Victims of the infamous CryptXXX v.3 ransomware are now able to unlock their encrypted files as security researchers have released a free decryption tool for the threat.
The decryptor is included in a free application shared by the No Ransom Project, called the RannohDecryptor utility. The tool has successfully managed to unlock files encrypted by CryptXXX version 2 but, until now, it was not able to decrypt files targeted by version 3.
CryptXXX was first noticed in April and it is known as one of the ransomware pieces with the highest number of victims around the globe. It has been mostly targeting American users but Germany, Japan, and Russia are also among the top-targeted countries. According to experts, the ransomware has given cybercriminals the opportunity to make huge profits.
Security researchers stated that the ransomware was being distributed via Exploit Kits (EKs) like Neutrino, Magnitude, and Angles EKs. Ever since its appearance on the ransomware stage CryptXXX was been rapidly evolving, noted the SentinelOne security firm.
In June, the ransomware developers managed to fix the security flaws which allowed decryption of files without paying the ransom. One month earlier, in May, Kaspersky Lab researchers had updated their decryptor (RannohDecryptor 220.127.116.11) to be able to unlock files targeted by the second version of CryptXXX.
The Kaspersky experts were able to find and exploit vulnerabilities in the CryptXXX`s code and unlock files every time the ransomware`s authors released a new version. They found that the ransomware is leveraging on a DLL written in Delphi and that it relies on several encryption algorithms to lock the files.
CryptXXX v.3 appends the .crypt, .cryp1 and .crypz extensions at the end of encrypted data. The ransomware`s latest version also includes a stiller.dll module which is able to steal victims` account credentials.
“After the files are encrypted and all the valuable data is transferred to the criminals, the Trojan displays a message to the victim demanding a ransom.” – Kaspersky Lab researchers said.
If you have been attacked by the notorious CryptXXX, check the list decryption tools which are available at the No Ransom page.