Crysis Averted: Eset Releases Free Ransomware Decryptor

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Victims of the Crysis ransomware now have a get out of jail free card after security vendor Eset announced a free decryptor tool.

Crysis first broke onto the scene in June after competitor TeslaCrypt apparently ceased operations and tens of thousands of users began downloading the free decryptor for it.

Detected as Win32/Filecoder.Crysis, the ransomware was able to encrypt files on fixed, removable and network drives using strong encryption algorithms, according to Eset.

“During our research we have seen different approaches to how the malware is spread. In most cases, Crysis ransomware files were distributed as attachments to spam emails, using double file extensions. Using this simple – yet effective – technique, executable files appear as non-executable,” Eset’s security evangelist, Ondrej Kubovic, wrote at the time.

“Another vector used by the attackers has been disguising malicious files as harmless looking installers for various legitimate applications, which they have been distributing via various online locations and shared networks.”

Crysis also achieved persistence by setting registry entries to be executed at every system start.

Eset prepared the free decryptor tool after a user known as ‘crss7777’ dumped the master decryption keys last week in a post on the BleepingComputer.com forums.

“Though the identity of ‘crss7777’ is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware,” wrote the site’s owner Lawrence Abrams at the time.

“Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.”

Russian AV firm Kaspersky Lab has also updated its RakhniDecryptor program so it now works for victims of the Crysis ransomware.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
A person really must wonder if ESET actually ran the tool on an infected computer. If you look at the instructions for use,

1). Download the tool and save the file to your Desktop.
2). Click StartAll Programs Accessories, right-click Command prompt and then select Run as administrator from the context menu.

The issue here that Crysis is fortress-class; by that I mean aside from encrypting Documents it will encrypt ALL non-running processes. So you won't be able to download anything on to the system (even if the browser is open the file will be saved as zero-byte), and the Command prompt entry is also encrypted, so Step 2 does not work.

Proper Instructions:

1). download esetcrysisdecryptor.exe on a NON-INFECTED computer and save to flash drive.
2). Shut down infected computer restart in Safe mode with command prompt
3). insert flash drive
4). At the command Prompt type "msconfig"
5). When MSCONFIG opens, go to startup and uncheck the entry for crysis (usually points to a dropped payload in System32). Note that if you don't do this Crysis will start on boot and destroy all you work!
6). close MSCONFIG and typye wahtever drive letter points to your flash (eg. "E:")
7). type "esetcrysisdecryptor.exe c:
8). accept the license and let it run
9). reboot the machine and have fun deleting the thousands of backup files that ESET recovered for you.

Anyway, that's what you ACTUALLY have to do instead of the mickey mouse directions ESET gives.
 

adnage19

Level 5
Verified
Well-known
Sep 22, 2016
211
A person really must wonder if ESET actually ran the tool on an infected computer. If you look at the instructions for use,

1). Download the tool and save the file to your Desktop.
2). Click StartAll Programs Accessories, right-click Command prompt and then select Run as administrator from the context menu.

The issue here that Crysis is fortress-class; by that I mean aside from encrypting Documents it will encrypt ALL non-running processes. So you won't be able to download anything on to the system (even if the browser is open the file will be saved as zero-byte), and the Command prompt entry is also encrypted, so Step 2 does not work.

Proper Instructions:

1). download esetcrysisdecryptor.exe on a NON-INFECTED computer and save to flash drive.
2). Shut down infected computer restart in Safe mode with command prompt
3). insert flash drive
4). At the command Prompt type "msconfig"
5). When MSCONFIG opens, go to startup and uncheck the entry for crysis (usually points to a dropped payload in System32). Note that if you don't do this Crysis will start on boot and destroy all you work!
6). close MSCONFIG and typye wahtever drive letter points to your flash (eg. "E:")
7). type "esetcrysisdecryptor.exe c:
8). accept the license and let it run
9). reboot the machine and have fun deleting the thousands of backup files that ESET recovered for you.

Anyway, that's what you ACTUALLY have to do instead of the mickey mouse directions ESET gives.
Poor ESET, knockout by cruelsister :D
xT77Y9wvUx4iSsPaNi.gif
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top