Back in May, the developers of a prevalent family of ransomware dubbed TeslaCrypt released its master decryption keys to the public, reducing its threat levels. This made way for newer flavours of ransomware to take over. One of these was the Crysis ransomware, which had recently been found to be targeting Australian and New Zealand businesses.
But Crysis has suffered the same fate as TeslaCrypt; its master decryption keys have been released unexpectedly. Here’s what you need to know.
The master decryption keys were posted on a Crysis support forum page on Bleeping Computer. The post contained a Pastebin link to a C header file holding the keys, together with detailed instructions on how to use them. The poster is suspected to be one of the developers of Crysis, given how thoroughly he understood the decryption keys themselves.
According to Trend Micro's research team:
“Crysis is mainly distributed through spam emails, either with Trojanised attachments with double file extensions (as a way to disguise the malware as a non-executable) or links to compromised websites, and online locations that distribute spurious installers for legitimate programs and applications. Although not immediately seen when it was first discovered, we also observed that it used brute-forced RDPs as one of its infection vectors.”
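The two infection vectors named in the quote, double-extension attachments and brute-forced RDP, are both things a defender can check for cheaply. The following Python snippet is an added example written for this article; it is not code from the original page, from Trend Micro or from any vendor tool. It flags attachment names of the form `decoy.executable` (such as `invoice.pdf.exe`) and counts failed RDP logons per source address inside a sliding time window. The log line format, the field names (`src`, `user`, `result`), the extension lists and the sample log are all constructed assumptions for the example; a real deployment would parse the mail gateway's attachment metadata and Windows logon-failure events instead.

```python
import re
from collections import defaultdict
from datetime import datetime

# Extensions Windows will run directly. The double-extension lure relies on the
# final, executable extension being hidden (or overlooked) while the decoy
# extension in the middle of the name is what the recipient sees.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta"}
# Document/image extensions commonly used as the visible decoy part (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}


def is_double_extension_lure(filename: str) -> bool:
    """Return True when the name looks like <decoy>.<executable>, e.g. 'invoice.pdf.exe'."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:           # fewer than two extensions: not a double-extension name
        return False
    _, decoy, final = parts
    # strip() catches padding tricks such as "invoice.pdf     .exe"
    return final in EXECUTABLE_EXTS and decoy.strip() in DECOY_EXTS


# Assumed, constructed log format for the example (one logon attempt per line).
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def rdp_bruteforce_sources(lines, threshold=5, window_seconds=60):
    """Return the set of source IPs with at least `threshold` failed logons
    inside any span of `window_seconds`."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["result"] != "FAIL":
            continue                     # ignore unparseable lines and successes
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        failures[m["src"]].append(ts)

    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        # Sliding window: advance `start` until the window fits in window_seconds,
        # then check how many failures it contains.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


# Constructed sample log: one address hammers RDP, another has ordinary user typos.
SAMPLE_RDP_LOG = [
    "2016-11-14T10:00:01 src=203.0.113.7 user=administrator result=FAIL",
    "2016-11-14T10:00:04 src=203.0.113.7 user=admin result=FAIL",
    "2016-11-14T10:00:07 src=203.0.113.7 user=backup result=FAIL",
    "2016-11-14T10:00:09 src=203.0.113.7 user=sales result=FAIL",
    "2016-11-14T10:00:12 src=203.0.113.7 user=guest result=FAIL",
    "2016-11-14T10:00:15 src=203.0.113.7 user=test result=FAIL",
    "2016-11-14T10:02:30 src=198.51.100.9 user=jsmith result=FAIL",
    "2016-11-14T10:02:45 src=198.51.100.9 user=jsmith result=OK",
    "2016-11-14T10:20:00 src=198.51.100.9 user=jsmith result=FAIL",
]

if __name__ == "__main__":
    for name in ("invoice.pdf.exe", "Photo.JPG.scr", "report.pdf", "setup.exe"):
        print(f"{name:20} lure={is_double_extension_lure(name)}")
    print("brute-force sources:", rdp_bruteforce_sources(SAMPLE_RDP_LOG))
```

The attachment check is deliberately narrow: a lone `.exe` attachment is already blocked by most gateways, so the rule targets the disguise specifically. The RDP check uses a sliding window rather than a per-minute bucket so a burst straddling a bucket boundary is not missed; the threshold and window are tunable and should be set from a baseline of normal failed-logon rates.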
Kaspersky Lab has already incorporated the master decryption keys into its RakhniDecryptor, which is used to decrypt Crysis-encrypted files. If you've been hit by the Crysis ransomware and want to unlock your files, you can download the program here.