This week a new CryptoJoker ransomware variant called CryptoNar was discovered that has infected victims. The good news is that a free decryptor was quickly released so that these victims can get their files back for free.

This ransomware was first discovered by MalwareHunterTeam and at first glance it looks like a ransomware with little to no distribution. While I would normally not write about ransomware like this, it was later learned that this ransomware had encrypted close to 100 victims.

The good news is that Michael Gillespie was quick to create a free decryptor for this ransomware so victims can get their files back for free.

The CryptoNar Ransomware

When the CryptoNar, or Crypto Nar, Ransomware encrypts a victim's files, it will perform the encryption differently depending on the type of file being encrypted.

If the targeted file has a .txt or .md extension, it will encrypt the entire file and append the .fully.cryptoNar extension to the encrypted file's name. All other files will only have the first 1,024 bytes encrypted and will have the .partially.cryptoNar extension appended to the file's name.

Files encrypted by CryptoNar

When done encrypting the files, it then sends the public/private key pair to the attacker via email.

Send keys via SMTP

CryptoNar will then drop a ransom note named CRYPTONAR RECOVERY INFORMATION.txt that asks the victim to send $200 in bitcoins to the enclosed bitcoin address. When sending the coins, the attacker instructs the victim to enter their email address and listed ID in the "extra note" field of the bitcoin transaction.

Ransom Note

A decryptor will then launch and wait for the victim to enter a private key they would supposedly get after paying the ransom.

Crypto Nar Version 1.0

It is not known if the attacker will actually try and help a victim after they pay, but at this point it does not matter as there is a free decryptor available.

Free CryptoNar Decryptor created

The good news is that Michael Gillespie was able to create a free decryptor for CryptoNar that allows victims to get their files back for free.

To use the decryptor, make sure you have both an encrypted file and its original counterpart and then download the decryptor. When looking for encrypted/non-encrypted pairs, it can be a common file type such as .jpg, .png, .pdf, .doc, .xls, etc.

When ready, run the decryptor, select Settings, and then select Brute Forcer. Once in the brute forcer, select both of the requested files and click Start. The decryptor will then use the selected files to brute force the decryption key.

When one is found, close the Brute Forcer screen and the key should be loaded. Now click on Select Directory, select the C: drive, and click on the Decrypt button.

Files decrypted

Your files should now be decrypted.
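The decryptor needs an encrypted file and its original counterpart. As an added example (not part of the original article or the decryptor), this Python sketch inventories CryptoNar-renamed files and finds verified pairs for .partially.cryptoNar files against a backup folder. It assumes, from the description above, that everything after the first 1,024 bytes is left unchanged; the function names and folder arguments are hypothetical.

```python
import os
from pathlib import Path

FULL_EXT = ".fully.cryptoNar"
PARTIAL_EXT = ".partially.cryptoNar"
HEAD_LEN = 1024  # bytes encrypted in "partially" files, per the article


def classify(name):
    """Return (kind, original_name) for a CryptoNar-renamed file, else None."""
    lower = name.lower()
    for kind, ext in (("full", FULL_EXT), ("partial", PARTIAL_EXT)):
        if lower.endswith(ext.lower()) and len(name) > len(ext):
            return kind, name[: -len(ext)]
    return None


def tail_matches(encrypted, original):
    """True if everything after the first 1,024 bytes of the original
    appears unchanged at the end of the encrypted file (assumption)."""
    tail_len = original.stat().st_size - HEAD_LEN
    if tail_len <= 0 or encrypted.stat().st_size < tail_len:
        return False
    with open(encrypted, "rb") as e, open(original, "rb") as o:
        e.seek(-tail_len, os.SEEK_END)
        o.seek(HEAD_LEN)
        while True:
            a, b = e.read(65536), o.read(65536)
            if a != b:
                return False
            if not a:
                return True


def find_pairs(infected_root, backup_root):
    """Inventory encrypted files and list verified encrypted/original pairs."""
    backups = {}
    for p in Path(backup_root).rglob("*"):
        if p.is_file():
            backups.setdefault(p.name.lower(), []).append(p)
    inventory, pairs = {"full": 0, "partial": 0}, []
    for p in Path(infected_root).rglob("*"):
        hit = classify(p.name) if p.is_file() else None
        if not hit:
            continue
        kind, orig_name = hit
        inventory[kind] += 1
        if kind == "partial":  # fully encrypted files cannot be tail-verified
            pairs += [(p, b) for b in backups.get(orig_name.lower(), [])
                      if tail_matches(p, b)]
    return inventory, pairs
```

Originals of 1,024 bytes or less are skipped because they have no unencrypted tail to compare, and files with the .fully.cryptoNar extension are only counted.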
