[KB6274] Clean a Crysis or Wallet infection using the ESET Crysis decryptor

Issue

  • Your ESET product detected a Win32/Filecoder.Crysis infection
     
  • Decrypt specific variants of your files using the ESETCrysisDecryptor.exe tool
Current variants cannot be decrypted

The latest version of the ESETCrysisDecryptor.exe tool was released in 2017 and does not support the most recent variants of Win32/Filecoder.Crysis. Only files with extensions mentioned below can be decrypted. Once a new tool is released, we will inform in this KB article.

  • Your personal files have become encrypted
     
  • Your files have been renamed with one of the following extensions: .xtbl, .crysis, .crypt, .lock, .crypted, .dharma, .wallet, .onion
     
  • You receive one of the following messages on your computer's desktop background, or in a .txt, .html or .png file:

    - "Attention! Your computer was attacked by virus-encoder.. bitcoin143@india.com"
    - "Your data was encrypted... Do not try to decrypt it - data wil be lost... checksupport@163.com"

    - "To restore information email technical support"
    - "all your data was crypted to get it back write to helphomeless@india.com"

Figure 1-1
 

Click +Details for more information and additional images associated with this ransomware

Details

Win32/Filecoder.Crysis is a trojan that encrypts files on local drives. The user is told they must send information and make a payment using the Bitcoin payment service in order to decrypt their files.

Indicators of compromise

.{%EmailAddress%}.CrySiS
.{%EmailAddress%--%EmailAddress%}.xtbl
.[%EmailAddress%].dharma
.ID%hexnum%.%EmailAddress%.xtbl
.id-%hexnum%.{%EmailAddress%}.crypt
.id-%hexnum%.{%EmailAddress%}.lock
.id-%hexnum%.{%EmailAddress%}.crypted
.[%EmailAddress%].wallet
.[%EmailAddress%].onion

Image gallery

Solution

  1. Download the ESET Crysis decryptor tool version 2.0.4.0 and save the file to your desktop.

    ESETCrysisDecryptor.exe
     
  2. Click StartAll Programs Accessories, right-click Command prompt and then select Run as administrator from the context menu.
    • Windows 8 / 8.1 / 10 users: press the Windows key + Q to search for applications, type Command prompt into the Search field, right-click Command prompt and then select Run as administrator from the context menu.
       
  3. Type the command cd %userprofile%\Desktop (do not replace "userprofile" with your username–type the command exactly as shown) and then press Enter.
     
  4. Type the command ESETCrysisDecryptor.exe and press Enter.
     
  5. Read and agree to the end-user license agreement.
     
  6. Type ESETCrysisDecryptor.exe C: and press Enter to scan the C drive. To scan a different drive replace C: with the applicable drive letter.

CrysisDecryptor Switches

In most cases, running the ESET Crysis decryptor tool as shown in step 6 is the best choice. However, if you are familiar with command line switches, the following switches are available for use with the CrysisDecryptor tool:

  • /s— run the tool in silent mode
  • /d —run the tool in debug mode
  • /h or /?— show usage
  1. The ESET Crysis decryptor tool will run and the "Looking for infected files..." message will be displayed. If an infection is discovered, follow the prompts from the ESET Crysis decryptor tool to clean your system.

Figure 1-2

 

Need Assistance in North America?

If you are a North American ESET customer and need assistance, visit helpus.eset.com to chat with a live technician, view product documentation or schedule a consultation with an ESET Home Advisor.