This week a new CryptoJoker ransomware variant called CryptoNar was discovered, and it has already infected victims. The good news is that a free decryptor was quickly released so that these victims can get their files back for free.
This ransomware was first discovered by MalwareHunterTeam, and at first glance it looks like a ransomware with little to no distribution. While I would normally not write about ransomware like this, it was later learned that it had encrypted the files of close to 100 victims.
Looks like 91 infections starting Aug 21st. — Travis Green (@travisbgreen) August 28, 2018
The good news is that Michael Gillespie was quick to create a free decryptor for this ransomware so victims can get their files back for free.
When the CryptoNar, or Crypto Nar, Ransomware encrypts a victim's files, it performs the encryption differently depending on the type of file being encrypted.
If the targeted file has a .txt or .md extension, it will encrypt the entire file and append the .fully.cryptoNar extension to the encrypted file's name. All other files will only have the first 1,024 bytes encrypted and will have the .partially.cryptoNar extension appended to the file's name.
When done encrypting the files, it then sends the public/private key pair to the attacker via email.
CryptoNar will then drop a ransom note named CRYPTONAR RECOVERY INFORMATION.txt that asks the victim to send $200 in bitcoins to the enclosed bitcoin address. When sending the coins, the attacker instructs the victim to enter their email address and listed ID in the "extra note" field of the bitcoin transaction.
A decryptor is then launched and waits for the victim to enter a private key that they would supposedly get after paying the ransom.
It is not known if the attacker will actually try and help a victim after they pay, but at this point it does not matter as there is a free decryptor available.
The good news is that Michael Gillespie was able to create a free decryptor for CryptoNar that allows victims to get their files back for free.
Here's a free decrypter for CryptoJoker / CryptoNar #Ransomware (extensions ".cryptojoker" / ".cryptoNar"). Just requires either an encrypted/original file, or one encrypted file of a common type (e.g. .jpg, .png, .pdf, .doc, etc). https://t.co/dSsodeygE6 pic.twitter.com/D6yi96max1 — Michael Gillespie (@demonslay335) August 28, 2018
To use the decryptor, make sure you have both an encrypted file and its original counterpart, and then download the decryptor from BleepingComputer.com. The encrypted/non-encrypted pair can be of a common file type such as .jpg, .png, .pdf, .doc, .xls, etc.
When ready, run the decryptor, select Settings, and then select Brute Forcer. Once in the brute forcer, select both of the requested files and click Start. The decryptor will then use the selected files to brute force the decryption key.
When one is found, close the Brute Forcer screen and the key should be loaded. Now click on Select Directory, select the C: drive, and click on the Decrypt button.
Your files should now be decrypted.
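To locate a usable encrypted/original pair before running the decryptor, the extensions and the 1,024-byte behavior described above can be turned into a small triage script. This is an added example, not code from the article or from the decryptor's author; it assumes a clean backup tree that mirrors the affected folder and that bytes after the first 1,024 of a "partially" file are left untouched, and the function names and sample files are hypothetical.

```python
import tempfile
from pathlib import Path

FULL, PARTIAL = ".fully.cryptoNar", ".partially.cryptoNar"  # from the article
NOTE = "CRYPTONAR RECOVERY INFORMATION.txt"
HEAD = 1024  # bytes the article says are encrypted in "partially" files

def classify(name):
    """Return (kind, original_name) for a renamed file, or None."""
    for kind, ext in (("full", FULL), ("partial", PARTIAL)):
        if name.endswith(ext) and len(name) > len(ext):
            return kind, name[:-len(ext)]
    return None

def tail_matches(enc, orig):
    """Assumes bytes past HEAD are untouched: original tail == encrypted tail."""
    tail = orig.read_bytes()[HEAD:]
    return bool(tail) and enc.read_bytes().endswith(tail)

def triage(infected_root, backup_root):
    """Inventory CryptoNar artifacts; pair "partially" files with verified originals."""
    infected_root, backup_root = Path(infected_root), Path(backup_root)
    report = {"full": [], "partial": [], "notes": [], "pairs": []}
    for path in sorted(p for p in infected_root.rglob("*") if p.is_file()):
        if path.name == NOTE:
            report["notes"].append(path)
        if (hit := classify(path.name)) is None:
            continue
        kind, original = hit
        report[kind].append(path)
        backup = backup_root / path.relative_to(infected_root).parent / original
        if kind == "partial" and backup.is_file() and tail_matches(path, backup):
            report["pairs"].append((path, backup))
    return report

def demo():
    """Run triage over constructed sample data (not real CryptoNar output)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        live.mkdir()
        backup.mkdir()
        photo = bytes(range(256)) * 12  # 3,072-byte stand-in file
        (backup / "photo.jpg").write_bytes(photo)
        (backup / "report.pdf").write_bytes(b"old version " * 300)  # stale copy
        (live / ("photo.jpg" + PARTIAL)).write_bytes(b"\0" * HEAD + photo[HEAD:])
        (live / ("report.pdf" + PARTIAL)).write_bytes(b"\0" * HEAD + b"new version " * 300)
        (live / ("todo.txt" + FULL)).write_bytes(b"\0" * 64)
        (live / NOTE).write_text("constructed placeholder")
        report = triage(live, backup)
        return {k: len(v) for k, v in report.items()}, [e.name for e, _ in report["pairs"]]
```

In the sample, the stale report.pdf backup is rejected because its tail no longer matches the encrypted copy, so only photo.jpg is reported as a pair worth handing to the brute forcer.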