CryptInfinite or DecryptorMax Ransomware Decrypted


We have received a lot of reports about a new ransomware that we are calling CryptInfinite, based on the Windows Registry key created by this ransomware. Other sites have been calling this ransomware DecryptorMax due to a hard-coded string found inside the ransomware executable. At first glance this ransomware looked secure, but on further inspection by Fabian Wosar of Emsisoft it was discovered that it is possible to decrypt the files without paying the ransom. With this in mind, Fabian has released a utility called DecryptInfinite that can be used to decrypt files encrypted by the CryptInfinite Ransomware. A dedicated support topic for this ransomware, where assistance decrypting the files is provided, can be found here: DecryptorMax or CryptInfinite Ransomware, .CRINF extension Support Topic.

This ransomware is spreading through e-mail attachments that pretend to be resumes for job applications. A user will know they are infected by the CryptInfinite Ransomware when they can no longer open their documents and their data files have a .crinf extension appended to the end of the file name. Furthermore, every folder that contains an encrypted file will also contain a ransom note called ReadDecryptFilesHere.txt. This ransom note explains that they have 24 hours to send a PayPal MyCash voucher code to the email address of the malware developer. The known email addresses associated with this ransomware are silasw9pa@yahoo.co.uk, decryptor171@mail2tor.com, and decryptor171@scramble.io.

If you are infected with this malware, simply download decrypt_cryptinfinite.exe from the following link and save it on your desktop:

DecryptInfinite Download

In order to find your decryption key, you need to drag an encrypted file and the unencrypted version of the same file onto the decrypt_cryptinfinite.exe icon at the same time. So you would select both the encrypted and unencrypted version of a file and drag them both onto the executable. If you do not have an original version of one of your encrypted files, in our tests you can use an encrypted PNG file and any other unencrypted PNG file that you get off of the Internet and drag them together onto the decrypt_cryptinfinite.exe icon. Once you determine the key used to encrypt one of your files, you can then use that key to decrypt ALL other files on your computer.

To show what I mean about dragging both files at the same time, see the example below. To create the key, I created a folder that contains an encrypted PNG file, a totally different valid PNG file, and the decrypt_cryptinfinite.exe program. I then dragged both the regular PNG file and the encrypted one onto the executable at the same time.

How to drag the files onto the Decrypter

When the program starts, you will be presented with a UAC prompt as shown below. Please click on Yes button to proceed. 
 

UAC Prompt

You will now be at a screen asking you to choose the email addresses that were given in the ransomware’s ransom note. Please select the option that contains the associated email addresses for your infection.
 

Once you make the selection, the program begins the brute force process in which DecryptInfinite tries to retrieve your decryption key. Please note that this process can take quite a while to finish, so please be patient.

Brute Forcing the Decryption Key

When the key has been brute forced, it will be displayed in a new window like the one below. Please write down this key in the event you need it again in the future.
 

Decryption Key Found

To start decrypting your files with this key, please click on the OK button.  You will then be presented with a license agreement that you must click on Yes to continue. You will now see the main DecryptInfinite screen that displays all the encrypted files that were listed in the Registry.

DecryptInfinite Screen listing Encrypted Files

Look through the list of encrypted files and if it appears that they are all there, then click on the Decrypt button. If there are files missing, you can click on the Add Folder button to add other folders that contain encrypted files.  Once you have added all the folders you wish to decrypt, click on the Decrypt button to begin the decryption process.  Once you click Decrypt, DecryptInfinite will decrypt all the encrypted files and display the decryption status in a results screen like the one below.

Decryption Results

All of your files should now be decrypted.

For those who wish to know more technical information about this ransomware, you can read the section below.  As already stated, we have created a dedicated forum topic to support the CryptInfinite Ransomware and to provide assistance with using this tool. This support topic can be found here: DecryptorMax or CryptInfinite Ransomware, .CRINF extension Support Topic

Technical Information

This ransomware is currently going by the names DecryptorMax and CryptInfinite depending on the site you visit. Some sites call it DecryptorMax due to a string hard-coded in the executable, while we and other sites are calling it CryptInfinite due to the name of the Registry keys it makes. This ransomware is being spread through emails that contain a Word document pretending to be a resume for a job posted on Craigslist. An example of what this Word document looks like can be seen below:

Malicious Word Document - Click to see full sized image

These Word documents contain password-protected and obfuscated macros that download a file from a remote site and save it to the user's %AppData% folder under the file name XBMGERoOjZX.exe. This file is then executed and eventually downloads and installs the CryptInfinite ransomware application. A screenshot of the obfuscated macro can be seen below.

Obfuscated Word Macro

When the CryptInfinite ransomware is executed it creates a unique ID associated with the victim, copies the executable to %UserProfile%, and names the file the same as this ID. For example, if the victim's unique ID is test-ADBFFA-G131, then the file will be named test-ADBFFA-G131.exe.

The malware will then execute the following commands to delete all Shadow Volume Copies and disable Windows Startup Repair. These commands require administrative privileges, so you will be shown a UAC (User Account Control) prompt asking whether you wish to allow vssadmin.exe to execute.

cmd.exe /k vssadmin.exe Delete Shadows /All /Quiet
cmd.exe /k bcdedit.exe /set {default} recoveryenabled No
cmd.exe /k bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

The ransomware will also attempt to terminate common apps that are used for malware analysis.

TASKKILL /F /IM msconfig.exe
TASKKILL /F /IM rstrui.exe
TASKKILL /F /IM tcpview.exe
TASKKILL /F /IM procexp.exe
TASKKILL /F /IM procmon.exe
TASKKILL /F /IM regmon.exe
TASKKILL /F /IM wireshark.exe
TASKKILL /F /IM LordPE.exe
TASKKILL /F /IM regedit.exe
TASKKILL /F /IM cmd.exe
TASKKILL /F /IM filemon.exe
TASKKILL /F /IM procexp64.exe
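The three recovery-inhibiting commands and the taskkill list above are the most reliable host-level signals of this infection, and they are easy to match in process-creation telemetry. The following detection logic is an added example written for this page; it is not code from the page or from Emsisoft's decrypter. The events are constructed in the shape of Sysmon process-creation records (Image, CommandLine, ParentImage) and are not real telemetry; the user name "victim" in the parent path is an assumption, while the <id>.exe file name follows the naming described on the page.

```python
"""Detection logic for the recovery-tampering and anti-analysis commands above.
Added example: not code from the page or from Emsisoft's decrypter. The events
are constructed in the shape of Sysmon process-creation records (Image,
CommandLine, ParentImage); none of them are real telemetry."""
import re
from collections import defaultdict

# Constructed sample events. The ransomware parent name follows the page's
# %UserProfile%\<id>.exe pattern; the user name "victim" is an assumption.
RANSOMWARE_PARENT = r"C:\Users\victim\test-ADBFFA-G131.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /k vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": RANSOMWARE_PARENT},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /k bcdedit.exe /set {default} recoveryenabled No",
     "ParentImage": RANSOMWARE_PARENT},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /k bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
     "ParentImage": RANSOMWARE_PARENT},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "TASKKILL /F /IM procexp.exe",
     "ParentImage": RANSOMWARE_PARENT},
    # Benign-looking activity that must not fire: a user closing Notepad and
    # an administrator listing (not deleting) shadow copies.
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Each rule matches one of the three recovery-inhibiting commands the page lists.
TAMPER_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("startup_repair_disabled",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot_failure_ignored",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]

# The analysis and recovery tools the page says the ransomware terminates.
ANALYSIS_TOOLS = frozenset({
    "msconfig.exe", "rstrui.exe", "tcpview.exe", "procexp.exe", "procmon.exe",
    "regmon.exe", "wireshark.exe", "lordpe.exe", "regedit.exe", "cmd.exe",
    "filemon.exe", "procexp64.exe",
})
TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)


def classify(event):
    """Return the list of detection tags that a single event triggers."""
    cmd = event["CommandLine"]
    tags = [name for name, rx in TAMPER_RULES if rx.search(cmd)]
    m = TASKKILL_RE.search(cmd)
    if m and m.group(1).lower() in ANALYSIS_TOOLS:
        tags.append("analysis_tool_killed:" + m.group(1).lower())
    return tags


def scan(events):
    """Run classify() over a sequence of events and collect the findings."""
    findings = []
    for index, event in enumerate(events):
        for tag in classify(event):
            findings.append({"index": index, "tag": tag,
                             "parent": event["ParentImage"],
                             "cmd": event["CommandLine"]})
    return findings


def suspicious_parents(findings, min_tags=2):
    """Group findings by parent process. A parent that triggers at least
    min_tags distinct tags is far more likely to be ransomware than a single
    administrator command is. Returns {parent: sorted tags}."""
    by_parent = defaultdict(set)
    for f in findings:
        by_parent[f["parent"]].add(f["tag"])
    return {p: sorted(t) for p, t in by_parent.items() if len(t) >= min_tags}


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["tag"], "<-", f["cmd"])
    print(suspicious_parents(scan(SAMPLE_EVENTS)))
```

Matching on the command line rather than on the image name keeps the rules working when the commands are launched through cmd.exe /k, as they are here, and grouping by parent process separates a ransomware binary that fires all of them in quick succession from an administrator who runs a single vssadmin command by hand.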

CryptInfinite will now scan all drive letters on the machine for data files to encrypt that match the following file extensions:

*.ACCDB, *.BAY, *.DBF, *.DER, *.DNG, *.DOCX, *.DXF, *.ERF, *.INDD, *.MEF, *.MRW, *.ODB, *.ODP, *.PDD, *.PEF, *.PPTM, *.PSD, *.PTX, *.RAW, *.SRF, *.XLK, *.XLS, *.ach, *.aiff, *.arw, *.asf, *.asx, *.avi, *.back, *.backup, *.bak, *.bin, *.blend, *.cdr, *.cer, *.cpp, *.crt, *.crw, *.dat, *.dcr, *.dds, *.des, *.dit, *.doc, *.docm, *.dtd, *.dwg, *.dxg, *.edb, *.eml, *.eps, *.fla, *.flac, *.flvv, *.gif, *.groups, *.hdd, *.hpp, *.iif, *.java, *.kdc, *.key, *.kwm, *.log, *.lua, *.m2ts, *.max, *.mdb, *.mdf, *.mkv, *.mov, *.mpeg, *.mpg, *.msg, *.ndf, *.nef, *.nrw, *.nvram, *.oab, *.obj, *.odc, *.odm, *.ods, *.odt, *.ogg, *.orf, *.ost, *.pab, *.pas, *.pct, *.pdb, *.pdf, *.pem, *.pfx, *.pif, *.png, *.pps, *.ppt, *.pptx, *.prf, *.pst, *.pwm, *.qba, *.qbb, *.qbm, *.qbr, *.qbw, *.qbx, *.qby, *.qcow, *.qcow2, *.qed, *.raf, *.rtf, *.rvt, *.rwl, *.safe, *.sav, *.sql, *.srt, *.srw, *.stm, *.svg, *.swf, *.tex, *.tga, *.thm, *.tlg, *.vbox, *.vdi, *.vhd, *.vhdx, *.vmdk, *.vmsd, *.vmx, *.vmxf, *.vob, *.wav, *.wma, *.wmv, *.wpd, *.wps, *.xlr, *.xlsb, *.xlsm, *.xlsx, *.yuv, *.JPEG, *.jpe, *.jpg

When the ransomware encrypts a file it will append the .crinf extension to the end of it. During the encryption process, CryptInfinite will skip any file whose path contains one of the following strings:

Windows, Program Files, KEY, .crinf

For each file that it encrypts, it will add a Registry value under the key HKCU\Software\CryptInfinite\Files. For example:

HKCU\Software\CryptInfinite\Files\11	C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
HKCU\Software\CryptInfinite\Files\12	C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
HKCU\Software\CryptInfinite\Files\13	C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
HKCU\Software\CryptInfinite\Files\14	C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
HKCU\Software\CryptInfinite\Files\15	C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
HKCU\Software\CryptInfinite\Files\16	C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
HKCU\Software\CryptInfinite\Files\17	C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg

It will also add other information about the installation, and whether it is complete, under the HKCU\Software\CryptInfinite Registry key. The full list of Registry keys and values made is:

HKCU\Software\CryptInfinite
HKCU\Software\CryptInfinite\Files
HKCU\Software\CryptInfinite\Info
HKCU\Software\CryptInfinite\Info\KEY	000000
HKCU\Software\CryptInfinite\Info\1	000000
HKCU\Software\CryptInfinite\Info\c	23
HKCU\Software\CryptInfinite\Info\m	57
HKCU\Software\CryptInfinite\Info\s	21
HKCU\Software\CryptInfinite\Info\Finish	True
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft corporation C:\Users\<login_name>\<id>.exe
HKCU\Control Panel\Desktop\WallpaperStyle	"0"
HKCU\Control Panel\Desktop\Wallpaper	"C:\Users\<login_name>\z2.bmp"

Finally, it will change the desktop wallpaper to C:\Users\<login_name>\z2.bmp, which also displays a ransom note.
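Because the ransomware records every file it encrypts under HKCU\Software\CryptInfinite\Files and flags completion under Info\Finish, those keys are the natural starting point for incident-response triage: they tell you what the malware believes it encrypted, which can be reconciled against the .crinf files and ReadDecryptFilesHere.txt notes actually on disk. The script below is an added example written for this page, not code from the page or from the decrypter. It parses a .reg export of the CryptInfinite key and cross-checks it against a directory tree; the export text, the directory tree and the file contents are constructed in a temporary directory, and the assumption that the values are plain REG_SZ strings is the author's, not the page's.

```python
"""Incident-response triage for the CryptInfinite Registry artifacts above.
Added example: not code from the page or from the decrypter. The .reg export
text and the directory tree are constructed in a temporary directory; the
Files/Info/KEY/Finish names come from the page, treating the values as REG_SZ
strings is an assumption."""
import os
import re
import tempfile

RANSOM_NOTE = "ReadDecryptFilesHere.txt"   # per-folder note named on the page
ENCRYPTED_EXT = ".crinf"                   # extension appended to encrypted files
BASE_KEY = "HKEY_CURRENT_USER\\Software\\CryptInfinite"

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg exports escape backslashes and quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _reg_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for the REG_SZ values of a
    .reg export. Other value types (dword:, hex:) are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            sections[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return sections


def cryptinfinite_state(sections):
    """Pull the ordered Files list and the Info values out of a parsed export."""
    files = sections.get(BASE_KEY + "\\Files", {})
    info = sections.get(BASE_KEY + "\\Info", {})
    ordered = [files[k] for k in sorted(files, key=int)]
    return {"files": ordered, "finished": info.get("Finish") == "True", "info": info}


def reconcile(state, root):
    """Compare the Registry Files list with the disk under root. The Registry
    stores the original path; the encrypted copy is that path plus .crinf."""
    report = {"encrypted_present": [], "registry_only": [], "disk_only": [], "note_dirs": []}
    listed = set(state["files"])
    for path in state["files"]:
        bucket = "encrypted_present" if os.path.exists(path + ENCRYPTED_EXT) else "registry_only"
        report[bucket].append(path)
    for dirpath, _dirs, names in os.walk(root):
        if RANSOM_NOTE in names:
            report["note_dirs"].append(dirpath)
        for name in names:
            if name.endswith(ENCRYPTED_EXT):
                original = os.path.join(dirpath, name[:-len(ENCRYPTED_EXT)])
                if original not in listed:        # encrypted but never recorded
                    report["disk_only"].append(original)
    return {k: sorted(v) for k, v in report.items()}


def build_constructed_case(root):
    """Create a small constructed victim tree under root and return the matching
    .reg export text. Constructed data, not from a real infection."""
    docs, pics = os.path.join(root, "Documents"), os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    listed = [os.path.join(docs, "report.docx"), os.path.join(pics, "Desert.jpg"),
              os.path.join(pics, "missing.png")]
    for p in listed[:2]:                      # two recorded files really were encrypted
        with open(p + ENCRYPTED_EXT, "wb") as f:
            f.write(b"\x00constructed ciphertext")
    with open(os.path.join(docs, "notes.txt") + ENCRYPTED_EXT, "wb") as f:
        f.write(b"\x00constructed ciphertext")   # encrypted, but missing from the Registry
    for d in (docs, pics):
        with open(os.path.join(d, RANSOM_NOTE), "w") as f:
            f.write("Your personal files have been encrypted!\n")
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % BASE_KEY, "",
             "[%s\\Files]" % BASE_KEY]
    lines += ['"%d"="%s"' % (i, _reg_escape(p)) for i, p in enumerate(listed, start=11)]
    lines += ["", "[%s\\Info]" % BASE_KEY, '"KEY"="000000"', '"Finish"="True"']
    return "\n".join(lines)


def run_constructed_case():
    """Build the case, reconcile it and return root-relative, slash-separated paths."""
    with tempfile.TemporaryDirectory() as root:
        state = cryptinfinite_state(parse_reg_export(build_constructed_case(root)))
        report = reconcile(state, root)
        rel = lambda paths: sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in paths)
        return {"finished": state["finished"], **{k: rel(v) for k, v in report.items()}}


if __name__ == "__main__":
    for k, v in run_constructed_case().items():
        print(k, v)
```

The two discrepancy buckets are the useful output: registry_only entries are files the malware recorded but never actually encrypted (a run cut short, a drive that was disconnected), and disk_only entries are .crinf files the Registry does not list, which the decrypter's Add Folder button exists to cover. In a real case the export comes from reg export "HKCU\Software\CryptInfinite" on the victim machine, and root is the drive to be checked.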

In each folder where it encrypts a file it will create a text file ransom note called ReadDecryptFilesHere.txt that contains the following information:

Your personal files have been encrypted!
Your documents, photos, databases and other important files have been encrypted using a military grade encryption algorithm.
The only way to decrypt your files is with a unique decryption key stored remotely in our servers. All your files are now
unusable until you decrypt them. You have 24h to pay for the release of your decryption key. After 24h have passed, your
decryption key will be erased and you will never be able to restore your files.
To obtain your unique decryption key you will need to pay $500 using a PayPal MyCash voucher.
If the payment is not sent within 12h the amount to obtain your decryption key will be $1000.
PayPal MyCash vouchers can be purchased at CVS, 7-Eleven, Dollar General, fred`s Super Dollar,
Family Dollar and many other stores.
After obtaining your PayPal MyCash voucher code you need to send an email to
silasw9pa@yahoo.co.uk with the following information.
1. Your $500 PayPal MyCash PIN
2. Your encryption ID =
Shortly after the voucher is received and verified, all your files will be restored to their previous state.
All payments are processed and verified manually, do not try to send invalid PIN numbers.

When the infection has finished it will display a user interface for the ransomware which consists of two screens. The first screen contains some basic information about what happened to your files as seen below.

CryptInfinite Ransom Application

The second page allows you to check for and see the status of your payment:

Check Payment Screen

If you make a payment and it is confirmed, it will display a new screen that states you should download a decrypter. The URL of this decrypter is hard-coded into the executable, but the link no longer works. The hard-coded URL is: https://github.com/m0nk8/tor/blob/master/DecryptorMAX.exe?raw=true

Finally, the wallpaper is changed to this image:

Wallpaper Ransom Note

As more information about this ransomware is discovered we will update this first post to reflect the latest information.
 

Files added by CryptInfinite:

%AppData%\XBMGERoOjZX.exe
%UserProfile%\<id>.exe
C:\Users\<login_name>\z2.bmp

Registry keys added by CryptInfinite:

HKCU\Software\CryptInfinite
HKCU\Software\CryptInfinite\Files
HKCU\Software\CryptInfinite\Info
HKCU\Software\CryptInfinite\Info\KEY	000000
HKCU\Software\CryptInfinite\Info\1	000000
HKCU\Software\CryptInfinite\Info\c	23
HKCU\Software\CryptInfinite\Info\m	57
HKCU\Software\CryptInfinite\Info\s	21
HKCU\Software\CryptInfinite\Info\Finish	True
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft corporation C:\Users\<login_name>\<id>.exe
HKCU\Control Panel\Desktop\WallpaperStyle	"0"
HKCU\Control Panel\Desktop\Wallpaper	"C:\Users\<login_name>\z2.bmp"

Source: https://www.bleepingcomputer.com/