Crime Encryption The Almighty Buck

DecryptorMax/CryptInfinite Ransomware Decrypted, No Need To Pay Ransom (softpedia.com)

An anonymous reader writes: Emsisoft has launched a new tool capable of decrypting files compromised by the DecryptorMax (CryptInfinite) ransomware. The tool is quite easy to use, and will generate a decryption key. For best results users should compare an encrypted and decrypted file, but the tool can also get the decryption key by comparing an encrypted PNG with a random PNG downloaded off the Internet.
  • by ITRambo ( 1467509 ) on Saturday November 28, 2015 @03:23PM (#51018559)
    Apparently, the bad-guy equivalent of script kiddies (or toddlers) put this ransomware out. No program should be able to decrypt a "properly" encrypted file, or set of files, in a few hours. A lot of people dodged a bullet here as Emsisoft puts out great software. Kudos to them for offering this tool.
    • by BLKMGK ( 34057 )

      Agree on both counts! Someone made errors and these guys were smart enough and thoughtful enough to break the crypto. Kudos!

      • You can build the best tools in the world but it's pointless if the user doesn't know how to use them. Encryption is hard, you can just follow a quick README to slap some on. It's like using the handle of a hammer to pound in nails.

    • by cfalcon ( 779563 )

      > No program should be able to decrypt a "properly" encrypted file, or set of files, in a few hours.

      No true encryption, eh?

      We have no reason to believe it's not real crypto. We have every reason to believe they screwed up their implementation.

      Do we need another word? I don't think so. Maybe if we want to abolish the notion of "ok, their files are encrypted... this is hard encryption... ok done!" as seen on pretty much any TV show. But as reported it is accurate- you aren't even picking nits, you're a

      • by mikael ( 484 )

        There's probably a trade-off between encrypting as many files as possible before the user finds out (favoring simple methods or small block sizes), and encrypting individual files so hard that the user can't decrypt them in a reasonable time (favoring complex methods or large block sizes).

      • I don't think so. Maybe if we want to abolish the notion of "ok, their files are encrypted... this is hard encryption... ok done!" as seen on pretty much any TV show.

        At least on TV you get to have a laugh as they use a 320p webcam to catch a reflection from 200 metres away giving them the key to crack the cookie thus saving the planet.

  • Random .PNG file? (Score:4, Insightful)

    by CanEHdian ( 1098955 ) on Saturday November 28, 2015 @03:40PM (#51018647)
    Why would you need a random .png from the Internet? Can't they just keep whatever part they need (header?) as part of the binary?
    • The key has to be derived out.

      • by kbg ( 241421 )

        And why does that need a random .png off the Internet?

        • by Anonymous Coward

          I presume because you copy the random PNG onto the infected system (where it is encrypted by the malware) and voila, you have a known sample in enc/dec terms. Maybe there were technical reasons for not having the tool itself deploy the unsullied version.

        • by AK Marc ( 707885 )
          It doesn't. It just needs to be a file that's encrypted and one that's not. You could have the tool generate its own binary file with random contents, but that's not how the tool was made. The PNG doesn't need to be "on the Internet", it's just that when you have the infected system in Boston, and you are in Chicago, it's easier to have the Boston and Chicago systems access the same file from some public server, than to generate one locally and send it to the other system.
          • There are a couple of possibilities I can think of.
            A) Maybe there is a risk that the PNG you used would already be encrypted, so it says to use an external source.
            B) Malware tends to hook common system functions, such as those used to generate data for testing, and the malware author gives his solution just in case. This is particularly true with .net assemblies, as the entire set of addresses for the method table is readily available.
            C) Some combination of the 2.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Which they could do from a .PNG file stored in the binary in advance.

    • Why would you need a random .png from the Internet? Can't they just keep whatever part they need (header?) as part of the binary?

      I'd guess:
      - The authors wrote the tool to use enough of the start of an encrypted/clear file pair to generate / sieve the key and deployed that.
      - Some user discovered, after the tool was deployed, that the invariant header of a .png file was long enough that any .png file could function as the "clear" for any encrypted .png (or at least that many unrelated pairs co
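A toy illustration of the known-plaintext idea in the replies above. This is an added example, not Emsisoft's tool and not CryptInfinite's real algorithm; it assumes a constructed weak scheme that XORs every file with the same 16-byte key, and shows why any PNG can stand in as the "clear" half of the pair: every PNG starts with the same 16 bytes.

```python
import os
from itertools import cycle

# Bytes shared by every PNG file: the 8-byte signature, then the IHDR chunk
# length (13) and its type. Width, height and CRC follow and vary per image.
PNG_INVARIANT_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
KEY_LEN = len(PNG_INVARIANT_HEADER)  # 16 bytes

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; constructed stand-in for the assumed weak scheme."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def toy_ransomware_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # Assumption (constructed, not the real malware): one short key reused
    # for every file, no per-file nonce. That reuse is what makes recovery work.
    return xor_with_key(plaintext, key)

def recover_key(encrypted_png: bytes, clear_png: bytes) -> bytes:
    """Known-plaintext recovery: XOR the first KEY_LEN bytes of an encrypted
    PNG with the same bytes of *any* PNG. Those bytes are identical in every
    PNG, so the clear file need not be the original image."""
    if not clear_png.startswith(PNG_INVARIANT_HEADER):
        raise ValueError("clear file is not a PNG")
    if len(encrypted_png) < KEY_LEN:
        raise ValueError("encrypted file too short to recover the full key")
    return xor_with_key(encrypted_png[:KEY_LEN], clear_png[:KEY_LEN])

def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_with_key(ciphertext, key)

def make_png(width: int, height: int) -> bytes:
    """Constructed PNG-like sample: correct invariant header, varying IHDR body."""
    ihdr_body = width.to_bytes(4, "big") + height.to_bytes(4, "big") + b"\x08\x06\x00\x00\x00"
    return PNG_INVARIANT_HEADER + ihdr_body + b"\x00\x00\x00\x00" + os.urandom(64)

def demo() -> bool:
    """Recover the key from an encrypted PNG using an unrelated PNG, then
    use it to decrypt a different file encrypted with the same key."""
    key = os.urandom(KEY_LEN)
    victim_png = make_png(640, 480)
    victim_doc = b"constructed sample: contents of resume.doc"
    enc_png = toy_ransomware_encrypt(victim_png, key)
    enc_doc = toy_ransomware_encrypt(victim_doc, key)
    unrelated_png = make_png(1, 1)  # the "random PNG off the Internet"
    recovered = recover_key(enc_png, unrelated_png)
    return recovered == key and decrypt(enc_doc, recovered) == victim_doc
```

With a real cipher that uses a fresh per-file key or nonce, the same header comparison yields nothing reusable, which is the property the first comment in this thread expects "properly" encrypted files to have.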

  • by Anonymous Coward on Saturday November 28, 2015 @04:08PM (#51018775)

    I wondered why the summary has links to articles on Softpedia and Bleeping Computer instead of linking directly to Emsisoft, whose employee wrote the decryption utility. But it seems Emsisoft has dropped the ball, as they have nothing on their home page [emsisoft.com] or their blog [emsisoft.com] or their changelog [emsisoft.com] that mentions this tool. In fact I can't find any reference to this on their site at all [google.com], which makes me suspicious about downloading it.

    Both of the articles in the summary point to a link on emsi.at instead of emsisoft.com. Domain registration and name servers point to emsi.at being a legitimate host under the control of Emsisoft, but who knows? What a weird way to release a security tool, with zero announcements on your company website and the download hosted at a URL shortener.

    • That's why Bitdefender has a huge market share and almost nobody heard of Emsisoft. It's called a marketing department. Remember when Bitdefender cracked Linux.Encoder.1 and provided a shield tool for CryptoWall 4.0? It was everywhere on the Internet.
  • The ransomware gets its name from the fact that the "DecryptorMax" string is found in multiple places inside its source code.

    They distributed the source code with the ransomware? I'll bet that was handy when it came to reverse engineering it.

    • The ransomware gets its name from the fact that the "DecryptorMax" string is found in multiple places inside its source code.

      They distributed the source code with the ransomware?

      Or the strings in the source code ended up generating strings in the object code and something like the "strings" tool found them.

  • How exactly does this ransomware get onto your computer?
    • by Anonymous Coward

      For my boss, it was via a resume.doc attachment. We have several jobs posted :-(

      This was the low point of 2015 for me (backups several months out of date), so I'm hoping this recovery tool works.

      (certainly not logging in so you can make fun of my 5 digit /. id ....)
