Good news for the victims of the CrySis ransomware, on Sunday the master decryption keys were released to the public. Security experts from Kaspersky Lab have already included the decryption keys in the Rakhni decryptor allowing victims of CrySis versions 2 and 3 to recover their files.
The decryption keys for the CrySis ransomware were posted online on the BleepingComputer.com forum by a user known as crss7777 who shared a link to a C header file containing the actual master decryption keys and information on how to utilize them.
“In a surprise move, the master decryption keys for the CrySiS Ransomware have been released early this morning in a post on the BleepingComputer.com forums. At approximately 1 AM EST, a member named crss7777 created a post in the CrySiS support topic at BleepingComputer with a Pastebin link to a C header file containing the actual master decryption keys and information on how to utilize them,” wrote Lawrence Abrams from BleepingComputer.
“These keys have already been used by Kaspersky Labs to update their RakhniDecryptor program so that it can be used to decrypt victim’s files.”
Lawrence Abrams speculates the user crss7777 could be a member of the development team.
“Though the identity of crss7777 is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware,” said Abrams.
“Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.”
The CrySis ransomware was first spotted in February by experts at Eset, the malware has infected systems mostly in Russia, Japan, South and North Korea, and Brazil.
The threat is spread via email attachments with double file extensions or via malicious links embedded in spam emails.
The CrySis ransomware appends the .xtbl extension to the encrypted files, the files are renamed following the following format [filename].id-[id].[email_address].xtbl.
Bleepingcomputer.com published detailed instructions to decrypt the files.
(Security Affairs – CrySis ransomware, cybercrime)