Crysis ransomware decryption keys posted online

Crysis ransomware no longer a crisis

The decryption keys for the Crysis ransomware have been posted online by an anonymous contributor - and security software company Kaspersky claims already to have incorporated the keys into its Rakhni decryptor package.

Organisations and individuals who have fallen victim to Crysis versions two and three can now recover their lost files.

The keys were posted overnight to the BleepingComputer.com forums by an anonymous user going by the handle "crss7777". The post included a link to a Pastebin post containing a C header file with the master decryption keys, together with instructions on how to use them.

It's not clear why the decryption keys were posted online, although it has been conjectured that the author of the ransomware himself posted the keys in response to the growing interest from law enforcement worldwide in cracking down on it.

"Though the identity of crss7777 is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the Crysis ransomware," conjectured Lawrence Abrams, the creator and owner of BleepingComputer.com.

"Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them," he added. Kaspersky quickly ascertained that the decryption keys were legitimate, according to Abrams.

According to Trend Micro, the Crysis ransomware was first detected in February and had become widespread by the summer.

"Crysis slithers its way to a user's computer through emails containing attachments with double file extensions, which will make the malicious files appear as non-executable files. It also hitches a ride via spam emails with compromised URLs and websites," said Trend in an advisory. "The malware is also distributed to online locations and shared networks disguised as a harmless installer for various legitimate programs and applications, such as WinRAR, Microsoft Excel and iExplorer."

It continued: "Crysis is also capable of encrypting more than 185 file types on fixed and removable drives (i.e. USBs and external disks), as well as network shares, through a combination of RSA and AES encryption algorithms. To ensure infection, Crysis deletes the system's shadow copies, which serve as back-up copies of the computer's files or volumes.

"As a measure of persistence, the ransomware creates and enters new values to the Windows Registry. This enables the malware to run every time the user logs in to the system, which then makes it more difficult to remove. Encrypted data are appended with a '.crysis' extension in their file names."
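The two file-name indicators the Trend Micro advisory describes, the double-extension attachment lure and the ".crysis" extension appended to encrypted files, can be turned into a simple triage check. The script below is an added example, not code from the article or from any vendor; it assumes a constructed file listing and a representative (not exhaustive) list of executable extensions, and reports lures and encrypted files with a per-directory count so a responder can gauge how far encryption spread.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Outer extensions Windows will execute even when a "document" extension precedes them.
# Assumption: a representative list, not the full set Windows treats as executable.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Inner extensions commonly used to make the attachment look harmless.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
CRYSIS_EXT = ".crysis"  # extension appended to encrypted files, per the advisory


def is_double_extension_lure(name: str) -> bool:
    """True for names like 'invoice.pdf.exe': a document extension hiding an executable one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    inner, outer = parts[1], parts[2]
    return inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS


def is_crysis_encrypted(name: str) -> bool:
    """True if the file already carries the '.crysis' extension."""
    return name.lower().endswith(CRYSIS_EXT)


def triage(paths):
    """Split a file listing into phishing lures and encrypted files, counting encrypted files per directory."""
    lures, encrypted, per_dir = [], [], Counter()
    for raw in paths:
        p = PureWindowsPath(raw)  # pure path: parses Windows paths on any host OS
        if is_double_extension_lure(p.name):
            lures.append(raw)
        if is_crysis_encrypted(p.name):
            encrypted.append(raw)
            per_dir[str(p.parent)] += 1
    return {"lures": lures, "encrypted": encrypted, "encrypted_by_dir": dict(per_dir)}


# Constructed sample listing (not real incident data) mixing local paths and a network share.
SAMPLE_LISTING = [
    r"C:\Users\alice\Downloads\invoice.pdf.exe",
    r"C:\Users\alice\Documents\budget.xlsx.crysis",
    r"C:\Users\alice\Documents\notes.txt",
    r"\\fileserver\share\q3_report.docx.crysis",
    r"C:\Users\alice\Downloads\photo.jpg.scr",
    r"C:\Users\alice\Downloads\setup.exe",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```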