Last week Kafeine posted an analysis of a new ransomware called CryptXXX on the Proofpoint blog. Based on their analysis they determined that CryptXXX is affiliated with the developers of the Angler Exploit Kit as well as the Reveton screen locking ransomware family.

CryptXXX Ransom Note

When a user is infected with CryptXXX, all of their data will be encrypted and have the .crypt extension appended to the filenames.  The ransomware developers would then demand 500 USD or approximately 1.2 bitcoins to get the decryption key. To make matters worse, this ransomware will also attempt to steal your bitcoin wallet and harvest information and credentials related to your FTP client, instant messenger clients, emails, and browsers.

Thankfully, yesterday Kaspersky released a free decryptor for this ransomware.

Kaspersky releases a free decryptor for CryptXXX files

With the amount of ransomware being released and the torture they bring to people, it is a good day when someone releases a free decryptor for a ransomware program.  Yesterday, Kaspersky was able to figure out a weakness in the CryptXXX ransomware and release a free decryptor that a victim can use to get their files back.

This new decryptor is called RannohDecryptor and will first try to determine the decryption key from an encrypted file on its own. If it cannot, you will need to give the program the same file in both its encrypted and unencrypted form. From this file pair the decryptor derives the key that was used for all of the encrypted files. As a heads up, you will most likely need to find such a pair yourself. Also, the decryptor can only decrypt files that are smaller than the file you derived the key from, so try to use as large a file pair as you can.

Since it's not always easy to find a pair of files large enough to cover all of your encrypted files, one of our members, Gaberr, had a nice trick: find your largest encrypted file and submit it to the free decryption that the CryptXXX developers offer. You will then have an encrypted and unencrypted pair of your largest file that can be used with RannohDecryptor.

If that does not work for some reason, what I usually suggest people do when they need a pair of files (unencrypted + encrypted) is to use the sample pictures found in the C:\Users\Public\Pictures\Sample Pictures folder. These images are always encrypted by ransomware, and their unencrypted versions can easily be downloaded from another computer. To make it easier, I have created a repository of the Windows 7 sample pictures here: https://download.bleepingcomputer.com/public-sample-pictures/sample-pics.zip. If you find that Windows 8 or Windows 10 use different files, let me know and I will upload a repository from those operating systems.
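As an added illustration (not part of the original article and not Kaspersky's code), here is a toy model of why one encrypted/unencrypted pair can unlock the other files and why that pair caps the size of what can be recovered. It assumes a keystream reused across every file; the article does not state CryptXXX's actual cipher, so the toy cipher, secret and file names below are constructed.

```python
import hashlib

# Constructed stand-in for a file encryptor that reuses one keystream across
# every file. NOT CryptXXX's real algorithm (the article does not describe it);
# it only reproduces the two behaviours the article reports: one known pair
# unlocks the other files, and only files no longer than that pair recover.
def toy_keystream(secret: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(secret + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])

def toy_encrypt(secret: bytes, data: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, toy_keystream(secret, len(data))))

def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext step: XOR of the pair reveals exactly as much
    keystream as the pair is long."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("pair must be the same file in both forms")
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))

def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """A file longer than the recovered keystream needs bytes the pair never
    revealed, which is the size limit the article describes."""
    if len(ciphertext) > len(keystream):
        raise ValueError("file is larger than the pair the keystream came from")
    return bytes(k ^ c for k, c in zip(keystream, ciphertext))

def largest_file(encrypted: dict) -> str:
    """Pick the biggest encrypted file as the pair candidate (Gaberr's tip)."""
    return max(encrypted, key=lambda name: len(encrypted[name]))

def recover_all(encrypted: dict, known_plain: dict) -> dict:
    """known_plain maps one encrypted file name to its original bytes.
    Returns {name: decrypted bytes}, or None where the pair was too short."""
    pair_name, plain = next(iter(known_plain.items()))
    keystream = recover_keystream(plain, encrypted[pair_name])
    result = {}
    for name, ct in encrypted.items():
        try:
            result[name] = decrypt_with_keystream(keystream, ct)
        except ValueError:
            result[name] = None
    return result
```

Running `recover_all` with a mid-sized file as the pair leaves the larger files as None, while using `largest_file` for the pair recovers everything.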

Kaspersky RannohDecryptor.exe

To start the decryption process, simply download and execute the above file. When you run the program and click on the Start button, it will ask you to select an encrypted file. Once you select a file, it will try to determine the decryption key. It most likely will not be able to, and will then prompt you to select the same file in both its encrypted and unencrypted form.

Select an encrypted file from the C:\Users\Public\Pictures\Sample Pictures folder, and it will then ask you to select an unencrypted version of the same file. Simply download the corresponding unencrypted image from here and select it. The decryptor should then be able to determine the decryption key and start decrypting your files.

Decrypting your files

When it has finished decrypting your files, you can close the decryption program and remove it from your computer.  It is also suggested that you scan your computer with the antivirus or anti-malware program of your choice to remove any other leftovers.

Updates:

5/13/16 - I zipped up the Windows 7 pics into a single zip.  The guide above was updated with this info.  Kaspersky also released a new decryptor for the CryptXXX 2.0 version.


Files associated with CryptXXX:

de_crypt_readme.bmp
de_crypt_readme.txt
de_crypt_readme.html
%AppData%\[id].dat
%Temp%\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll
%Temp%\{D075E5D0-4442-4108-850E-3AD2874B270C}\api-ms-win-system-provsvc-l1-1-0.dll
%Temp%\{D4A2C643-5399-4F4F-B9BF-ECB1A25644A6}\api-ms-win-system-wer-l1-1-0.dll
%Temp%\{FD68402A-8F8F-4B3D-9808-174323767296}\api-ms-win-system-advpack-l1-1-0.dll