On May 21st, the developers behind the CryptXXX ransomware updated their code to version 3.0 in order to stop Kaspersky's RannohDecryptor from decrypting files for free. Unfortunately, it appears that this update has also had the unintended consequence of breaking the malware developers decryptor.
Since CryptXXX has been released, it has been plagued with bugs and weaknesses that has allowed Kaspersky to decrypt victim's files for free. Now that the malware devs updated to version 3.0 in order to stop Kaspersky, based on multiple reports of people who paid the ransom, it also looks like the malware developers broke their own decryptor.
For those who are affected by CryptXXX 3.0, it is advised that you do not pay the ransom as there is a good chance that you will not receive a working decryptor. You should wait instead to see if Kaspersky is able to update their decryption program to bypass CryptXXX's encryption algorithm.
For those who wish to discuss this ransomware or receive support, they can register a free account and visit this forum topic: CryptXXX Support & Help Topic. You can also consult the CryptXXX Ransomware Help, Information Guide, and FAQ.
Update 5/25/16:
The malware developer's ears must have been ringing, because they release a new decryptor for the 3.x version of CryptXXX. A visitor (or insider), posted a comment in this article stating that the "hackers updated the decryption application".
When I downloaded the current decryptor from the CryptXXX payment site, it was indeed updated and now reflects that it is for the CryptXXX 3.x version as shown below.
On testing, this version of the decryptor does indeed decrypt files for those that paid the ransom.
Comments
El-Capitan - 1 year ago
Well, where is the "news" ??
As far I know, since CryptXXX 2.006 is NOT possible to decrypt, because they used "zlib" compression in addition to the crypt.
Because I am a victim of CryptXXX 2.006, and NOT of the new 3.0, which program is used on the screenshot?? Just to try it.
'Cause with the Kaspersky's tool it shows the error.
xXToffeeXx - 1 year ago
Kaspersky should update their decrypter soon, however if they don't then I know someone else who will. Please be patient.
love24you - 1 year ago
Just now, hackers updated the decryption application. Successfully decrypted.
El-Capitan - 1 year ago
"Just now, hackers updated the decryption application. Successfully decrypted."
what are you talking about??
ScathEnfys - 1 year ago
If you read the article again, you will notice that the malware author's decryptor was temporarily broken. It appears to have been fixed now.
serkanbilen - 1 year ago
Hello,
I need Cryptxxx 3.0 decryptor.exe .
I just want to exe. I find the key.
Thank you..
superikey - 1 year ago
Love24You
We have been infected by the crypsxxx v3 and all our files have the extn *.cryp1.
You mentioned the that hackers updated the decryption tool and it now works.
We have been unable to get the website to even descrypt one sample file, it simply says "please wait" and has for 4 days now.
charly1954 - 11 months ago
"Love24You
We have been infected by the crypsxxx v3 and all our files have the extn *.cryp1.
."
I ran the test to see what kind of ransonware I had and It says I have version 3 and sample_extension: .<5hex>
but where do I look to see the extn on files on my PC I don't see 5hex on any file properties..
Here's an example of the name of one file, no idea if it was a notebook page, word processor page, or spreadsheet
File name changed to:
1BDC345612817FE672B9DE56F470E21E.802ED
Properties of the file say
Type file: 802ED File (.802ED)
Opens with: Windows Shell Common Dll
maxxxit - 1 year ago
This is the result of the ID RANSOMWARE SCAN:
ID Ransomware
4 Results
CryptXXX
Questo ransomware è decifrabile!
Identificato da
sample_extension: .crypt
Per maggiori informazioni riguardo CryptXXX clicca qui
Chimera
Per questo ransomware attualmente non vi sono modi conosciuti per decifrare i file.
Si raccomanda di effettuare un backup dei file cifrati e sperare che vi siano soluzioni in futuro.
Identificato da
sample_extension: .crypt
Per maggiori informazioni riguardo Chimera clicca qui
CryptXXX 2.0
Questo ransomware è decifrabile!
Identificato da
sample_extension: .crypt
Per maggiori informazioni riguardo CryptXXX 2.0 clicca qui
CryptXXX 3.0
Per questo ransomware attualmente non vi sono modi conosciuti per decifrare i file.
Si raccomanda di effettuare un backup dei file cifrati e sperare che vi siano soluzioni in futuro.
Identificato da
sample_extension: .crypt
Per maggiori informazioni riguardo CryptXXX 3.0 clicca qui
Can i hope to decrypt my files?
I tried to to reach the servers indicated on the money request... but they don't run...
How can i contact the hackers?
I would pay ... to have my files...
Help me... thanks
zhyl810 - 1 year ago
Hi Guys,
A new version of these is .canihelpyou, lots of computer in my lab have been infected.
And it seems no solution until now.
superikey - 1 year ago
Love24You
We have been infected by the crypsxxx v3 and all our files have the extn *.cryp1.
You mentioned the that hackers updated the decryption tool and it now works.
We have been unable to get the website to even descrypt one sample file, it simply says "please wait" and has for 4 days now.
Taty2016 - 10 months ago
Hi, I was infected crypxxx v3, extension * .cryp1. Were you able to decrypt all your files? Including images? I'm waiting for my test file to decide whether or not paid the ransom.
Thanks,
superikey - 1 year ago
I thought everyone should know, we paid the ransom (reluctantly) and the tool works just fine and all our files are now encrypted.
wsx00201 - 1 year ago
Downloading and Using the Trend Micro Ransomware File Decryptor
https://esupport.trendmicro.com/solution/en-US/1114221.aspx
selendogan - 1 year ago
my computer infected with cryptolocker at 20.05.2016. All of the files had an extension such 'crypt.' I transferred all data to an external driver and formatted the computer. I upload an example of file to your suggested website and they found 4 possible ransomware: cyptxxx3.0, cryptxxx, chimera,cryptxxx2.0 respectively. I dont know which one is the responsible type but I tried the recent trend mico solution on my doc file. Now i see the word image as decrypted but the office can not open the file and say 'there is a problem with the file content and office can not open the open xml file (original file name). They suggest to use 3rd party corrupted file recovery tool (such as the open source program JPEGSnoop*) but i dont know how to do. this is an only most important file for me. Others can wait the final solution. I tried the kaspersky solution too but it gives the message 'the decryption of files encrypted by this variant of Trojan-Ransom.Win32.CryptXXX is not supported' please help me
Amigo-A - 1 year ago
Info about CryptXXX v.3.1.0.0
https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100
Jack-et - 1 year ago
I got the files named .crypz ! v3.2 ?
scottwww - 1 year ago
A friend has just been attacked this morning
Files are now .crypz as well
irsoy - 1 year ago
infected .crypz
lavalava - 1 year ago
Anyone have any leads on good guys decrypting .crypz?
charly1954 - 11 months ago
"Love24You
We have been infected by the crypsxxx v3 and all our files have the extn *.cryp1.
."
I ran the test to see what kind of ransonware I had and It says I have version 3 and sample_extension: .<5hex>
but where do I look to see the extn on files on my PC I don't see 5hex on any file properties..
Here's an example of the name of one file, since I don't know what it was I have no idea if it was a notebook page, word processor page, or spreadsheet
File name changed to:
1BDC345612817FE672B9DE56F470E21E.802ED
Properties of the file say
Type file: 802ED File (.802ED)
Opens with: Windows Shell Common Dll
NOTE: Waiting and hopeing someone comes up with a decryter soon.