Introduction: I Have Ransomware! CryptXXX File Recovery

About: My brain is a Raspberry Pi and I eat only micro ATX motherboards, occasionally munching on open-source software like Blender as a snack.

It's about time someone actually wrote a detailed webpage on CryptXXX. Keep in mind that if you're reading this in the future, the article was written May 21st 2016 in the afternoon. To my knowledge we only have an A and B variant, but I will try to update this as new variants come out.

What is CryptXXX?

It's a form of ransomware, which encrypts all your files and forces you to pay to get them back. CryptXXX has been identified on many computers over the past few months, and will do all of the following:

  1. Encrypts your data with RSA-2048 (using a public and private key)
  2. Deletes all shadow copies of your files (so you probably can't use Windows Recovery to get your stuff back)
  3. Sends your files to the ransomware developers (THIS INCLUDES ALL INFORMATION!!!)
  4. Changes the extension of all encrypted files to .crypt
  5. Places a file on the desktop and in every infected directory listing all encrypted files
  6. Changes your desktop background to the text shown above

If you see the above image on your desktop, you have CryptXXX.

The exact contents vary based on your region, but they are the same for both the A and B variants. This article shows how to get rid of both and get your stuff back (without paying).

Step 1: Back Up EVERYTHING (if You Can)

Even though your PC is infected, use whatever means you can to back up your encrypted files. Just in case something goes terribly wrong, try to get all important files onto an external storage device. That way you can use the same methods explained below to recover your information from the backup if the original encrypted file is lost.

This also means that if a C variant is released, you can be sure nothing is lost should that variant turn out to have a deletion payload.

Step 2: Change All Sensitive Information

As I write this, a friend of mine has just been infected. This was his home computer, where online transactions were made and where 40 gigabytes of photos were stored.

Who knows what's on your PC; nobody needs your credit card number or pictures that relate to your home and life. Go to every account you have as soon as possible and change your info!

  1. Change your credit card information
  2. Call your bank and check your summary for suspicious activity
  3. Change your passwords on Facebook, Amazon, Ebay, everything!
  4. If you had any extremely sensitive information on your PC (secret locations/illegal content) make sure that you take all possible preparations to save yourself.
  5. Let close friends know just in case: if they used your PC or if you had information relating to them, they can be victims too!
  6. If it is really bad, purchase identity theft protection and get a new card/bank. It's best to start off fresh if you've been an extreme victim.

Step 3: Install Antivirus on All Computers in Your Home!

Install MalwareBytes first of all, and while you're at it get an antivirus.

Use any one (or more) of the following:

  1. COMODO
  2. Kaspersky
  3. HitMan
  4. AVG
  5. Avast
  6. McAfee
  7. Any reputable Windows Antivirus

Step 4: Old Method (See the Next Step for the New Method)

Use the old method if the next step doesn't work. This old method is designed for the A variant, but may work with the B variant.

This requires the following:

  1. A non-encrypted copy of any file on the infected machine
    1. Try to re-download files you got from the internet that are now encrypted
    2. If you have software on your computer that is encrypted, try to install it on another computer and grab a shared file from there.
    3. Any documents you have backed up to an online service or flash drive
  2. The corresponding encrypted file on the infected machine
  3. This software provided by Kaspersky: http://media.kaspersky.com/utilities/VirusUtilitie...

You may wonder how to download the software since your browsers may not launch, but IE is still usable. CryptXXX currently does not infect the files necessary to launch IE; this is most likely so you can use IE to buy bitcoin and pay the ransom. To my knowledge the virus does not block any websites, so you shouldn't run into problems.

From here, the software will launch and you can change its parameters:

  1. Enable all drive types that are encrypted (any flash/network drives attached during encryption can be affected)
  2. DISABLE delete all encrypted files after decryption (just in case something goes wrong and the un-encrypted files are unusable)

Start the scan and point the software at the non-encrypted file from before. It will compare this file to its encrypted version and use that to recreate the same private key that was used to encrypt the file.

Keep in mind that the larger the file you feed the software, the more of your files it will be able to decrypt. Try to get the largest file you can (a video is great because of its large file size).
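To help locate the two inputs the old method needs (an encrypted file and its clean twin) and pick the largest pair first, here is an added Python helper; it is not part of the original article or of the Kaspersky tool. It assumes your clean copies sit in a backup or re-download folder with their original filenames, and that the only visible change CryptXXX made is the appended .crypt extension described above.

```python
import tempfile
from pathlib import Path

CRYPT_SUFFIX = ".crypt"  # CryptXXX appends this to every file it encrypts


def find_crypt_files(root):
    """Every file under root ending in .crypt, i.e. a CryptXXX-encrypted file."""
    return sorted(p for p in Path(root).rglob("*" + CRYPT_SUFFIX) if p.is_file())


def original_name(crypt_path):
    """Strip the appended .crypt to recover the pre-infection filename."""
    return crypt_path.name[: -len(CRYPT_SUFFIX)]


def find_pairs(infected_root, clean_root):
    """Match each encrypted file to an unencrypted copy with the same original
    filename under clean_root (a backup, flash drive or re-download folder).
    Returns (encrypted, clean, size) tuples, largest first, since the decryptor
    recovers more files from a bigger known-plaintext pair."""
    clean_index = {}
    for p in Path(clean_root).rglob("*"):
        if p.is_file():
            clean_index.setdefault(p.name, p)
    pairs = []
    for enc in find_crypt_files(infected_root):
        clean = clean_index.get(original_name(enc))
        if clean is not None:
            pairs.append((enc, clean, clean.stat().st_size))
    pairs.sort(key=lambda t: t[2], reverse=True)
    return pairs


def build_sample_tree(base):
    """Constructed sample data: an 'infected' tree of .crypt files and a
    'backup' tree holding clean copies of two of them (sizes are arbitrary)."""
    infected, backup = Path(base) / "infected", Path(base) / "backup"
    (infected / "photos").mkdir(parents=True)
    (backup / "photos").mkdir(parents=True)
    (infected / "photos" / "trip.jpg.crypt").write_bytes(b"\x00" * 4096)
    (infected / "taxes.pdf.crypt").write_bytes(b"\x00" * 1024)
    (infected / "notes.txt.crypt").write_bytes(b"\x00" * 64)  # no clean copy
    (backup / "photos" / "trip.jpg").write_bytes(b"J" * 4000)
    (backup / "taxes.pdf").write_bytes(b"P" * 1000)
    return infected, backup


def demo():
    """Run the matcher over the constructed tree; returns [(name, size), ...]."""
    with tempfile.TemporaryDirectory() as tmp:
        infected, backup = build_sample_tree(tmp)
        return [(original_name(e), s) for e, _, s in find_pairs(infected, backup)]
```

Point `find_pairs` at your real infected drive and backup folder; the first tuple it returns is the pair to hand to the decryptor.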

Step 5: New Method

For variant B, you really should use this method.

This method does not need a non-encrypted file to recover your work, so simply install the tool and follow whatever steps it asks for.

Download: http://media.kaspersky.com/utilities/VirusUtilitie...

If you run into issues, refer to this page:

https://support.kaspersky.com/viruses/disinfection...

This will take a little longer in most cases, but if a C variant of the virus is released, it may not work.

Step 6: Misc. Information

What files does CryptXXX infect?

These are the file types I know of: .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Do I really have to change all my information in real life?

It's better to be safe than sorry, especially if you have bank information or anything a peeping Tom would want to share. Any web information and passwords were also stolen, so immediately change everything. Tell everyone who has used the computer; if you have kids, let them know (you don't need your 13-year-old's location and intimate details in the hands of who knows who).

The tool didn't work! What do I do now?

I'm going to be honest: do as much web research as you can and see if another solution has been found.

If that doesn't work and you absolutely need your data back, it's best to pay the price. One bitcoin is currently $400 USD, so don't give up if you don't have to.

How did I get this?

CryptXXX is only known to come from email scams, something like a fake FedEx or USPS notification about a package not being delivered or being delayed. DON'T fall for these! Check the email address! If you have had no dealings with the sender, or the email is clearly fake (ex. fedexcustomersuport@aroura33.net), don't even bother! Never download something from an email unless you know who it's from and why it's there (also watch for catchy headlines and obvious grammar issues).