Last Sunday, a user known as crss7777 published the CrySis ransomware decryption keys online.
Victims of the CrySis ransomware received some good news this weekend: the master decryption keys for the ransomware were posted on the Internet. Kaspersky Lab security researchers have already added the keys to the Rakhni decryptor, giving victims of CrySis versions 2 and 3 the opportunity to recover their files.
The CrySis ransomware decryption keys were posted on a computer forum by a user known as crss7777, who shared a link to a C header file containing the actual master decryption keys, along with information on how to use them.
“In a surprise move, the master decryption keys for the CrySiS Ransomware have been released early this morning in a post on the computer forums. At approximately 1 AM EST, a member named crss7777 created a post in the CrySiS support topic with a Pastebin link to a C header file containing the actual master decryption keys and information on how to utilize them,” a security researcher wrote.
“These keys have already been used by Kaspersky Labs to update their RakhniDecryptor program so that it can be used to decrypt victim’s files.”
According to the security expert, the user crss7777 could be a member of the development team.
“Though the identity of crss7777 is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware,” the researcher stated.
“Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.”
Security experts at Eset noticed the CrySis ransomware in February, when the malware infected many systems in Russia, Japan, South and North Korea, and Brazil.
Usually, the infection is distributed via email attachments with double file extensions, or via malicious links embedded in spam emails.
The CrySis ransomware appends the .xtbl extension to the files it encrypts, renaming each one in the format [filename].id-[id].[email_address].xtbl.
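The two indicators just described, the double-extension attachment and the .id-[id].[email_address].xtbl rename, can be turned into a simple file-name triage for incident responders. The following is an added example written for this article, not code from Kaspersky, ESET or the decryptor; the character classes for the id and e-mail fields, and the list of executable extensions, are assumptions rather than details taken from the page.

```python
import re
from typing import Dict, List, Optional

# Rename scheme described in the article:
#   [filename].id-[id].[email_address].xtbl
# Assumption: the id is an alphanumeric token and the e-mail is a plain
# user@host string; the real samples may be stricter than this.
CRYSIS_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<id>[A-Za-z0-9]+)"
    r"\.(?P<email>[^@\s.]+@[^\s.]+(?:\.[^\s.]+)+)\.xtbl$"
)

# Assumed set of extensions that make a "document.ext.EXE" lure dangerous.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}


def parse_crysis_name(name: str) -> Optional[Dict[str, str]]:
    """Return the original name, victim id and contact e-mail if `name`
    follows the CrySis rename scheme, otherwise None."""
    m = CRYSIS_NAME.match(name)
    return m.groupdict() if m else None


def is_double_extension(name: str) -> bool:
    """True for names like invoice.pdf.exe: a short document-style
    extension immediately followed by an executable one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) != 3:
        return False
    inner, last = parts[1], parts[2]
    return last in EXEC_EXT and inner.isalnum() and 1 <= len(inner) <= 4


def triage(names: List[str]) -> Dict[str, list]:
    """Split a list of file names into encrypted files (parsed) and
    probable e-mail lures; everything else is ignored."""
    result: Dict[str, list] = {"encrypted": [], "lures": []}
    for n in names:
        parsed = parse_crysis_name(n)
        if parsed:
            result["encrypted"].append(parsed)
        elif is_double_extension(n):
            result["lures"].append(n)
    return result


# Constructed sample names for a stand-alone run (not real IoCs).
SAMPLE_NAMES = [
    "report.docx.id-3C2A1B0F.helpme@example.com.xtbl",
    "invoice.pdf.exe",
    "budget.xlsx",
    "photo.jpg.id-ABC.xtbl",  # no e-mail field: does not match the scheme
]

if __name__ == "__main__":
    print(triage(SAMPLE_NAMES))
```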