Cryakl Ransomware
Cryakl (also known as Fantomas) is a ransomware-as-a-service tool targeting users throughout Europe, Russia and Eastern Asia. It was first observed in 2014, it was believed to have been abandoned after its command and control infrastructure was seized in early 2018 by the The Belgian Federal Police (details here)
The investigation discovered that the command and control server was in one a neighbouring country and was able, therefore, to get a warrant, seize the server and call in forensic analysts to retrieve the decryption keys, with Kaspersky providing technical expertise.
Cryakl encodes personal files use AES and RSA encryption algorithms, and demands that users email one of a number of different addresses in order to arrange payment and the delivery of a decryption key (assuming that the criminals behind the ransomware are feeling generous – many simply just take the money).
How to recover files encrypted by Cryakl ransomware
The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. You can download it at NoMoreRansom.org, and get decryption instructions here.
They recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available here. RakhniDecryptor is needed to decrypt files hit by newer versions of Cryakl. Either one of the tools should restore Cryakl-infected files to full health.
Indicators of Compromise / What To Block
SHA1 File Hashes
- 9e8230008433cb12316daf958b537ad016642600
MD5 File Hashes
- 4a21a8f5404dd5acd0deaee77e420985
Email Addresses
- cryptolocker@aol[.]com
- iizomer@aol[.]com
- seven_Legion2@aol[.]com
- oduvansh@aol[.]com
- ivanivanov34@aol[.]com
- trojanencoder@aol[.]com
- load180@aol[.]com
- moshiax@aol[.]com
- vpupkin3@aol[.]com
- watnik91@aol[.]com
- cryptolocker@aol[.]com_graf1
- cryptolocker@aol[.]com_mod
- byaki_buki@aol[.]com_mod2
- oduvansh@aol[.]com
- cryptolocker@aol[.]com
- cryptolocker@aol[.]com
- byaki_buki@aol[.]com
- [email protected]_grafdrkula@gmail[.]com
- vpupkin3@aol[.]com
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.