-1024x747.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-10595\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/12\/06015702\/cryptxxx-demand-message-1-1-1024x747.png\" alt=\"Kaspersky Lab offers to decrypt files encrypted by CryptXXX v.3\" width=\"1251\" height=\"912\"><\/a><\/p>\n<div id=\"attachment_10594\" style=\"width: 1261px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/12\/06015701\/cryptxxx-demand-message-2-1-1024x662.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-10594\" class=\"size-full wp-image-10594\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/12\/06015701\/cryptxxx-demand-message-2-1-1024x662.png\" alt=\"Rannoh Decryptor free utility is now capable of decrypting .crypt and .crypz files created by CryptXXX v.3 ransomware.\" width=\"1251\" height=\"809\"><\/a><p id=\"caption-attachment-10594\" class=\"wp-caption-text\">The ransom demand message 
varies depending on the version of the CryptXXX trojan, but usually it is similar to these examples<\/p><\/div>\n<p>But nothing lasts forever. Today we\u2019re happy to announce that our researchers have managed to find a cure for the third version of the CryptXXX trojan, so the .cryp1, .crypt and .crypz files can be decrypted once again. We\u2019ve added the decryption to the Rannoh Decryptor utility, which you can find either at <a href=\"https:\/\/support.kaspersky.com\/viruses\/disinfection\/8547#block1\" target=\"_blank\" rel=\"noopener noreferrer\">our website<\/a> or at <a href=\"https:\/\/www.nomoreransom.org\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">NoMoreRansom.org<\/a>.<\/p>\n<p>If you were hit by CryptXXX \u2014 visit one of the aforementioned websites, download the utility and get your files back. Our utilities are free, and can help you recover files encrypted by most versions of the trojan, so you would save a nice sum by not paying the ransom to the criminals.<\/p>\n<p><em>\u201cOur regular advice to the victims of different ransomware families is the following: even if there is currently no decryption tool available for the version of malware that encrypted your files, please <a href=\"https:\/\/www.kaspersky.com\/blog\/no-no-ransom\/13364\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">don\u2019t pay the ransom<\/a> to criminals. Save the corrupt files and be patient \u2014 the probability of a decryption tool emerging in the near future is high. We consider the case of CryptXXX v.3 as proof of this advice. Multiple security specialists around the world are continuously working hard to be able to help victims of ransomware. 
Sooner or later the solution to the vast majority of ransomware will be found,\u201d<\/em> \u2014 said Anton Ivanov, security expert at Kaspersky Lab.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kis-trial-ransomware\">\n<p>Our other advice is to think proactively and protect yourself in advance. It\u2019s much more convenient not to get your files corrupted in the first place. To do this, follow these two simple steps:<\/p>\n<p>1. Back up your data regularly on detachable media that is not kept connected to your computer all the time.<\/p>\n<p>2. Install a good security solution. By the way, recent independent studies showed that Kaspersky Internet Security is <a href=\"https:\/\/www.kaspersky.com\/blog\/effitas-certification\/13213\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">extremely good against ransomware<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab experts create a cure for CryptXXX. For the third time.<\/p>\n","protected":false},"author":696,"featured_media":13629,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2683],"tags":[1577,1733,352,36,420],"class_list":{"0":"post-13628","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-cryptxxx","10":"tag-decryptors","11":"tag-kaspersky-lab","12":"tag-malware-2","13":"tag-ransomware"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cryptxxx-v3-ransomware\/13628\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cryptxxx-v3-ransomware\/5769\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cryptxxx-v3-ransomware\/10593\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cryptxxx-v3-ransomware\/8168\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/cryptxx
x-v3-ransomware\/8724\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/cryptxxx-v3-ransomware\/9768\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/cryptxxx-v3-ransomware\/9521\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cryptxxx-v3-ransomware\/13804\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/cryptxxx-v3-ransomware\/2791\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/cryptxxx-v3-ransomware\/6435\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/cryptxxx-v3-ransomware\/6805\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/cryptxxx-v3-ransomware\/5855\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/cryptxxx-v3-ransomware\/9419\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/cryptxxx-v3-ransomware\/13488\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/cryptxxx-v3-ransomware\/13804\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cryptxxx-v3-ransomware\/13628\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cryptxxx-v3-ransomware\/13628\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/ransomware\/","name":"Ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13628","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=13628"}],"version-history":[{"count":6,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13628\/revisions"}],"predecessor-version":[{"id":30078,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13628\/revis
ions\/30078"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/13629"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=13628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=13628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=13628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}