Table of Contents
- 1. What is the CryptXXX Ransomware?
- 2. How the CryptXXX Ransomware encrypts your files
- 3. What should you do when you discover your computer is infected with CryptXXX?
- 4. How do you become infected with CryptXXX?
- 5. What you need to know about CryptXXX and Network Shares
- 6. How to find the infected user that encrypted a Network Share
- 7. The CryptXXX Decrypt Service Payment Site
- 8. Will paying the ransom actually decrypt your files?
- 9. Is it possible to decrypt .CRYPT Files encrypted by CryptXXX for free?
- 10. How to restore .Crypt files encrypted by CryptXXX
- 11. How to restore .Crypt files encrypted by CryptXXX using Shadow Volume Copies
- 12. How to restore .Crypt files that have been encrypted on DropBox folders
- 13. How to prevent your computer from becoming infected by CryptXXX
- 14. How to allow specific applications to run when using Software Restriction Policies
What is the CryptXXX Ransomware?
CryptXXX is a Windows ransomware infection that was discovered by Kafeine (Proofpoint) in the middle of April 2016. This ransomware infection will affect all versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 10. When a victim is infected they will have their files encrypted and then a ransom of about 2.4 bitcoins, or approximately $1,000 USD, will be demanded in order to receive the decryption key.
When CryptXXX infects your computer it will scan all the drive letters for targeted file types, encrypt them, and then append the .crypt extension to them. Once these files are encrypted, they can no longer be opened by your normal programs. When CryptXXX has finished encrypting the victim's files, it will change the desktop wallpaper to an image that acts as a ransom note. It will also display an HTML ransom note in your default browser. These ransom notes include instructions on how to connect to the CryptXXX Decrypt Service, where you can learn more about what happened to your files and how you can make a CryptXXX ransom payment.
How the CryptXXX Ransomware encrypts your files
When CryptXXX is first installed it will scan the computer's local, removable, and mapped drives for file types that it targets for encryption. The extensions targeted by CryptXXX are:
When a file is encrypted it will have the .crypt extension appended to the normal file name. For example, a file named accounting.doc, will be renamed to accounting.doc.crypt.
While your computer's data is being encrypted it will create ransom notes in every folder where a file was encrypted, in the C:\ProgramData folder, and on the Windows desktop. These ransom notes are named:

CryptXXX Ransom Note Names

| Name | Location |
|---|---|
| [victim_id].html | C:\ProgramData |
| [victim_id].bmp | C:\ProgramData |
| !Recovery_[victim_id].bmp | Desktop and all encrypted folders |
| !Recovery_[victim_id].html | Desktop and all encrypted folders |
| !Recovery_[victim_id].txt | Desktop and all encrypted folders |
The [victim_id] is a unique string associated with your computer that identifies you in the malware developer's payment system.
The !Recovery_[victim_id].html ransom note is displayed below.
CryptXXX Ransom Note
An example of the !Recovery_[victim_id].txt ransom note is:
CryptXXX will also change the Windows wallpaper to use the image located at %UserProfile%\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg as shown below.
CryptXXX Wallpaper
Both of these ransom notes will contain your unique Victim ID and URLs to a TOR site where you can learn how much your ransom is and how to make the ransom payment. The payment site for CryptXXX is called the CryptXXX Decrypt Service. For more details about the payment site, please skip to this section.
What should you do when you discover your computer is infected with CryptXXX?
If you discover that your computer is infected with CryptXXX you should immediately shut down your computer and, if possible, create a copy, or image, of your hard drive. This allows you to save the complete state of your hard drive in the event that a free decryption method is developed in the future. For more information on how to do this, feel free to ask in the forums.
Once you have made an image of your drive, restart your computer and save a copy of the ransom notes in case you want to pay the ransom. Then perform a scan with your favorite anti-virus program. Most antivirus and antimalware programs should detect the CryptXXX executables at this point. Unfortunately, most people do not realize CryptXXX is on their computer until it displays the ransom note and your files have already been encrypted. The scans, though, will at least detect and remove any other malware that may have been installed along with the ransomware program.
As always we never recommend you pay the ransom, but if you do plan on doing so, make sure to keep a copy of the ransom notes with your unique ID as you will need it to make a payment.
How do you become infected with CryptXXX?
A user is typically infected by CryptXXX through Exploit Kits and Trojan Downloaders such as Bedep. These exploit kits can be located on hacked sites or through malvertising. When a browser opens one of these exploit kits, it will scan your computer for vulnerable programs and attempt to exploit them to install and start the ransomware without your knowledge.
Therefore, it is imperative that everyone keeps Windows and their installed programs up-to-date. You can use these tutorials for more information on keeping your Windows installation and installed programs updated:
How to update Windows
How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector (PSI)
What you need to know about CryptXXX and Network Shares
CryptXXX can only encrypt files on mapped network shares. It does not have the ability to scan for unmapped shares and encrypt the files found on them.
How to find the infected user that encrypted a Network Share
For many system administrators, finding the infected computer that encrypted a network share can be a frustrating experience. When trying to figure this out, I always recommend that you check the properties of an encrypted file and check who the owner of the file is. You can use this owner to then pinpoint the infected machine.
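The owner check described above, done from a script so it scales to a whole share, as an added example that is not part of the original guide. It lists which account owns the .crypt files (the encrypting process runs as the infected user, so files it creates are owned by that user) and then looks up where that account's network logons to the file server came from. Assumptions: it runs on the file server with read access to the share, successful logon auditing is enabled, and the share path and account are placeholders.

```powershell
# Added example, not part of the original guide. Placeholders: share path, account.

function Get-CryptFileOwners {
    param([Parameter(Mandatory)][string]$SharePath)
    Get-ChildItem -LiteralPath $SharePath -Filter '*.crypt' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
                Modified = $_.LastWriteTime
                File     = $_.FullName
            }
        } |
        Group-Object -Property Owner |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Modified)
            [pscustomobject]@{
                Owner     = $_.Name
                Files     = $_.Count
                FirstSeen = $sorted[0].Modified    # roughly when the encryption started
                LastSeen  = $sorted[-1].Modified
            }
        } |
        Sort-Object Files -Descending
}

function Get-NetworkLogonSources {
    # Security event 4624 with logon type 3 (network) records the client address
    # and workstation name that authenticated to this server as the given account.
    param(
        [Parameter(Mandatory)][string]$Account,   # DOMAIN\user, as reported by Owner above
        [int]$MaxEvents = 5000
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d.LogonType -eq '3' -and "$($d.TargetDomainName)\$($d.TargetUserName)" -eq $Account) {
                [pscustomobject]@{ Time = $_.TimeCreated; SourceIP = $d.IpAddress; Workstation = $d.WorkstationName }
            }
        } |
        Group-Object SourceIP, Workstation |
        Select-Object Count, Name
}

# Usage with placeholder values
$owners = @(Get-CryptFileOwners -SharePath '\\FILESERVER\Shared')
$owners | Format-Table -AutoSize
if ($owners.Count -gt 0) {
    # The account with the most .crypt files is the one to chase back to a machine
    Get-NetworkLogonSources -Account $owners[0].Owner | Format-Table -AutoSize
}
```

The FirstSeen timestamp also tells you how far back a shadow copy or backup must reach to predate the encryption.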
The CryptXXX Decrypt Service Payment Site
The developers of CryptXXX created a TOR payment site called the Decrypt Service. This site can be used by victims to pay the ransom and download a decryptor. When you visit this site you will receive information about your encrypted files and learn how to pay the ransom. Links to this site can be found in the ransom notes created on your Windows desktop and other locations on your computer. Once you visit the site you can pay the ransom, which is currently around $1,000 USD, by sending Bitcoins to the specified address.
Once a payment is made, the web site will wait for a certain number of bitcoin confirmations before your private key will be made available to you. Once there have been enough confirmations, the decryptor will be made available to you for download.
CryptXXX Decryptor from Paying the Ransom
Please note that each victim has their own unique decryptor that will not work with any other infected computer. Therefore, the decryptor for one victim will NOT work on another victim's computer.
Will paying the ransom actually decrypt your files?
First and foremost, only pay the ransom if you have absolutely no choice. By paying the ransom you just encourage the malware developers to continue making ransomware infections like CryptXXX.
With that said, if you have no choice, then yes, the ransomware developers will provide the decryption program if you pay the ransom. They know that if they do not deliver on their promises after making a payment, word will get out and no one else will pay.
Once you pay the ransom and it is verified, a download link will appear on your CryptXXX Decryptor Page that will allow you to download a decryptor. Please note that the decryption process can take quite a bit of time.
Is it possible to decrypt .CRYPT Files encrypted by CryptXXX for Free?
CryptXXX has had three versions released as of 5/24/16. Of these released versions, Version 1 and Version 2 can be decrypted for free using Kaspersky's RannohDecryptor. If you are infected with Version 3.0, then RannohDecryptor does not currently work on it.
Unfortunately, there is no easy way to tell which version of CryptXXX you are encrypted with other than by the date you were infected. If you were infected before 5/23/16, then you were most likely infected with Version 1 or Version 2. If you were infected on 5/23/16 or later, then you are affected by Version 3.0.
To be safe, I recommend you follow these steps to see if RannohDecryptor can decrypt your files. If it is unable to, then you are most likely infected with Version 3.0 and will have to wait to see if Kaspersky can update their decryptor.
When you run RannohDecryptor it will try to determine the decryption key from an encrypted file. If it is unable to do so, a victim will need to input into the program the same file in its encrypted and unencrypted form. Using this file pair, the decryptor can then determine the decryption key used by all of the encrypted files. As a heads up, you will most likely need to find a pair of files that are both encrypted and unencrypted. Also, the decryptor will only be able to decrypt files that are smaller than the files you derived the key from. Therefore, try to use a large file pair.
Since it's not always easy to find a pair of files that are large enough to work for all of your encrypted files, what I usually suggest people do when they need a pair of files (unencrypted + encrypted) is to use the sample pictures found in the C:\Users\Public\Pictures\Sample Pictures folder. These images are always encrypted by a ransomware and their unencrypted versions can easily be downloaded from another computer. To make it easier, I have created a repository of the Windows 7 sample pictures here: http://download.bleepingcomputer.com/public-sample-pictures/sample-pics.zip. If you find Windows 8 or Windows 10 use different files, let me know and I will upload a repository from those operating systems.
RANNOHDECRYPTOR.EXE
To start the decryption process, simply download and execute the above file. When you run the program and click on the Start button it will ask you to select an encrypted file. Once you select a file, it will try to determine the decryption key. It most likely will not be able to do so and will prompt you to select a pair of the same file that are encrypted and unencrypted.
Select an encrypted file from the C:\Users\Public\Pictures\Sample Pictures folder and it will then ask you to select an unencrypted version of the same file. Simply download the corresponding unencrypted image from here and select it. The decryptor should then be able to determine the decryption key and start decrypting your files.
Decrypting your files
When it has finished decrypting your files, you can close the decryption program and remove it from your computer. It is also suggested that you scan your computer with the antivirus or anti-malware program of your choice to remove any other leftovers.
How to restore .Crypt files encrypted by CryptXXX if the decryptor does not work
The only way to recover CryptXXX encrypted files is to try and restore them from a backup, from file recovery software, or, if you are lucky, from the Shadow Volume Copies. I have outlined different methods below that you can use to attempt to recover your files.
Method 1: Backups
The first and best method is to restore your data from a recent backup. If you have been performing backups, then you should use your backups to restore your data.
Method 2: Shadow Volume Copies
Surprisingly, on a recent test CryptXXX did not properly wipe the Shadow Volume Copies. So I suggest that everyone try recovering their files using Shadow Volumes in the event that they were not deleted correctly. For more information on how to restore your files via Shadow Volume Copies, please see the link below:
How to restore files encrypted by CryptXXX using Shadow Volume Copies
Method 3: File Recovery Software
When CryptXXX encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may be able to use file recovery software such as R-Studio or Photorec to possibly recover some of your original files. It is important to note that the more you use your computer after the files are encrypted the more difficult it will be for file recovery programs to recover the deleted un-encrypted files.
Method 4: Restore DropBox Folders
If you had your dropbox account mapped as a drive letter then it is possible that its contents were encrypted by CryptXXX. If this is the case you can use the link below to learn how to restore your files.
How to restore files that have been encrypted on DropBox folders
How to restore .Crypt files encrypted by CryptXXX using Shadow Volume Copies
If you had System Restore enabled on the computer, Windows creates shadow copy snapshots that contain copies of your files from the point in time when the system restore snapshot was created. These snapshots may allow us to restore a previous version of our files from before they had been encrypted. This method is not foolproof, though, as even though these files may not be encrypted they also may not be the latest version of the file. Please note that Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.
In this section we provide two methods that you can use to restore files and folders from the Shadow Volume Copy. The first method is to use native Windows features and the second method is to use a program called ShadowExplorer. It does not hurt to try both and see which methods work better for you.
Using native Windows Previous Versions:
To restore individual files you can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up as shown in the image below.
To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to. If you wish to restore the selected file and replace the existing one, click on the Restore button. If you wish to view the contents of the actual file, you can click on the Open button to see the contents of the file before you restore it.
This same method can be used to restore an entire folder. Simply right-click on the folder and select Properties and then the Previous Versions tab. You will then be presented with a similar screen as above where you can either Copy the selected backup of the folder to a new location or Restore it over the existing folder.
Using ShadowExplorer:
You can also use a program called ShadowExplorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.
When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.
To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.
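The same whole-folder restore done from a script, as an added example that is not part of the original guide and not ShadowExplorer's code. It lists the shadow copies of a volume, picks the newest one taken before the encryption started, exposes it through a directory symbolic link and copies the folder out, leaving behind any .crypt files and ransom notes already present in the snapshot. Assumptions: it runs elevated; the volume, folder, cutoff time and destination are placeholders.

```powershell
# Added example, not part of the original guide. Placeholders: volume, folder, cutoff, destination.

function Get-VolumeShadowCopies {
    param([Parameter(Mandatory)][string]$Volume)   # e.g. 'C:\'
    # Win32_ShadowCopy names the volume by its \\?\Volume{GUID}\ id, so map the drive letter to it
    $volumeId = (Get-CimInstance -ClassName Win32_Volume | Where-Object Name -eq $Volume).DeviceID
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object VolumeName -eq $volumeId |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, DeviceObject
}

function Restore-FolderFromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$Volume,
        [Parameter(Mandatory)][string]$Folder,        # relative to the volume root
        [Parameter(Mandatory)][datetime]$Before,      # the snapshot must predate this
        [Parameter(Mandatory)][string]$Destination
    )
    $snap = Get-VolumeShadowCopies -Volume $Volume | Where-Object InstallDate -lt $Before | Select-Object -First 1
    if (-not $snap) { throw "No shadow copy of $Volume older than $Before; the snapshots were deleted or never taken" }
    Write-Host "Using snapshot $($snap.ID) taken $($snap.InstallDate)"

    # The snapshot is only reachable through its device path; a directory symbolic
    # link (trailing backslash required) makes it browsable like a normal folder.
    $link = Join-Path $env:SystemDrive 'shadow_snapshot'
    cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
    try {
        # /E copies subfolders; /XF skips files encrypted before the snapshot and the ransom notes
        robocopy (Join-Path $link $Folder) $Destination /E /XF '*.crypt' '!Recovery_*' /R:1 /W:1 /NP
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    } finally {
        # rmdir on a symbolic link removes only the link, not the snapshot contents
        cmd /c rmdir "$link" | Out-Null
    }
}

# Usage with placeholder values: the cutoff is when .crypt files first appeared
Restore-FolderFromShadowCopy -Volume 'C:\' -Folder 'Users\Public\Pictures' `
    -Before (Get-Date '2016-05-23 09:00') -Destination 'D:\Recovered\Pictures'
```

Run Get-VolumeShadowCopies on its own first: if it returns nothing, the snapshots are gone and this method will not help.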
How to restore .Crypt files that have been encrypted on DropBox folders
If you have DropBox mapped to a drive letter on an infected computer or synchronized to a folder, CryptXXX will attempt to encrypt the files on it. DropBox offers free versioning on all of its accounts that will allow you to restore encrypted files through their website. Unfortunately, the restore process offered by DropBox only allows you to restore one file at a time rather than a whole folder. If you need instructions on restoring an entire folder in DropBox, please click here.
To restore a file, simply login to the DropBox web site and navigate to the folder that contains the encrypted files you wish to restore. Once you are in the folder, right-click on the encrypted file and select Previous Versions as shown in the image below.
When you click on Previous versions you will be presented with a screen that shows all versions of the encrypted file.
Select the version of the file you wish to restore and click on the Restore button to restore that file.
Unfortunately the process outlined above can be very time consuming if there are many folders to restore. In order to restore an entire folder of encrypted files, you can use the dropbox-restore python script located here. Please note that this script requires Python to be installed on the encrypted computer to execute the script. Instructions on how to use this script can be found in the README.md file for this project.
How to prevent your computer from becoming infected by CryptXXX
There are a few methods and utilities that we recommend in order to protect your computer from ransomware infections. Three of the methods are the Emsisoft Anti-Malware, HitmanPro: Alert, and Malwarebytes Anti-Ransomware programs. The fourth option is to utilize Software Restriction Policies that prevent programs from being allowed to execute from certain locations. In full disclosure, BleepingComputer.com makes a commission off of the sales of Emsisoft Anti-Malware, HitmanPro: Alert, and CryptoPrevent, but does not from Malwarebytes Anti-Ransomware.
Emsisoft Anti-Malware:
Emsisoft Anti-Malware, or EAM, has a feature called behavior blocker that has a proven track record of blocking ransomware before it can start encrypting data on your computer. Unlike traditional antivirus definitions, EAM's behavior blocker examines the behavior of a process and if this behavior contains certain characteristics commonly found in malware it will prevent it from running. Using this detection method, the behavior blocker detects when a process is scanning a computer for files and then attempting to encrypt them. If it discovers this behavior, it will automatically terminate the process.
According to an article at Emsisoft's site, EAM's behavior blocker was able to block 20 crypto-ransomware families without the use of signatures.
You can find more information about Emsisoft Anti-Malware and behavior blocker here: https://www.emsisoft.com/en/software/antimalware/
HitmanPro: Alert:
HitmanPro: Alert is a great program as well but is designed as a full featured anti-exploit program and is not targeted exclusively at ransomware infections. Alert provides protection from computer vulnerabilities and malware that attempts to steal your data. Unfortunately, because this program has a much broader focus it sometimes needs to be updated as new ransomware is released. As long as you stay on top of the updates, HitmanPro: Alert offers excellent protection.
You can find more information about HitmanPro: Alert here: http://www.surfright.nl/en/alert
Malwarebytes Anti-Ransomware
Malwarebytes Anti-Ransomware is another program that does not rely on signatures or heuristics, but instead detects behavior that is consistent with what is seen in ransomware infections. At this point, Malwarebytes Anti-Ransomware is currently in beta, so be careful about using this in a production environment until the kinks are worked out.
You can download and get more information about Malwarebytes Anti-Ransomware here: https://www.bleepingcomputer.com/download/malwarebytes-anti-ransomware/
Configure Application Whitelisting:
A very secure method of preventing a ransomware, or almost any other malware, infection is to use a method called Application Whitelisting. Application whitelisting is when you lock down Windows so that all executables are denied except for those that you specifically allow to run. Since you are only allowing programs you trust to run, if you are infected the malware executable would not be able to run and thus could not infect you. For those who are interested in learning more about application whitelisting, you can view this tutorial: How to create an Application Whitelist Policy in Windows.
Use Software Restriction Policies to block executables in certain file locations:
You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific file locations. For more information on how to configure Software Restriction Policies, please see these articles from MS:
http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx
The file paths that have been used by this infection and its droppers are:
C:\Users\<User>\AppData\Local\<random>.exe (Vista/7/8)
C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)
C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)
%Temp%
C:\Windows
In order to block CryptXXX, and other ransomware, you want to create Path Rules so that they are not allowed to execute. To create these Software Restriction Policies, you can either use the CryptoPrevent tool or add the policies manually using the Local Security Policy Editor or the Group Policy Editor. Both methods are described below.
How to use the CryptoPrevent Tool:
FoolishIT LLC was kind enough to create a free utility called CryptoPrevent that automatically adds the suggested Software Restriction Policy Path Rules listed above to your computer. This makes it very easy for anyone using Windows XP SP 2 and above to quickly add the Software Restriction Policies to your computer in order to prevent CryptXXX, and other ransomware, from being executed in the first place. This tool is also able to set these policies in all versions of Windows, including the Home versions.
A new feature of CryptoPrevent is the option to whitelist any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it will make sure the restrictions that are put in place do not affect legitimate applications that are already installed on your computer. To use this feature make sure you check the option labeled Whitelist EXEs already located in %AppData% / %LocalAppData% before you press the Block button.
You can download CryptoPrevent from the following page:
For more information on how to use the tool, please see this page:
Once you run the program, simply click on the Apply Protection button to add the default Software Restriction Policies to your computer. If you wish to customize the settings, then please review the checkboxes and change them as necessary. If CryptoPrevent causes issues running legitimate applications, then please see this section on how to enable specific applications. You can also remove the Software Restriction Policies that were added by clicking on the Undo button.
How to manually create Software Restriction Policies to block CryptXXX:
In order to manually create the Software Restriction Policies you need to be using Windows Professional or Windows Server. If you want to set these policies for a particular computer you can use the Local Security Policy Editor. If you wish to set these policies for the entire domain, then you need to use the Group Policy Editor. Unfortunately, if you are a Windows Home user, the Local Policy Editor is not available and you should use the CryptoPrevent tool instead to set these policies. To open the Local Security Policy editor, click on the Start button and type Local Security Policy and select the search result that appears. You can open the Group Policy Editor by typing Group Policy instead. In this guide we will use the Local Security Policy Editor in our examples.
Once you open the Local Security Policy Editor, you will see a screen similar to the one below.
Once the above screen is open, expand Security Settings and then click on the Software Restriction Policies section. If you do not see the items in the right pane as shown above, you will need to add a new policy. To do this click on the Action button and select New Software Restriction Policies. This will then enable the policy and the right pane will appear as in the image above. You should then click on the Additional Rules category and then right-click in the right pane and select New Path Rule.... You should then add a Path Rule for each of the items listed below.
If the Software Restriction Policies cause issues when trying to run legitimate applications, you should see this section on how to enable specific applications.
Below are a few Path Rules that we suggest you use to not only block the infections from running, but also to block attachments from being executed when opened in an e-mail client.

Block executables in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block executables in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %LocalAppData%.

Block executables in %AppData%\[subfolder]\
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables in %LocalAppData%\[subfolder]\
Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %LocalAppData%.

Block executables running from archive attachments opened with WinRAR
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables running from archive attachments opened with 7zip
Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables running from archive attachments opened with WinZip
Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables running from archive attachments opened using Windows built-in Zip support
Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
You can see an event log entry and alert showing an executable being blocked:
If you need help configuring this, feel free to ask in the CryptXXX Support Topic
How to allow specific applications to run when using Software Restriction Policies
If you use Software Restriction Policies, or CryptoPrevent, to block CryptXXX you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user's profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.
Thankfully, when Microsoft designed Software Restriction Policies they made it so a Path Rule that specifies a program is allowed to run overrides any path rules that may block it. Therefore, if a Software Restriction Policy is blocking a legitimate program, you will need to use the manual steps given above to add a Path Rule that allows the program to run. To do this you will need to create a Path Rule for a particular program's executable and set the Security Level to Unrestricted instead of Disallowed as shown in the image below.
Once you add these Unrestricted Path Rules, the specified applications will be allowed to run again.
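The Path Rules from the manual Software Restriction Policies section and the Unrestricted rule from this section, written by a script instead of through the editor, as an added example that is not part of the original guide and not CryptoPrevent's code. It stores each rule as the GUID-named registry subkey the Local Security Policy editor itself uses, picks the XP or Vista/7/8 form of the %LocalAppData% paths automatically, and adds one Unrestricted rule for a legitimate program that installs under the user profile. Assumptions: it runs elevated; Software Restriction Policies have already been enabled once with "New Software Restriction Policies" in the editor; the allowed program path is a placeholder.

```powershell
# Added example, not part of the original guide. Placeholder: the allowed program path.

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels   = @{ Disallowed = 0; Unrestricted = 262144 }   # security-level subkeys used by SRP

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Disallowed', 'Unrestricted')][string]$Level,
        [string]$Description = ''
    )
    # Each rule is a GUID-named subkey under <level>\Paths
    $key = Join-Path $SaferKey "$($Levels[$Level])\Paths\{$([guid]::NewGuid().ToString())}"
    New-Item -Path $key -Force | Out-Null
    # ItemData is REG_EXPAND_SZ, so %AppData% and friends expand per user when the rule is evaluated
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    $key
}

function Get-SrpPathRules {
    # Read back every path rule so the result can be checked against the editor
    foreach ($name in $Levels.Keys) {
        $paths = Join-Path $SaferKey "$($Levels[$name])\Paths"
        if (Test-Path $paths) {
            Get-ChildItem $paths | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                [pscustomobject]@{ Level = $name; Path = $p.ItemData; Description = $p.Description }
            }
        }
    }
}

# XP keeps local profile data under "Local Settings"; Vista and later expose %LocalAppData%
$localDir = if ([Environment]::OSVersion.Version.Major -lt 6) { '%UserProfile%\Local Settings' } else { '%LocalAppData%' }

$blockRules = @(
    @{ Path = '%AppData%\*.exe';            Description = "Don't allow executables to run from %AppData%." },
    @{ Path = "$localDir\*.exe";            Description = "Don't allow executables to run from %LocalAppData%." },
    @{ Path = '%AppData%\*\*.exe';          Description = "Don't allow executables to run from immediate subfolders of %AppData%." },
    @{ Path = "$localDir\*\*.exe";          Description = "Don't allow executables to run from immediate subfolders of %LocalAppData%." },
    @{ Path = "$localDir\Temp\Rar*\*.exe";  Description = 'Block executables run from archive attachments opened with WinRAR.' },
    @{ Path = "$localDir\Temp\7z*\*.exe";   Description = 'Block executables run from archive attachments opened with 7zip.' },
    @{ Path = "$localDir\Temp\wz*\*.exe";   Description = 'Block executables run from archive attachments opened with WinZip.' },
    @{ Path = "$localDir\Temp\*.zip\*.exe"; Description = 'Block executables run from archive attachments opened using Windows built-in Zip support.' }
)
foreach ($r in $blockRules) { Add-SrpPathRule -Path $r.Path -Level Disallowed -Description $r.Description | Out-Null }

# A rule naming one specific executable is more specific than the folder wildcards above,
# so it takes precedence and lets that program run again (placeholder path).
Add-SrpPathRule -Path '%LocalAppData%\ExampleVendor\ExampleApp.exe' -Level Unrestricted `
    -Description 'Allow ExampleApp, which installs under the user profile (placeholder).' | Out-Null

Get-SrpPathRules | Sort-Object Level, Path | Format-Table -AutoSize
```

Open the Local Security Policy editor afterwards and the rules appear under Additional Rules exactly as if they had been added by hand, which also lets you delete them the same way.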