Yesterday, Emsisoft's CTO and malware researcher Fabian Wosar released a decryptor for the CryptON Ransomware. This ransomware has been around since the end of February and has had a few variants released. It was named CryptON based on a string found within the executable.

The current list of known extensions used by CryptON and that can be decrypted are:

.id-_locked
.id-_locked_by_krec
.id-_locked_by_perfect
.id-_x3m
.id-_r9oj
.id-_garryweber@protonmail.ch
.id-_steaveiwalker@india.com_
.id-_julia.crown@india.com_
.id-_tom.cruz@india.com_
.id-_CarlosBoltehero@india.com_
.id-_maria.lopez1@india.com_

Example ransom note screens are:

.id-<id>_julia.crown@india.com_ Ransom Note
.id-_julia.crown@india.com_ Ransom Note
nemsis-decryptor@india.com Variant
nemsis-decryptor@india.com Variant
Source: Emsisoft

For those who have been infected by the CryptON Ransomware and have files that are encrypted, you can use the guide below to decrypt the files for free. If you need help decrypting your files, feel free to ask in the CryptON Ransomware Help Topic.

How to Decrypt the CryptON Ransomware

Victims of the CryptON ransomware can be identified by their files being encrypted and renamed to the format of [filename].[id]_[unique_designator]. For example, a variant would have a file named test.jpg renamed and encrypted as test.jpg.id-_maria.lopez1@india.com_. An example of a folder of encrypted files is seen below:

Crypton Encrypted Files
Crypton Encrypted Files

To decrypt files encrypted by the Crypton ransomware, you need to first download the Crypton Decryptor below.

img
Crypton Decryptor

In order to decrypt your files, you need to drag an encrypted file and unencrypted version of the same file onto the decrypt_CryptON.exe icon at the same time.  So you would select both the encrypted and unencrypted version of a file and drag them both onto the executable.  When trying to find a pair of files to use with the decryptor, you can use the sample pictures found in the C:\Users\Public\Pictures\Sample Pictures folder. Just look at the file sizes and pick an unencrypted sample picture and an encrypted sample picture that have the same size.

Once the key is discovered that was used to encrypt this pair of files, the same key can then be used to decrypt ALL other files on your computer.

To show what I mean about dragging both files at the same time, see the animated picture below. To create the key, I created a folder on my desktop called Decrypt and copied an encrypted JPG file, its unencrypted counterpart, and the CryptON decryptor into the folder. I then dragged both the regular JPG file and the encrypted one onto the decryptor at the same time.

How to drag the files onto the Decrypter
How to drag the files onto the Decrypter

When the program starts, you will be presented with a UAC prompt as shown below. Please click on Yes button to proceed. The decrypter will start to brute force the decryption key. This can take quiet a long time, so please be patient while the key is discovered.

Brute Forcing the Decryption Key
Caption

When a key was able to be brute forced, it will display it an a new window like the one below. 

Decryption Key Found
Decryption Key Found

To start decrypting your files with this key, please click on the OK button.  You will then be presented with a license agreement that you must click on Yes to continue. You will now see the main Decrypter screen that displays a list of drives that will be decrypted. If there are any drive letters missing, please manually add them by clicking on the Add Folder button.

CryptON Decryptor
CryptON Decryptor

Once you have added all the folders you wish to decrypt, click on the Decrypt button to begin decrypting the CryptON encrypted files. Once you click Decrypt, the program will decrypt all the encrypted files and display the decryption status in a results screen like the one below.

Decrypting Files
Decrypting Files

When it has finished, the Results tab will state Finished! and all of your files should now be decrypted.

Decryption Finished
Decryption Finished

Though your files are not decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted files into one folder so you can delete or archive them.

You can now close the decryptor and use your computer as normal.If you need help using this decrypter, please ask in our CryptON Ransomware Help Topic.

Ransom Note Text:


                                        !!!SEUS ARQUIVOS FORAM CRIPTOGRAFADOS!!!   

Sua identificacao pessoal:

-------------------------
id-1423636102
-------------------------

Para receber o decodificador deve pagar pela descodificacao.

Compre 0.5 BTC nestes sites:

https://localbitcoins.com
https://www.coinbase.com

ENDERECO BITCOIN PARA PAGAR:

-------------------------------------
13KgENVkikJWKYZ8qUk3uRx2Nefxtkyrbw
-------------------------------------

Envie 0.5 BTC para a decodificacao

Depois de pagar:
        
1. Enviar captura de ecra ou foto do pagamento para o endereco: julia.crown@india.com

2. Se voce quiser permanecer anonimo ou se voce nao esta recebendo uma resposta, tente usar a mensagem bit (bitmessage.ch) e use este endereco para entrar em contato comigo: 
BM-2cUKVoCsrKnm5mnZnyG7BAKSr9U56bL6Nz@bitmessage.ch . Este metodo funcionara 100%.

3. No e-mail deve incluir o sua identificacao pessoal (id-1423636102).

Em seguida, voce recebera o descodificador e instrucoes.

                          


!!! Atencao !!!

- Voce realmente obter o decifrador apos o pagamento.
- Tentativas de auto-descriptografar arquivos resultara na perda de seus dados.
- Os descodificadores de outros usuarios nao sao compativeis com seus dados, porque a chave de criptografia unica de cada usuario