In case you are one of the numerous victims of CryptXXX ransomware, you might get a chance to recover your files for free.
Yesterday, users who visited the Tor-based payment websites of the CryptXXX ransomware found that, after logging in with their IDs, they received the actual decryption key instead of decryption instructions, free of charge and without doing anything at all.
This did not happen to all users, but only to victims of the CryptXXX ransomware variants that append the .crypz and .cryp1 file extensions to encrypted files.
In May of this year, the developers of TeslaCrypt ransomware decided to close up shop, offering a master key to recover the files of all infected users.
CryptXXX ransomware, however, doesn’t use a master key: private keys are different for each victim, so there’s no universal key for unlocking everyone’s files at once.
Currently, there is no information on whether these keys were leaked intentionally by CryptXXX’s authors or as the result of a server glitch.
Nevertheless, researchers think the second option is more likely, since CryptXXX was plagued by several encryption routine problems which allowed Kaspersky experts to create decrypters for older versions of the ransomware.
By conducting a quick test through all the CryptXXX versions, the expert Lawrence Abrams was able to summarize the categories of users who would get a free key and who would not. The keys being offered for free are listed below.
.Crypz Extension (UltraDecryptor)
Ransom Note Name: ![victim_id].html
Ransom Note Name: ![victim_id].txt
Example TOR Url: http://xqraoaoaph4d545r.onion.to
Example TOR Url: http://xqraoaoaph4d545r.onion.cab
Example TOR Url: http://xqraoaoaph4d545r.onion.city
.Cryp1 Extension (UltraDecryptor)
Ransom Note Name: ![victim_id].html
Ransom Note Name: ![victim_id].html
Example TOR Url: http://eqyo4fbr5okzaysm.onion.to
Example TOR Url: http://eqyo4fbr5okzaysm.onion.cab
Example TOR Url: http://eqyo4fbr5okzaysm.onion.city
Keys NOT being offered for free
.Crypt Extension (UltraDeCrypter)
Ransom Note Name: [victim_id].html
Ransom Note Name: [victim_id].txt
Example TOR Url: http://klgpco2v6jzpca4z.onion.to
Example TOR Url: http://klgpco2v6jzpca4z.onion.cab
Example TOR Url: http://klgpco2v6jzpca4z.onion.city
.Crypt Extension (Google Decryptor)
Ransom Note Name: !Recovery_[victim_id].html
Ransom Note Name: !Recovery_[victim_id].txt
Example TOR Url: http://2zqnpdpslpnsqzbw.onion.to
Example TOR Url: http://2zqnpdpslpnsqzbw.onion.cab
Example TOR Url: http://2zqnpdpslpnsqzbw.onion.city
Random Extension (UltraDecryptor)
Ransom Note Name: @[victim_id].html
Ransom Note Name: @[victim_id].txt
Example TOR Url: 2mpsasnbq5lwi37r.onion.to
Example TOR Url: 2mpsasnbq5lwi37r.onion.cab
Example TOR Url: 2mpsasnbq5lwi37r.onion.city
No extension (Microsoft Decryptor)
Ransom Note Name: README.html
Ransom Note Name: README.txt
Example TOR Url: http://ccjlwb22w6c22p2k.onion.to
Example TOR Url: http://ccjlwb22w6c22p2k.onion.city
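For responders triaging an affected machine, the list above can be turned into a quick check of which variant a file listing points to and whether a free key was reported for it. The following Python sketch is an added example, not a tool from the researchers mentioned in the article; the victim ID format, the sample file names, and accepting a .txt note for the .cryp1 row are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption: victim IDs are plain alphanumerics; the article only shows "[victim_id]".
ID = r"[0-9A-Za-z]+"
# The article lists only .html for the .cryp1 row; accepting .txt there is an assumption.
NOTE_EXT = r"\.(?:html|txt)"

# (ransom-note regex, required encrypted-file extension or None, variant, free key reported)
ROWS = [
    (rf"!{ID}{NOTE_EXT}", ".crypz", ".Crypz Extension (UltraDecryptor)", True),
    (rf"!{ID}{NOTE_EXT}", ".cryp1", ".Cryp1 Extension (UltraDecryptor)", True),
    (rf"{ID}{NOTE_EXT}", ".crypt", ".Crypt Extension (UltraDeCrypter)", False),
    (rf"!Recovery_{ID}{NOTE_EXT}", ".crypt", ".Crypt Extension (Google Decryptor)", False),
    # These two rows have no fixed extension to confirm them, so the note name
    # is the only signal; README.* in particular is a weak indicator.
    (rf"@{ID}{NOTE_EXT}", None, "Random Extension (UltraDecryptor)", False),
    (rf"README{NOTE_EXT}", None, "No extension (Microsoft Decryptor)", False),
]


def classify(paths):
    """Return [(variant, free_key_reported)] for every listed row the file listing matches."""
    # PureWindowsPath splits on both "\\" and "/", so listings from either OS work.
    names = [PureWindowsPath(p).name for p in paths]
    exts = {PureWindowsPath(n).suffix.lower() for n in names}
    hits = []
    for note_re, ext, variant, free in ROWS:
        has_note = any(re.fullmatch(note_re, n, re.IGNORECASE) for n in names)
        if has_note and (ext is None or ext in exts):
            hits.append((variant, free))
    return hits


if __name__ == "__main__":
    # Constructed sample listing, not taken from a real incident.
    listing = [
        r"C:\Users\bob\Documents\report.docx.crypz",
        r"C:\Users\bob\Documents\!1A2B3C4D5E6F.html",
    ]
    for variant, free in classify(listing):
        print(variant, "-> free key reported" if free else "-> no free key reported")
```

An empty result only means the listing matches none of the rows above; it does not rule out other ransomware.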