Crysis ransomware master keys posted to Pastebin

Some days, you get lucky. Maybe you’ve got a bit of technical savvy, or maybe you can get help from a friend who can help you get untangled from ransomware without paying up.

Then there are the less-lucky days: like when your files are caught in a chokehold by one of the most recent file-encrypting ransomware variants, like CryptoLocker, CryptoWall, TeslaCrypt, or the most recent, WannaCry.

On such luckless days, you have to decide whether to pay up or give up: a question regarding which Sophos has mostly taken a neutral stance. After all, some organizations, such as hospitals, can feel like they simply have no choice.

But then there those most rare of ransomware days: the days when you’re graced, for whatever reason, with a get-out-of-jail free card for your encrypted files.

Today is one of those days: if you haven’t already deleted files that crooks encrypted with the Crysis ransomware, you’re in luck. Here’s a bonus: the keys can also be used to decrypt files encrypted with .wallet and .onion extensions.

A member of BleepingComputer.com forums named lightsentinelone has posted a Pastebin link that leads to a C header file with 198 decryption keys. According to BleepingComputer, the keys have been confirmed as valid. Security researchers have used them to create a Wallet Ransomware decryptor.

He or she didn’t give a rationale, but did include this jovial message:

Enjoy!

This isn’t the first time we’ve seen ransomware keys released. A year ago, the TeslaCrypt ransomware gang did the same thing.

Then too, in July 2016, the operators behind the Petya and Mischa double-pack of ransomware trouble skewered a rival gang by releasing about 3,500 RSA private keys for Chimera.

Keys for Dharma, based on Crysis, first appeared in November 2016, and the keys were released in March.

Of course, just like with earlier key releases, this latest one isn’t going to be joyous for all victims. It’s good news only for those who’ve been hit recently and who haven’t yet paid up, or victims who backed up their already-encrypted data just in case.

We can only conjecture as to the motivations behind key release. Fellow Naked Security writer Paul Ducklin came up with this list of possibilities with an earlier key release:

  • The crooks are genuinely sorry, and have retired in a fit of conscience.
  • The crooks were hacked by another gang, who spilled the master key to ruin their rivals’ business.
  • The crooks have switched their time and effort to newer ransomware.
  • The crooks have made so much money that they want to retire in a media-friendly way before they get caught.

Then too, there’s the gang war possibility: do it as a way to pull the rug out from under the competition!

Researchers at security firm ESET say that this is the third Crysis key release we’ve seen. ZDNet quoted them:

This has become a habit of the Crysis operators lately—with this being the third time keys were released in this manner. Since the last set of decryption keys was published, Crysis ransomware attacks have been detected by our systems over ten thousand times.

ESET has taken the latest Crysis keys and created a decryption tool that you can download here.