Belgian Federal Police together with Kaspersky Lab have released a free decryption tool for some versions of the Cryakl ransomware.
In a joint statement released through Europol, Belgian police said they were able to track down one of Cryakl ransomware's command-and-control (C&C) servers to a data center in one of Belgium's neighboring countries.
Belgian authorities seized this and other servers and then performed forensic analysis to retrieve Cryakl decryption keys stored on the server.
Kaspersky Lab experts integrated the newly discovered decryption keys in the company's RakhniDecryptor, a generic ransomware decryption utility that can be used to decrypt many other ransomware strains as well.
The Cryakl ransomware was first spotted in September 2015 and remained active through the years. Its most prolific period was late 2015 to mid-2016 when Kaspersky Lab statistics ranked it as one of the most active ransomware strains [1, 2]. Ransomware distribution died down in the subsequent period, but the ransomware has remained active and new versions have continued to appear, even recently. For example, Cryakl version 22.214.171.124 was detected over 50 times on the ID-Ransomware portal this year alone, while version 126.96.36.199 has been seen over 100 times since December 26, last year.
Kaspersky experts found encryption flaws in early versions of the Cryakl ransomware. The RakhniDecryptor utility has included support for decrypting these early Cryakl versions for at least two years.
Subsequent Cryakl versions were not decryptable, but with the new decryption keys obtained by Belgian police, some victims who made backups of Cryakl-encrypted files can now hope to recover their data.
The updated RakhniDecryptor utility can be downloaded via the NoMoreRansom project's website. Belgian Federal Police also became an official member of the NoMoreRansom project with today's announcement. Cypriot and Estonian police also joined the project, which now numbers 52 members from law enforcement and the private (security and non-security) sector.
Belgian police also became the second law enforcement agency to provide decryption keys to the NoMoreRansom project after Dutch police did so numerous times in the past.
If victims need help with the Cryakl ransomware decryption process, they can ask for it on Bleeping Computer's Cryakl ransomware support forum.
For those infected with the FairyTale version of Cryakl for whom the decryptor at NoMoreRansom does not work, another decryptor has been posted at Experts-Exchange.com.
This decryptor supports the following types of encrypted files:
This tool is for files with filenames that look like this:
firstname.lastname@example.org-CL 188.8.131.52.id-#########-12@11@2017 3@23@45 AM7563453.fname-README.txt.fairytail
- or -
email@example.com-CL 184.108.40.206.id-#########-12@11@2017 3@23@45 AM7563453.fname-README.txt.fairytail