ESET Crysis decryptor to rescue files encrypted by the Crysis ransomware

ESET security firm has included master decryption keys into a decryption tool that allows rescuing the encrypted files without paying the ransom.

Good news for the victims of the Crysis ransomware: ESET has included the master decryption keys in a tool that allows rescuing the encrypted files without paying.

The master decryption keys for the CrySis ransomware were posted on the BleepingComputer forums by a user known as crss7777, who shared a link to a C header file containing the actual master decryption keys and information on how to use them.

“In a surprise move, the master decryption keys for the CrySiS Ransomware have been released early this morning in a post on the forums. At approximately 1 AM EST, a member named crss7777 created a post in the CrySiS support topic at BleepingComputer with a Pastebin link to a C header file containing the actual master decryption keys and information on how to utilize them,” wrote Lawrence Abrams from BleepingComputer.

“These keys have already been used by Kaspersky Labs to update their RakhniDecryptor program so that it can be used to decrypt victim’s files.”


Lawrence Abrams speculates the user crss7777 could be a member of the development team.

“Though the identity of crss7777 is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware,” said Abrams.

“Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.”

The CrySis ransomware was first spotted by ESET in February; it has infected systems mostly in Russia, Japan, South and North Korea, and Brazil.

The malware spreads via email attachments with double file extensions or via malicious links embedded in spam emails.

The ransomware is able to encrypt more than 200 file types, searching for them on internal and external storage and on network shares, and it deletes the Volume Shadow Copy backups so that the originals cannot be restored from them.

The CrySis ransomware appends the .xtbl extension to the encrypted files, renaming each one according to the format [filename].id-[id].[email_address].xtbl.
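The rename scheme above can be turned into a simple triage check. The following is an added example, not code from ESET, Kaspersky or BleepingComputer: it parses names of the form [filename].id-[id].[email_address].xtbl, extracts the original name, the victim id and the attacker contact address, and tallies them over a constructed list of file names. The hexadecimal id, the simple user@domain address shape and the sample names are assumptions.

```python
import os
import re
from collections import Counter

# Pattern for the CrySiS rename scheme: [filename].id-[id].[email_address].xtbl
# Assumptions: the id is hexadecimal and the address is a plain user@domain token.
# The original name may itself contain dots (e.g. archive.tar.gz), so the first
# group is greedy and backtracks to the last ".id-" marker.
CRYSIS_XTBL = re.compile(
    r"^(?P<original>.+)\.id-(?P<id>[0-9A-Fa-f]+)\.(?P<email>[^\s@]+@[^\s@]+?)\.xtbl$"
)

# Constructed sample names; the .invalid domain is reserved and never resolves.
SAMPLE_NAMES = [
    "Q3-report.docx.id-A1B2C3D4.decrypt@example.invalid.xtbl",
    "photo.jpg.id-A1B2C3D4.decrypt@example.invalid.xtbl",
    "notes.txt",
    "archive.tar.gz.id-ffeeddcc.help-me@example.invalid.xtbl",
    "legit.xtbl",  # the extension alone is not enough: no id / address markers
]


def parse_crysis_name(name):
    """Return a dict with original/id/email if the name follows the scheme, else None."""
    match = CRYSIS_XTBL.match(name)
    return match.groupdict() if match else None


def scan_names(names):
    """Classify file names; return (hits, summary).

    hits    - parsed entries for every name that matches the CrySiS scheme
    summary - counts of victim ids and of attacker contact addresses seen,
              which is what an analyst wants when grouping a wave of infections
    """
    hits = [p for p in (parse_crysis_name(n) for n in names) if p]
    summary = {
        "ids": Counter(h["id"].upper() for h in hits),
        "emails": Counter(h["email"].lower() for h in hits),
    }
    return hits, summary


def scan_directory(root):
    """Walk a directory tree and apply scan_names to every file name found."""
    names = [f for _, _, files in os.walk(root) for f in files]
    return scan_names(names)


if __name__ == "__main__":
    hits, summary = scan_names(SAMPLE_NAMES)
    for h in hits:
        print(f"{h['original']!r} encrypted, id={h['id']} contact={h['email']}")
    print(summary)
```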

In June the experts observed a peak in the number of infections, likely due to the demise of TeslaCrypt.

Security experts observed that in Australia and New Zealand the Crysis ransomware was targeting businesses by exploiting remote desktop connections and compromising routers to re-infect cleaned-up computers.

“Crysis (detected by Trend Micro as RANSOM_CRYSIS.A), a ransomware family first detected in February this year, has been spotted targeting businesses in Australia and New Zealand through remote desktop protocol (RDP) brute force attacks,” reported Trend Micro in a blog post.

It is not clear why the crooks released the decryption keys; most likely they were trying to ease the pressure from law enforcement agencies working to identify the operators behind the malware.

ESET has included the decryption keys in a free tool, ESET Crysis decryptor, and published instructions on how to use it.

Pierluigi Paganini
