Kaspersky cracks CryptXXX, throws lifeline to ransomware victims

Kaspersky has announced it's decrypted yet another crypto-extortion racket. Writing here, the company's John Snow says Kaspersky bods can now untangle data after a CryptXXX attack. CryptXXX was described in mid-April by Proofpoint, which said it came from the authors of Reveton and was spreading thanks to its inclusion in the …

  1. Jimbo in Thailand
    Black Helicopters

    Hmmm... a little ironic!

    Just thinkin' out loud... Don't most ransomware attacks come from Russia and isn't Kaspersky Lab from Russia? Could there be a connection?

    1. Anonymous Coward

      Re: Hmmm... a little ironic!

      The connection is that Russia, as a direct result of being resource starved by US embargoes, went on to be FAR more intelligent and efficient in programming (if you want an example of resource wasteful code for comparison, try US developed Windows) so you need people from the same region just to get into the tight code.

      Kaspersky is a remarkably clean company for one that has grown in Russia, so no, I don't think they're in cahoots with criminals.

      1. irwincur

        Re: Hmmm... a little ironic!

        That's all really funny.

  2. Phil Kingston

    Not *that* John Snow, surely?

    1. mt_head

      You know nothing.

    2. Ol' Grumpy
      Coat

      Nah - he's nowhere near as "holey" as *that* John Snow ;)

  3. DropBear
    Trollface

    So, if one pays the ransom, does the malware return any bitcoin it has stolen too? Or if it managed to steal enough, does it start decrypting automatically? Crucial informations missing in the article - I'm so confused...

  4. Tannin

    There is only one John Snow

    But surely there is only one John Snow. He took 4/94 in his Ashes debut at Old Trafford, and destroyed a very strong Australian side at the SCG taking 7/40, including master batsmen in Redpath, Stackpole, and both Chappells. Accept no imitations.

    1. hplasm
      Coat

      Re: There is only one John Snow

      But surely there is only one John Snow- he reads the news...

      1. 's water music

        Re: There is only one John Snow

        But surely there is only one John Snow- he reads the news...

        Statistically, probably several. There is also one (and probably only one) Jon Snow who reads it on the telly

        1. Anonymous Coward

          Re: There is only one John Snow

          There is also one (and probably only one) Jon Snow who reads it on the telly

          That has gotten progressively harder to do. The new LCDs are very difficult to sit on.

  5. Cynic_999 Silver badge

    Hmmm - RSA4096 wasn't difficult to crack? Maybe the FBI should hire Kaspersky the next time it has a bit of evidence that needs decrypting ...

    1. Coen Dijkgraaf

      RSA4096 wasn't difficult to crack?

      The article at Kaspersky actually says "Fortunately, CryptXXX turned out to be not that difficult to crack".

      However it seems to depend on you being able to give it a copy of one of the encrypted files before it was encrypted and the bigger the file the better. "The bigger file you’ve feed to the utility — the more files would be decrypted." So it sounds like they must have used a small key that could be brute forced.

      1. patrickstar

        Re: RSA4096 wasn't difficult to crack?

        Educated guess: The actual file encryption is done with some stream cipher, with the same key for all files. (That key would in turn be encrypted with RSA using the public key and sent to the attacker, which presumably holds the private key - the specific details won't matter here as the attack isn't against the asymmetric part)

        So if you simply XOR the plaintext file with the encrypted version, you get the keystream. XOR that with any encrypted file up to that size and you get the plaintext.
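The keystream-reuse recovery guessed at in the last comment, as an added example that is not part of the thread or of Kaspersky's utility. The SHA-256 counter-mode cipher, the key and the file contents are constructed stand-ins, not CryptXXX's real scheme. It also shows why a larger known file recovers more: a file longer than the known pair is only recovered up to the pair's length.

```python
import hashlib

def toy_keystream(key: bytes, n: int) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode). Assumption for the
    demo only; this is not CryptXXX's actual cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, stopping at the end of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Encrypt every file with the same key, so the keystream always restarts
    from the same position: the flaw the comment guesses at."""
    return xor(data, toy_keystream(key, len(data)))

def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """plaintext XOR ciphertext = keystream, for as many bytes as the pair has."""
    if len(known_plain) != len(known_cipher):
        raise ValueError("original and encrypted copy must be the same length")
    return xor(known_plain, known_cipher)

def decrypt_with_keystream(keystream: bytes, cipher: bytes):
    """Return (recovered bytes, count of trailing bytes still unrecoverable)."""
    return xor(cipher, keystream), max(0, len(cipher) - len(keystream))

def demo():
    key = b"constructed-demo-key"          # never used by the recovery side
    backup = b"Holiday photo metadata, original copy kept offline.\n" * 4
    small = b"invoice 0001: 42.00 EUR"
    large = b"meeting notes, line after line. " * 20
    ks = recover_keystream(backup, toy_encrypt(key, backup))
    return (decrypt_with_keystream(ks, toy_encrypt(key, small)),
            decrypt_with_keystream(ks, toy_encrypt(key, large)),
            len(backup), large)

if __name__ == "__main__":
    (small_plain, small_left), (large_plain, large_left), n, large = demo()
    print(small_plain, small_left)                 # fully recovered
    print(large_plain == large[:n], large_left)    # only the first n bytes
```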
