{"id":10359,"date":"2018-02-09T10:36:01","date_gmt":"2018-02-09T15:36:01","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/cryakl-decrypted-for-good\/10359\/"},"modified":"2020-02-26T19:00:05","modified_gmt":"2020-02-26T15:00:05","slug":"cryakl-decrypted-for-good","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/cryakl-decrypted-for-good\/10359\/","title":{"rendered":"Cryakl\/Fantomas victims rescued by new decryptor"},"content":{"rendered":"<p>The No More Ransom project for assisting victims of ransomware has good news to report: The Belgian police, in cooperation with Kaspersky Lab, managed to obtain keys for recovering files <a href=\"https:\/\/securelist.com\/threats\/encryptor-glossary\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">encrypted<\/a> with new versions of Cryakl ransomware, also known as Fantomas. The updated decryption tool is already available on the <a href=\"http:\/\/www.nomoreransom.org\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">project\u2019s website<\/a>.<\/p>\n<p><a href=\"https:\/\/me-en.kaspersky.com\/blog\/files\/2018\/03\/nomoreransom-featured.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-10360\" src=\"https:\/\/me-en.kaspersky.com\/blog\/files\/2018\/03\/nomoreransom-featured.jpg\" alt=\"How to decrypt files encrypted by the Shade ransomware\" width=\"1280\" height=\"840\"><\/a><\/p>\n<h2>What is Cryakl?<\/h2>\n<p>The Trojan ransomware Cryakl (Trojan-Ransom.Win32.Cryakl) has been . At first, it was distributed through attached archives in e-mails that appeared to come from an arbitration court in connection with some alleged wrongdoing. There is something about such messages that sets nerves to jangling, and even those who know better might be inclined to click on the attachment. 
Later, the e-mails diversified, looking like messages from other organizations, such as a local homeowners\u2019 association.<\/p>\n<p>When encrypting files on a victim\u2019s computer, Cryakl creates a long key that it sends to a command-and-control (C&amp;C) server. Without this key, it is nearly impossible to recover files impacted by the malware. After that, Cryakl replaces the desktop wallpaper with contact details for its creators together with a ransom demand. Cryakl also displays an image of the mask of the 1964 French movie villain Fantomas, hence its alternative name. Cryakl mostly targeted users in Russia, so information about it is mostly available in Russian.<\/p>\n<h3>Success story<\/h3>\n<p>As we already said, the joint efforts of our experts and Belgian police resulted in obtaining the master keys. The investigation began when the computer crime unit learned about victims of the ransomware in Belgium, and then they discovered a C&amp;C server in a neighboring country. 
An operation led by the Belgian federal prosecutor neutralized the server, along with several other C&amp;C servers that received master keys from infected machines. Then Kaspersky Lab stepped in to assist the law enforcement agencies, not for the first time. As before, the results were first-class: Our experts helped analyze the data found and extract the decryption keys.<\/p>\n<p>The keys have already been added to the RakhniDecryptor tool on the No More Ransom website, and the Belgian federal police is now an official partner of the project. No More Ransom, which has been running since July 2016, has to date provided free help to tens of thousands of people in decrypting files rendered unusable by ransomware, and deprived cyberblackmailers of at least 10 million euros of potential booty.<\/p>\n<h3>How to rescue files encrypted by Cryakl ransomware<\/h3>\n<p>The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. 
You can download it at <a href=\"https:\/\/www.nomoreransom.org\/en\/decryption-tools.html#Cryakl\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">NoMoreRansom.org<\/a>, and get decryption instructions <a href=\"https:\/\/support.kaspersky.com\/viruses\/disinfection\/8547#block1\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">here<\/a>.<\/p>\n<p>We recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available <a href=\"https:\/\/support.kaspersky.com\/viruses\/disinfection\/10556#block2\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>. RakhniDecryptor is needed to decrypt files hit by newer versions of Cryakl. Either one of the tools should restore Cryakl-infected files to full health.<\/p>\n<h3>How to stay safe in the future<\/h3>\n<p>When dealing with cryptoransomware, prevention is far cheaper and simpler than a cure. In other words, it\u2019s better to secure yourself now and sleep easy than to mess around with file decryption. We\u2019d like to share a few preemptive file protection tips:<\/p>\n<p>1. Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer. More details about backup options are available <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-backup\/18914\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">here<\/a>.<\/p>\n<p>2. Use reliable AV software. Some security solutions \u2014 for example, <a href=\"https:\/\/www.kaspersky.com\/advert\/total-security-multi-device?redef=1&amp;THRU&amp;reseller=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____ktsmd___\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Kaspersky Total Security<\/a> \u2014 can also assist with file backup.<\/p>\n<p>3. 
Don\u2019t download programs from suspicious sources. Their installers might contain something you\u2019d rather not have on your computer.<\/p>\n<p>4. Don\u2019t open attachments in e-mails from unknown senders, even if they look important and credible. If in doubt, look up the phone number on the organization\u2019s official website and call to check.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Belgian police and Kaspersky Lab obtain decryption keys for files hit by Cryakl.<\/p>\n","protected":false},"author":2484,"featured_media":10360,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1486],"tags":[1660,1201,1661,1214,742,433,521,692],"class_list":{"0":"post-10359","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-cryakl","10":"tag-cryptors","11":"tag-fantomas","12":"tag-nomoreransom","13":"tag-police","14":"tag-ransomware","15":"tag-threats","16":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cryakl-decrypted-for-good\/10359\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/cryakl-decrypted-for-good\/12509\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/cryakl-decrypted-for-good\/5639\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cryakl-decrypted-for-good\/14653\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cryakl-decrypted-for-good\/12945\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/cryakl-decrypted-for-good\/12452\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/cryakl-decrypted-for-good\/15298\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/cryakl-decrypted-for-good\/15024\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cryakl-decrypted-for-good\/19630\/"},{"hreflang":"tr
","url":"https:\/\/www.kaspersky.com.tr\/blog\/cryakl-decrypted-for-good\/4725\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cryakl-decrypted-for-good\/21129\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/cryakl-decrypted-for-good\/8924\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/cryakl-decrypted-for-good\/15873\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/cryakl-decrypted-for-good\/9348\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/cryakl-decrypted-for-good\/19532\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cryakl-decrypted-for-good\/19579\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cryakl-decrypted-for-good\/19581\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/ransomware\/","name":"ransomware"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2484"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=10359"}],"version-history":[{"count":6,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10359\/revisions"}],"predecessor-version":[{"id":16048,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10359\/revisions\/16048"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/10360"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=10359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categorie
s?post=10359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=10359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}