Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Crypz ransomware with Cerber ransomware in free decrypted file

  • This topic is locked This topic is locked
1 reply to this topic

#1 Shatang


  • Members
  • 1 posts
  • Local time:07:32 PM

Posted 17 June 2016 - 02:08 PM

Hello, I wanted to share my today's experience with the community. I work as an IT consultant for SMB and keep very good and close relationship with my clients with lots of education about data protection.

I got a call from a friend who got a computer infected with Crypz ransomware, demanding a ransom. After consulting a client he decided to make a payment (1.2 BTC) in the effort to get his files back.

We decided to send a .docx file for a test decription and that's when strange things started to happen.

I downloaded the decrypted file with a .html extension (?) and sent it to a dummy e-mail account, then used a freshly formatted PC who never connected to the internet until now, downloaded a .html file, and disconnected from the internet.

Renamed the file to .docx, opened it in MS Word (Macros disabled), and file looked ok with content as expected.

Now, approx 1 minute after we reconnected this PC to the internet, it got infected with Cerber ransomware.  I repeat, this PC never connected to the internet before the file download, nor I did visit any site besides the mail service. It didn't make any damage, however this was the first time I experienced behaviour like this.

I tried to figure out how it happened, gonna test it (same conditions) again later today. I am wondering what would/could happen even if the client still goes for the decryption tool option.

Any thoughts from you, guys?


Best regards!

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,739 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:32 PM

Posted 17 June 2016 - 03:17 PM

From what you describe it appears to be a dual ransomware infection.

Any files that are encrypted with CryptXXX 3.x (UltraDeCrypter/UltraCrypter) will have the .cryp1, .crypz extension appended to the end of the affected filename. CryptXXX 2.x/3.x variants will leave unique Personal ID files using random 12 hexadecimal characters with names like <id-number>.html, <id-number>.txt, <id-number>.bmp (i.e. S45CC72F3463.txt, !4AD604B8AE89.txt), !Recovery_<id-number>.html, !Recovery_<id-number>.txt, !Recovery_<id-number>.bmp (i.e. !Recovery_4582C8FAEB15.txt). A repository of all current knowledge regarding CryptXXX is provided by Grinler (aka Lawrence Abrams), in this topic: CryptXXX Ransomware Help, Information Guide and FAQ.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.Any files that are encrypted with Cerber Ransomware will have the .cerber extension appended to the end of the affected filename and leave files (ransom notes) named DECRYPT MY FILES#.vbs, DECRYPT MY FILES#.txt, DECRYPT MY FILES#.html.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance but as noted above there is no solution to fix your encrypted files.Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in one of the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users