A new ransomware family called Crypt38 uses a simple encryption routine that allowed Fortinet researchers to reverse engineer the process and find a method of unlocking files.
Named Crypt38 because it appends the .crypt38 extension to all encrypted files, this ransomware’s infection method is currently unknown.
What we know is that the ransomware seems to be targeting only Russian users at the moment, and based on the simplistic encryption routine and low ransom demand, it may still be in a testing phase, so users might get to see a much more capable version in the near future.
Crypt38 ransomware only asks for $15
Right now the ransomware asks for only 1,000 Rubles (~$15) and doesn't send victims to a decryption website. To unlock their files, infected users only have to email the ransomware's author, who replies with payment and decryption instructions.
Fortinet's analysis shows that during the infection process the ransomware generates a random 12-digit number to identify each victim.
It then runs this ID through a mathematical operation, appends "6551" to the result, and uses the final number as the encryption key. In other words, the key is a fixed function of the victim ID: anyone who knows the ID and the operation can recompute it.
Simple symmetric encryption process doomed the ransomware’s chances of success
The problem is not simply that the author chose a symmetric algorithm, in which the encryption key is also the decryption key; well-built ransomware uses symmetric ciphers too, but protects the per-victim key with a public key whose private half only the attacker holds. Crypt38 instead derives its symmetric key deterministically from the victim ID, so the key can be rebuilt by anyone who knows that ID.
Since Fortinet researchers managed to crack the derivation routine, they say that, given a victim's ID number, they can compute the encryption/decryption key.
The good part is that the ransomware displays the victim ID on screen, in the ransom note, which means everything needed to decrypt a victim's files is out in the open.
Since Fortinet hasn't released a publicly available decrypter at this time, infected users should contact the company in order to recover their files. Until then, victims should keep the ransom note (it carries the ID) and copies of the .crypt38 files rather than deleting them.
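The following is an added toy reconstruction of the weakness described above; it is not Fortinet's tooling and not code from the Crypt38 sample. The page does not say which arithmetic the malware applies to the ID or which symmetric cipher it uses, so the placeholder operation `mystery_op`, the hashing of the key string, and the HMAC-based XOR stream cipher are all assumptions. What the model preserves is the actual flaw: the key is a pure function of a victim ID that the ransom note prints, so a defender who reads the note can recompute it.

```python
"""Toy model of the Crypt38 key-derivation weakness (illustrative, not the real sample).
Assumptions: 'mystery_op' stands in for the unspecified arithmetic, the key string is
hashed to a fixed-size key, and an HMAC-SHA256 keystream XOR replaces the unknown cipher."""
from __future__ import annotations

import hashlib
import hmac
import random
import re

KEY_SUFFIX = "6551"  # constant the article says is appended to the derived number
EXT = ".crypt38"     # extension appended to every encrypted file


def mystery_op(victim_id: int) -> int:
    """Placeholder for the unspecified 'mathematical operation' (an assumption).
    Any deterministic function of the ID has the same weakness."""
    return (victim_id * 31 + 7) % 10**12


def derive_key(victim_id: int) -> bytes:
    """Key = str(op(ID)) + '6551', as described; hashed to 32 bytes for the toy cipher."""
    material = f"{mystery_op(victim_id)}{KEY_SUFFIX}".encode()
    return hashlib.sha256(material).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC-SHA256 over a counter (stand-in for the unknown cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def infect(files: dict[str, bytes], rng: random.Random) -> tuple[dict[str, bytes], str]:
    """Simulate the infection: pick a 12-digit ID, encrypt every file, append .crypt38,
    and write a ransom note that prints the ID, as the article says the real note does."""
    victim_id = rng.randrange(10**11, 10**12)
    key = derive_key(victim_id)
    encrypted = {name + EXT: xor_crypt(key, data) for name, data in files.items()}
    note = (
        "Your files are encrypted. Send 1000 RUB and your ID to the address below.\n"
        f"ID: {victim_id}\n"
    )
    return encrypted, note


def recover(encrypted: dict[str, bytes], note: str) -> dict[str, bytes]:
    """Defender's side: read the ID from the note, recompute the key, decrypt everything."""
    m = re.search(r"ID:\s*(\d{12})\b", note)
    if not m:
        raise ValueError("victim ID not found in ransom note")
    key = derive_key(int(m.group(1)))
    return {name[: -len(EXT)]: xor_crypt(key, blob) for name, blob in encrypted.items()}


# Constructed sample victim files (not real data).
SAMPLE_FILES = {
    "report.docx": b"Quarterly numbers: revenue up 12%",
    "photo.jpg": bytes(range(256)),
}


def demo(seed: int = 38) -> bool:
    """Run infection then recovery with only the ransom note and the .crypt38 blobs."""
    encrypted, note = infect(SAMPLE_FILES, random.Random(seed))
    assert all(name.endswith(EXT) for name in encrypted)
    assert encrypted["report.docx" + EXT] != SAMPLE_FILES["report.docx"]
    return recover(encrypted, note) == SAMPLE_FILES


if __name__ == "__main__":
    print("recovered from ransom note alone:", demo())
```

The recovery path never touches the attacker: the note alone supplies the ID, and `derive_key` reproduces what the malware computed. Had the author instead generated the per-victim key randomly and wrapped it with a public key only they hold, the ID in the note would tell a defender nothing.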