There has been a lot of discussion today in BleepingComputer's CryptXXX Help topic about victims logging into the ransomware's payment servers and being given their decryption key for free. When users tried these keys, they found that were indeed able to decrypt their encrypted files. Though some have stated that the master key has been released, this is not the case as each person's decryption key has been different and only worked on their own files.
When I researched this further, I discovered that the free keys are only being offered for certain versions of CryptXXX, namely the variants that add the .Crypz and .Cryp1 extensions to encrypted files. All other versions are not receiving the decryption key for free.
At this time it is currently unknown why the payment servers are providing free keys for this variant. It could be that the developers are throwing a bone to their victims, but my guess is that it is a malfunction on their payment server that is causing this. The devs have been known in the past to provide buggy code and decryptable variants, so another error like this would not be hard to imagine.
Below I have put together a list of all the known variants of the CryptXXX ransomware that I had access to. The only known variant that I was not able to test is the one that adds the .cryptz extension. If anyone was infected with that variant, please let me know if the free key is being offered for you.
Keys being offered for Free
.Crypz Extension (UltraDecryptor)
Ransom Note Name: ![victim_id].html
Ransom Note Name: ![victim_id].txt
Example TOR Url: http://xqraoaoaph4d545r.onion.to
Example TOR Url: http://xqraoaoaph4d545r.onion.cab
Example TOR Url: http://xqraoaoaph4d545r.onion.city
.Cryp1 Extension (UltraDecryptor)
Ransom Note Name: ![victim_id].html
Ransom Note Name: ![victim_id].html
Example TOR Url: http://eqyo4fbr5okzaysm.onion.to
Example TOR Url: http://eqyo4fbr5okzaysm.onion.cab
Example TOR Url: http://eqyo4fbr5okzaysm.onion.city
Does Not Provide a Free Key:
.Crypt Extension (UltraDeCrypter)
Ransom Note Name: [victim_id].html
Ransom Note Name: [victim_id].txt
Example TOR Url: http://klgpco2v6jzpca4z.onion.to
Example TOR Url: http://klgpco2v6jzpca4z.onion.cab
Example TOR Url: http://klgpco2v6jzpca4z.onion.city
.Crypt Extension (Google Decryptor)
Ransom Note name: !Recovery_[victim_id].html
Ransom Note name: !Recovery_[victim_id].txt
Example TOR Url: http://2zqnpdpslpnsqzbw.onion.to
Example TOR Url: http://2zqnpdpslpnsqzbw.onion.cab
Example TOR Url: http://2zqnpdpslpnsqzbw.onion.city
Random Extension (UltraDecryptor)
Ransom Note Name: @[victim_id].html
Ransom Note Name: @[victim_id].txt
Example TOR Url: 2mpsasnbq5lwi37r.onion.to
Example TOR Url: 2mpsasnbq5lwi37r.onion.cab
Example TOR Url: 2mpsasnbq5lwi37r.onion.city
No extension (Microsoft Decryptor)
Ransom Note Name: README.html
Ransom Note Name: README.txt
Example TOR Url: http://ccjlwb22w6c22p2k.onion.to
Example TOR Url: http://ccjlwb22w6c22p2k.onion.city
Comments
ScathEnfys - 8 years ago
If this is indeed a bug, Victims infected with the variants giving the free keys should obtain their key ASAP before the developers fix it.
mcerdem - 8 years ago
so infected users should connect to their tor link to get free key, right?
ScathEnfys - 8 years ago
Yes.
silumor - 8 years ago
does this include UltraCrypt v3.0?
ScathEnfys - 8 years ago
The affected versions are listed at the bottom of the post.
Sirawit - 8 years ago
I shared it to local forums. Hopefully this will help some people with this ransomware.
fredco - 8 years ago
I am infected with .crypz and got a free key. I got a LOT of files encrypted across my network and now I'm decrypting them and it works! It's unbelievable...
Strange though: the decrypting process is quite slow, whereas the encryption seemed to go much faster.
If you are a victim too, I would definitely take a look at the crooks' site to see if there is a key for you too. If so, you're saved!
moracrip - 8 years ago
Hi sorry for my doubt but I am not so technical. Can you advice about the procedure cause I have already downloaded the Crypt38Decrypter, but don´t know exactly what to do. thanks in advance and for the inconvenience
FabiusMDQ - 8 years ago
Yep, it worked fine, in a infected disk I put on my PC to recover the files, but apparently tried to infected mine, hehe. Luckily, my antivirus stopped that.
silvery - 8 years ago
What is "error=8"? I failed decryption.
ScathEnfys - 8 years ago
Post in the support topic, please.
lunas - 8 years ago
I am inected with crypz (CryptXXX v3) and It is not working for me anymore :(
Can anyone verify?
6EEFCB7D8BDE
http://hn5fbbc4pyz77xfa.onion
ScathEnfys - 8 years ago
Try posting in the support topic.
AMARTAYAN - 8 years ago
Hi there
I did run the process as recommended and my .crypz files appeared to be cleaned-up with a new file being added next to each .crypz file.
Unfortunately I cannot open any of the uncrypted files ... (.doc, .ppt, .jpg...)..HELP ..THANKS
ren89 - 8 years ago
Hi, I need help! When I logged with my ID in my tor links (using tor browser too) I can't see any free key! Only a count down.
I'm infected with crypz (CryptXXX v3). My ID: DAEA6E2B22FA
My tor links:
1 - http://55fqixg5qedzibps.onion.to
2 - http://55fqixg5qedzibps.onion.cab
3 - http://55fqixg5qedzibps.onion.city
Can anyone verify?
chric123 - 8 years ago
Your personal ID: BABA2373F640
1 - http://6kiujogtkmofnyaq.onion.to
2 - http://6kiujogtkmofnyaq.onion.cab
3 - http://6kiujogtkmofnyaq.onion.city
moracrip - 8 years ago
Hi sorry for my doubt but I am not so technical. Can you advice about the procedure cause I have already downloaded the Crypt38Decrypter, but don´t know exactly what to do. thanks in advance and for the inconvenience
jccarlton - 8 years ago
It looks like they did a reset. No free keys and the timer is reset.
mcerdem - 7 years ago
can i get now free key for .crypz file ?
Emmanuel_ADC-Soft - 7 years ago
Hello,
One of my client has been hit with .crypz.
How to get a key please ?
PERSONAL ID 06DC0492DD45
Tor links : http://hn5fbbc4pyz77xfa.onion
http://hn5fbbc4pyz77xfa.onion.to
http://hn5fbbc4pyz77xfa.onion.cab
http://hn5fbbc4pyz77xfa.onion.city
Thank you very much, kind regards
Emmanuel https://adc-soft.com/decryptage/ransomware.php
denisdany - 6 years ago
PLEASE HELP ME... SOMEBODY ,I TRY FOR WEEKS TO RESOLVE I CANT..
ID: 8B511BC872C2
http://2zqnpdpslpnsqzbw.onion
- http://2zqnpdpslpnsqzbw.onion.to
2 - http://2zqnpdpslpnsqzbw.onion.cab
3 - http://2zqnpdpslpnsqzbw.onion.city