Cryakl/Fantomas victims rescued by new decryptor

The No More Ransom project for assisting victims of ransomware has good news to report: The Belgian police, in cooperation with Kaspersky Lab, managed to obtain keys for recovering files encrypted with new versions of Cryakl ransomware, also known as Fantomas. The updated decryption tool is already available on the project’s website.


What is Cryakl?

The Trojan ransomware Cryakl (Trojan-Ransom.Win32.Cryakl) has been . At first, it was distributed through attached archives in e-mails that appeared to come from an arbitration court in connection with some alleged wrongdoing. There is something about such messages that sets nerves to jangling, and even those who know better might be inclined to click on the attachment. Later, the e-mails diversified, looking like messages from other organizations, such as a local homeowners’ association.

When encrypting files on a victim’s computer, Cryakl generates a long key and sends it to a command-and-control (C&C) server. Without this key, it is nearly impossible to recover files affected by the malware. Cryakl then replaces the desktop wallpaper with the creators’ contact details and a ransom demand. It also displays an image of the mask of the 1964 French movie villain Fantomas, hence its alternative name. Cryakl mostly targeted users in Russia, so most of the available information about it is in Russian.


Success story

As we already said, the joint efforts of our experts and Belgian police resulted in obtaining the master keys. The investigation began when the computer crime unit learned about victims of the ransomware in Belgium, and then they discovered a C&C server in a neighboring country. An operation led by the Belgian federal prosecutor neutralized the server, along with several other C&C servers that received master keys from infected machines. Then Kaspersky Lab stepped in to assist the law enforcement agencies, not for the first time. As before, the results were first-class: Our experts helped analyze the data found and extract the decryption keys.

The keys have already been added to the RakhniDecryptor tool on the No More Ransom website, and the Belgian federal police is now an official partner of the project. No More Ransom, which has been running since July 2016, has to date provided free help to tens of thousands of people in decrypting files rendered unusable by ransomware, and deprived cyberblackmailers of at least 10 million euros of potential booty.


How to rescue files encrypted by Cryakl ransomware

The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. You can download it at NoMoreRansom.org, and get decryption instructions here.

We recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available here. RakhniDecryptor is the one to use for files hit by newer versions of Cryakl. Between them, the two tools should restore Cryakl-encrypted files to full health.

How to stay safe in the future

When dealing with cryptoransomware, prevention is far cheaper and simpler than a cure. In other words, it’s better to secure yourself now and sleep easy than to mess around with file decryption. We’d like to share a few preemptive file protection tips:

1. Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer. More details about backup options are available here.

2. Use reliable AV software. Some security solutions — for example, Kaspersky Total Security — can also assist with file backup.

3. Don’t download programs from suspicious sources. Their installers might contain something you’d rather not have on your computer.

4. Don’t open attachments in e-mails from unknown senders, even if they look important and credible. If in doubt, look up the phone number on the organization’s official website and call to check.

Author: Anna Markovskaya

How to properly update Windows to protect your computer from WannaCry

By now, everyone has heard about the WannaCry ransomware attack. So far we have two posts about it: one with a general overview of what happened, and another with advice for businesses. But it’s become clear that not everyone understands how to patch the Windows vulnerability that is exploited by WannaCry, which allows it to travel from one PC to another. So here, we’ll explain what to do and where to find the necessary patches.


1. Find out what version of Windows is running on your computer

First of all, it is important to note that WannaCry can infect only devices running Windows. If your device runs macOS, iOS, Android, Linux, or any other operating system, the malware cannot harm it.

Yet, it does pose a serious threat to devices running Windows. But different Windows versions require different patches. So, before installing something, you have to figure out what version of Windows you are running.

To do this:

  • Press the Windows key + R on your keyboard;
  • In the “Run” box that appears on your screen, type winver and click “OK.”

A window showing your Windows version will open.

2. Install the MS17-010 update that patches the vulnerability in Windows

Done with finding out the version? Here are the links to the updates for all of the Windows versions for which it has been released. Note that if you aren’t sure whether you use a 32-bit or 64-bit version of Windows, you can simply download both patches; one of them will work for you, and trying to run the wrong one will bring up an error box but will do no harm.

When you click on the corresponding link, your system will download a Windows Update Standalone package, a file with an MSU extension. This is the required update. Simply double-click on the file to run it and follow the instructions of the setup wizard. After the installation is done, reboot your system. That’s it: the vulnerability will be closed, and WannaCry will no longer be able to spread to your computer over the network the way it does.

3. Scan your computer for viruses

It is possible that WannaCry crawled into your computer before you patched the vulnerability. So, just in case, run a virus scan.

If you do not have an antivirus, then you can download a free 30-day trial version of Kaspersky Internet Security. If you already have it, then take the following steps:

  • Make sure the System Watcher module is enabled. To do that, go into the security solution’s settings, select Protection, and ensure that System Watcher is turned on.
  • Run a quick virus scan on your computer. To do that, click Scan in your antivirus solution interface. Then select Quick scan and then Run scan.
  • If the antivirus detects something with Trojan.Win64.EquationDrug.gen in the name, delete the detected file and reboot your computer.

That’s it: You are now protected from WannaCry. Now it’s time to take care of your relatives and friends who do not know how to protect their devices.
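The three manual steps above can be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original post: it reports the Windows version and architecture (what winver shows, plus 32-/64-bit), looks for an installed MS17-010 package, and then disables SMBv1, the protocol the worm component of WannaCry exploits. Assumptions: PowerShell 3.0 or later; the KB numbers are the MS17-010 packages listed in Microsoft’s bulletin for Windows XP through Windows 10 1607, and later cumulative updates on Windows 10 supersede them, so a missing KB on an up-to-date Windows 10 host is a prompt to verify, not proof that it is vulnerable.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumption: the KB list below is the set of MS17-010 packages from the Microsoft bulletin;
# on Windows 10, cumulative updates supersede these, so an absent KB means "verify", not "vulnerable".

# Step 1: identify the Windows version and architecture
$os = Get-CimInstance Win32_OperatingSystem
"{0} (version {1}, {2})" -f $os.Caption, $os.Version, $os.OSArchitecture

# Step 2: look for an installed MS17-010 package
$ms17010 = 'KB4012598',                 # XP, Vista, Server 2003/2008, Windows 8
           'KB4012212', 'KB4012215',    # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
           'KB4012213', 'KB4012216',    # Windows 8.1 / Server 2012 R2
           'KB4012214', 'KB4012217',    # Server 2012
           'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507, 1511, 1607
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    "MS17-010 package present: " + ($installed.HotFixID -join ', ')
} else {
    "No MS17-010 package found. On Windows 10, confirm the latest cumulative update is installed;" +
    " on older versions, install the MS17-010 patch for your edition and architecture."
}

# Extra hardening: the exploit needs SMBv1, which modern hosts do not need. Report it and turn it off.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        "SMBv1 is enabled; disabling it."
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        "SMBv1 is already disabled."
    }
} else {
    # Windows 7 / Server 2008 R2: Microsoft's documented method is the LanmanServer SMB1 registry value
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name 'SMB1' -Type DWORD -Value 0 -Force
    "SMBv1 disabled via the registry; a reboot is required for the change to take effect."
}
```

Disabling SMBv1 is worth doing even on a patched machine: the patch closes the specific bug, while removing the protocol removes the attack surface the worm relied on. Check first that nothing on the network (old NAS boxes, printers) still depends on SMBv1 before turning it off on a file server.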

Author: Marvin the Robot
