Kaspersky cracks CryptXXX, throws lifeline to ransomware victims

Kaspersky has announced it's decrypted yet another crypto-extortion racket.

Writing here, the company's John Snow says Kaspersky bods can now untangle data after a CryptXXX attack.

CryptXXX was described in mid-April by Proofpoint, which said it came from the authors of Reveton and was spreading thanks to its inclusion in the Angler exploit kit.

The group using CryptXXX were demanding US$500 per machine encrypted, which Proofpoint noted is at the high end of the extortion scale.

The ransomware encrypts files both on the victim's PC and on attached storage. Kaspersky notes there's a short delay applied to the external storage encryption “to confuse victims and make it harder to detect which websites spread the malware”.

The attackers also steal Bitcoins recorded on victims' hard drives, and copies other data back to base. Victims are told – via a Web page, an image dropped in as the user's desktop, and in a text file in case everything else fails – to download the Tor browser and navigate to an Onion site to get recovery instructions.

Although CryptXXX uses RSA4096, Snow writes it wasn' that hard to crack, and it's added decryption to its RannohDecryptor tool here. ®