Crysis first broke onto the scene in June, after competitor TeslaCrypt apparently ceased operations and tens of thousands of users began downloading the free decryptor for it.
Detected as Win32/Filecoder.Crysis, the ransomware was able to encrypt files on fixed, removable and network drives using strong encryption algorithms, according to Eset.
“During our research we have seen different approaches to how the malware is spread. In most cases, Crysis ransomware files were distributed as attachments to spam emails, using double file extensions. Using this simple – yet effective – technique, executable files appear as non-executable,” Eset’s security evangelist, Ondrej Kubovic, wrote at the time.
“Another vector used by the attackers has been disguising malicious files as harmless looking installers for various legitimate applications, which they have been distributing via various online locations and shared networks.”
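A defender's check for the double-extension lure Kubovic describes, written here as an added example that is not from the article, Eset or the Crysis sample itself: it flags attachment names whose final extension Windows would execute while an earlier one imitates a document, so the real file type is hidden when extensions are not shown. The extension lists and the sample attachment names are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Extensions Windows runs as code when the file is opened (assumed list).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1",
}
# Benign-looking extensions a lure typically borrows (assumed list).
DOCUMENT_EXTS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
    ".jpg", ".jpeg", ".png", ".zip",
}


def classify_attachment(name: str) -> str:
    """Return 'ok', 'executable' or 'double-extension' for one filename."""
    # suffixes splits "invoice.pdf.exe" into [".pdf", ".exe"]; strip() defeats
    # the padding-with-spaces trick ("invoice.pdf      .exe").
    suffixes = [s.strip().lower() for s in PureWindowsPath(name).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        return "double-extension"
    return "executable"


def flag_attachments(names):
    """Map every suspicious attachment name to its verdict; clean names are omitted."""
    verdicts = {n: classify_attachment(n) for n in names}
    return {n: v for n, v in verdicts.items() if v != "ok"}


# Constructed attachment names standing in for a mail gateway's log.
SAMPLE_ATTACHMENTS = [
    "invoice_2016.pdf.exe",   # classic double extension
    "Photo.JPG.scr",          # screensaver disguised as an image
    "quarterly_report.pdf",   # genuine document
    "archive.tar.gz",         # two suffixes, neither executable
    "setup.exe",              # plain executable, still worth a look
]

if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:17} {name}")
```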
Crysis also achieved persistence by setting registry entries that caused it to be executed at every system start.
Eset prepared the free decryptor tool after a user known as ‘crss7777’ dumped the master decryption keys last week in a post on the BleepingComputer.com forums.
“Though the identity of ‘crss7777’ is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware,” wrote the site’s owner Lawrence Abrams at the time.
“Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.”
Russian AV firm Kaspersky Lab has also updated its RakhniDecryptor program so it now works for victims of the Crysis ransomware.