
Decrypting Cryakl 1.4.0.0 / 1.4.1.0 FAIRYTAIL Ransomware

Feeling responsible for an unfortunate ransomware infection on my parents' network, persistence paid off: I was able to decrypt a strain of ransomware that had not previously (or at least not publicly) been cracked. I hope this helps others out there affected by the same strain, CL 1.4.0.0 Fairytail.

On December 9, my father asked me to open up his computer so he could connect in while on vacation. It was late and I was feeling too lazy to set up a VPN. Instead, I forwarded port 3389 to his computer and enabled Remote Desktop.


As his computer had no password, I told him he had to set one. Unfortunately, his first name was not a very strong password. Exposing Remote Desktop directly to the internet behind a guessable password needs no exploit to abuse; a password guess is enough. Two days later, at 3:00 am, his computer was infected. By morning, everything was encrypted. This was also a very rare situation where his other computer, which holds all of his important data, was turned on as well. It was encrypted too.


The prognosis did not look good. Everywhere online said it was Cryakl and impossible to decrypt. I tried Kaspersky's RannohDecryptor, which hadn't been updated for about a year, and wasn't surprised when it didn't work. There were no shadow copies to work with and no recent backups. I began running data recovery software in the hope of recovering some files. Many pictures were found this way, but other important files were not. I was still not satisfied. I took his computers to my house and worked on a small set of files for about a month. I was ultimately able to manually decrypt one file. Then I was able to refine and repeat the process on any file on his computer. I developed a tool to go through any drive or folder recursively and have now decrypted his entire computer.

At this time, the tool requires a file as it existed before encryption, together with its encrypted counterpart. These must be the same file, byte for byte, before and after encryption; a different document with the same name, or a re-saved copy, will not work. I have built in some checks, but I will not go as far as saying they are perfect. ALWAYS back up the encrypted data before using this tool, and take your time reading the instructions. If you damage the encrypted files, there is a good chance the data will truly be lost forever.

If any researchers from the big security firms out there would like to know how the decryption works, I am happy to discuss it with you. I did briefly post the solution online but took it down as I did not want to tell the extortionists where to improve.

This tool is for files with filenames that look like this:

email-draggonblack@yahoo.com.ver-CL 1.4.0.0.id-#########-12@11@2017 3@23@45 AM7563453.fname-README.txt.fairytail


On a final note, I just want to emphasize this one more time -- BACKUP YOUR FILES BEFORE USING THIS TOOL.


Here is a link to the decryption tool:

https://www.dropbox.com/s/3doqkwpr6hgwua0/Cryakl-Decoder.exe?dl=0


Updated Feb 11, 2018

- Updated interface to include a Job Summary which helps you to know what files and directories the application is set to work with.

- Added a feature to create a signature from the encryption fingerprint of the encrypted analysis file. If a different signature is found during decryption, the tool will not modify the contents of that file: attempting to decrypt files with a different signature produces broken files.


For troubleshooting tips and past update details, see the notes at the end of the article.


Troubleshooting Tips


**** If you require support, please use the Ask a Question feature of Experts Exchange. Be sure to include the term "Fairytail" in your question so I can find it more easily. This keeps the comments section clean and lets me work on each case in a separate space. If the tool is not decrypting your files properly, you may have a strain that I have not yet seen. Please include with your question a zip file containing your unencrypted original file, its encrypted counterpart and some other sample files that I can test with.


**** If you are having trouble finding an original, unencrypted file, see the tips below:

  • Review the files in your downloads folder. If you think you can download any of those files again, you will have an original file to use.
  • Go through your flash drives and external hard drives that were not connected at the time of infection. You may find a document that can serve as an original file if a copy was still on your PC and happened to get encrypted.
  • Check to see if the files in "C:\Windows\Media\" are encrypted on your PC. If they are, find the unencrypted file on any other computer with a matching operating system.
  • Log into your email in a web browser and check for sent messages with attachments. It's likely that one of those attachments is encrypted on your computer. This can serve as your unencrypted file. 


Previous Updates

Feb 10, 2018

- Fixed a bug that was leaving bytes 48000-49999 encrypted.

Feb 8, 2018

- Updated technique for parsing the filename structure to automatically handle slight variations
- Fixed a bug when decrypting files larger than 2GB and choosing to keep encrypted files.

- When choosing to keep encrypted files, application will now copy the encrypted file into a new file called [original_filename].fairydust. Once that file has been fixed, it is renamed to the original file name.
- When decrypting a single file, you will now see the status dialog appear.
- If a file being decrypted already exists, it will append a timestamp to the end of the file name. This will be useful if you were able to partially restore some files from backup before decryption.

Feb 3, 2018

- Fixed a bug causing problems when choosing not to keep encrypted files

- Fixed a bug resulting from different filename structures that caused a problem decrypting a directory

34 Comments
 
LVL 1

Author Comment

by:James-Gourley
A new variant was sent to me today, CL 1.4.1.0. I am happy to say that this tool appears to be successful in decoding that version as well. Of course, please follow all the same precautions and back up your encrypted files first. I had a very small sample of files provided to test with.

Good luck to everyone!
0
 

Expert Comment

by:alex telegaru
i love you !!! thanks thanks thanks
0
 
LVL 1

Author Comment

by:James-Gourley
Note to CL 1.4.1.0 victims: A bug has been identified when decrypting a folder and choosing not to keep encrypted files. It will affect some files recovered that are under 50kb. I am not able to fix the bug at the moment, so please keep the option selected to keep encrypted files after recovery. I will post an update when the bug is resolved.
0

Expert Comment

by:Augusto Sousa
Hi
I'm trying to use this tool to decrypt a 1.4.1.0 version of Cryakl.
However, this tool appears not to work properly.
I select an infected file and the same one clean, and it reports the encryption key to me.
I select a folder to decrypt, I choose to keep infected files, I press start decryption and .... it just stays frozen and doesn't do anything.
Is there anything I've done the wrong way? Is there any "tool" or other program I could use to decrypt the infected files?

I attach 2 files. One with Cryakl that I've been "presented" with, and the other one is the same file but not encrypted.

 
JPE.DR-2016.pdf

email-blackdragon43-yahoo.com.ver-CL.pdf
0
 
LVL 1

Author Comment

by:James-Gourley
I haven't personally seen it freeze up at that stage. What operating system are you running it on? It also requires .NET Framework 4.0 to run, though I don't think the program would launch at all without it.

When you click Start, a second window should open and begin scanning the directory. Does it work to decrypt a single file for you?
0
 

Expert Comment

by:Augusto Sousa
So Sorry !!
i reported your comment by mistake !!! Damn !! So sorry !!

I use Windows 10 .... I have .NET Framework 4.0 ..... and no, I cannot decrypt a single file .... but when I use an encrypted file and the same file without encryption, it gives me the entire hex code ... so I think it can decrypt it but, as you say, it could be a variant using the file name
0
 
LVL 1

Author Comment

by:James-Gourley
Update for CL 1.4.1.0 Victims: The bug causing problems when choosing not to keep encrypted files has been fixed. You may now choose not to keep encrypted files while you restore your data.

A second issue was found due to a variation in file names. This has now been fixed, so if you were having problems similar to Augusto Sousa, that should be resolved now.
1
 

Expert Comment

by:Augusto Sousa
James ...
Thxs a lot !
Running fine!! Extremely fine!! More than 200,000 of 600,000 files restored to original status so far
Will report some more when finished
0
 
LVL 1

Author Comment

by:James-Gourley
Augusto, that is excellent news. Thanks for sharing!
0
 

Expert Comment

by:Rami Rand
Hello, I've been infected with the .fairytail ransomware, but I don't get how you were able to find a file before encryption? I have all the data, just in encrypted form, but nothing prior to it. Is there any way to decrypt the files without the original file?
0
 
LVL 1

Author Comment

by:James-Gourley
The file from before encryption can come from several places. One example would be your Downloads folder. You may have an encrypted file here to which you can easily download the original again, either from the web or in your email inbox. If you go this route though, the files must be an exact match or they will not decrypt files properly. Always back up your encrypted data before using this tool, and test on a small number of files first.
0
 

Expert Comment

by:Arseniy Dugin
Hello, I've been infected by Cryakl 1.4.1.0. I can decrypt a single file but I can't decrypt an entire folder. It just searches, finds nothing and writes "Process Complete".
Files have names like email-hola@all-ransomware.info.ver-CL 1.4.1.0.id-3457440693-07.02.2018 9@58@158254985.fname-filename.docx.fairytail
I tested on 5 PCs with Win10 x64 and Win7 x64 with .NET Framework 4.0 and it works the same way.
0
 
LVL 1

Author Comment

by:James-Gourley
It looks like they've changed the filename structure again around the date. I will have to update the code to accommodate the change. I am a far cry from identifying as a software developer, so unfortunately these little things are all it takes to break the tool. I will update the code and let you know when to try again. I have to do the updates in the evenings as I work during the day, so you'll have to sit tight for a bit. My apologies for your trouble. At least it works to decode single files, so you can breathe a little easier knowing that decryption will be possible.
0
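The two name layouts quoted on this page (the article's `email-draggonblack@yahoo.com.ver-CL 1.4.0.0.id-...` pattern and the `CL 1.4.1.0` name in Arseniy's comment above) differ only in the id and timestamp fields, which is exactly the kind of variation that broke the tool's directory scan. The parser below is an added example written for this page, not the author's code: it anchors on the fixed markers (`email-`, `.ver-CL`, `.id-`, `.fname-`, `.fairytail`) and lets everything between them vary, returns `None` for anything else so a caller never guesses an output name, and exposes the (email, version, id) triple as a cheap per-campaign grouping key, so a directory walk can skip files that were not encrypted by the same run as the analysis pair. Treating those markers as stable is the one assumption; the dataclass and function names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# The fixed markers are the only thing assumed stable; the e-mail, version,
# id, timestamp and original name between them may vary in length and charset.
_NAME_RE = re.compile(
    r"^email-(?P<email>.+?)"
    r"\.ver-CL\s*(?P<version>\d+(?:\.\d+)*)"
    r"\.id-(?P<victim_id>[^-]+)"
    r"-(?P<stamp>.*?)"
    r"\.fname-(?P<original>.+)"
    r"\.fairytail$"
)


@dataclass(frozen=True)
class FairytailName:
    email: str        # extortionist contact address
    version: str      # "1.4.0.0", "1.4.1.0", ...
    victim_id: str    # per-victim id (masked as ######### in the article)
    stamp: str        # encryption timestamp plus a trailing number; layout varies
    original: str     # the file name to restore to

    @property
    def campaign(self) -> Tuple[str, str, str]:
        """Files encrypted by one run share contact, version and id; files
        with a different triple should not be fed the same key."""
        return (self.email, self.version, self.victim_id)


def parse_fairytail_name(path: str) -> Optional[FairytailName]:
    """Parse the last path component (Windows or POSIX separators).
    Returns None for anything that does not match, so the caller never
    invents an output name for an unrecognised file."""
    name = path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    m = _NAME_RE.match(name)
    return FairytailName(**m.groupdict()) if m else None


def partition_by_campaign(paths: Iterable[str]) -> Dict[Tuple[str, str, str], List[str]]:
    """Group recognised paths by campaign so a directory walk can restrict
    itself to the group the analysis pair came from."""
    groups: Dict[Tuple[str, str, str], List[str]] = {}
    for p in paths:
        parsed = parse_fairytail_name(p)
        if parsed is not None:
            groups.setdefault(parsed.campaign, []).append(p)
    return groups


if __name__ == "__main__":
    # Constructed sample using the two layouts quoted on this page.
    for sample in (
        "email-draggonblack@yahoo.com.ver-CL 1.4.0.0.id-#########-12@11@2017 3@23@45 AM7563453.fname-README.txt.fairytail",
        "email-hola@all-ransomware.info.ver-CL 1.4.1.0.id-3457440693-07.02.2018 9@58@158254985.fname-filename.docx.fairytail",
        "JPE.DR-2016.pdf",
    ):
        print(parse_fairytail_name(sample))
```

Because the timestamp group is lazy and the original-name group is greedy, a victim file that itself contains `.fname-` in its name still resolves correctly: the first `.fname-` after the id is taken as the marker and everything up to `.fairytail` is the original name.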
 

Expert Comment

by:Ale Tucci
Thank you a lot for the precious work!
Could you make something for files bigger than 2 GB?
0
 
LVL 1

Author Comment

by:James-Gourley
Hi Ale: To decrypt a file larger than 2GB, you currently have to choose not to keep the encrypted files. I have used the tool to decrypt a backup archive that was over 300GB in size. The difference is that when you choose to keep the file, it must read the entire file, fix it, and write it to a new file. The method in which I read the file in is limited to 2GB. When you choose not to keep the file, the program "fixes" the file in place, and only modifies the encrypted bytes. I hope that helps in the short term and I will try to learn how to read/write the file differently for a future update. I'm going to look at it tonight and should at least have a fix available for Arseniy Dugin. If there is time I will check into the >2GB issue as well.
1
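To show what "fix the file in place and only modify the encrypted bytes" looks like, and why that path has no size limit, here is an added example (not the author's .NET code) of the two restore modes described in the comment above: copy to `[original_filename].fairydust`, patch, rename (keep mode) versus patching the encrypted file itself. It assumes the encrypted prefix is exactly the first 50,000 bytes (the author reports "the first 50kb" and a bug at bytes 48000-49999), leaves the ransomware's trailing metadata in place because its format is not documented on this page, and uses an XOR stand-in for the real key-dependent transform, which the article deliberately does not publish. The in-place mode is the irreversible one: a wrong key or a mismatched signature destroys the only copy, which is why the article keeps repeating "back up first".

```python
import shutil
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict, Tuple

# The author reports that only the first 50 KB of each file is encrypted and
# that the bytes after it are untouched; taking the boundary as exactly
# 50,000 bytes is an assumption for this example.
ENCRYPTED_REGION = 50_000
KEEP_SUFFIX = ".fairydust"          # temporary name the tool uses in keep mode


def xor_prefix(chunk: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for the key-dependent transform the article does not publish.
    This is NOT Cryakl's cipher; any length-preserving function that maps the
    encrypted prefix back to plaintext can be plugged in instead."""
    return bytes(b ^ key for b in chunk)


def unique_target(target: Path) -> Path:
    """Never overwrite an existing file (e.g. one already restored from backup):
    append a timestamp, as the tool's Feb 8 update describes."""
    if not target.exists():
        return target
    stamp = time.strftime("%Y%m%d-%H%M%S")
    candidate = target.with_name(f"{target.name}.{stamp}")
    n = 1
    while candidate.exists():
        candidate = target.with_name(f"{target.name}.{stamp}-{n}")
        n += 1
    return candidate


def patch_region_in_place(path: Path, fix_region: Callable[[bytes], bytes]) -> int:
    """Rewrite only the encrypted prefix of `path`. The rest of the file is
    never read, so a 300 GB archive costs the same as a 60 KB document and no
    whole-file buffer (the source of the 2 GB limit) is needed."""
    with open(path, "r+b") as fh:
        head = fh.read(ENCRYPTED_REGION)
        fixed = fix_region(head)
        if len(fixed) != len(head):
            raise ValueError("transform changed the region length; refusing to write")
        fh.seek(0)
        fh.write(fixed)
    return len(fixed)


def restore(encrypted: Path, original_name: str,
            fix_region: Callable[[bytes], bytes], keep_encrypted: bool = True) -> Path:
    """Restore one file next to its encrypted copy and return the output path."""
    target = unique_target(encrypted.with_name(original_name))
    if keep_encrypted:
        work = encrypted.with_name(original_name + KEEP_SUFFIX)
        shutil.copyfile(encrypted, work)      # streamed copy, no size limit
        patch_region_in_place(work, fix_region)
        work.replace(target)                  # only now does the name appear
    else:
        patch_region_in_place(encrypted, fix_region)   # irreversible: no copy kept
        encrypted.replace(target)
    return target


def demo() -> Dict[bool, Tuple[bool, bool, bool]]:
    """Constructed round trip in a temp dir: build a fake 'encrypted' file with
    xor_prefix, restore it in both modes, and report (decrypted correctly,
    existing file left alone, encrypted copy still present) for each mode."""
    plain = bytes(range(256)) * 300                     # 76,800 bytes, > region
    enc_bytes = xor_prefix(plain[:ENCRYPTED_REGION]) + plain[ENCRYPTED_REGION:]
    results: Dict[bool, Tuple[bool, bool, bool]] = {}
    for keep in (True, False):
        d = Path(tempfile.mkdtemp())
        enc = d / "email-x@y.z.ver-CL 1.4.1.0.id-1-stamp.fname-report.docx.fairytail"
        enc.write_bytes(enc_bytes)
        (d / "report.docx").write_bytes(b"partial restore from backup")
        out = restore(enc, "report.docx", xor_prefix, keep_encrypted=keep)
        results[keep] = (
            out.read_bytes() == plain,        # fully decrypted
            out.name != "report.docx",        # pre-existing file not clobbered
            enc.exists(),                     # encrypted copy kept?
        )
        shutil.rmtree(d)
    return results


if __name__ == "__main__":
    print(demo())
```

`demo()` builds a constructed sample in a temporary directory and exercises both modes; the pre-existing `report.docx` is left untouched and the restored file gets a timestamp suffix, as the Feb 8 update describes. Swap `xor_prefix` for the real transform and `restore()` is unchanged.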
 

Expert Comment

by:Ale Tucci
Thank you James-Gourley!
0
 

Expert Comment

by:Arseniy Dugin
Thanks a lot!
0
 
LVL 1

Author Comment

by:James-Gourley
Updated Decryption Tool Available
I have updated the file linked in the article above to address some bugs that have been reported. As always, back up your encrypted files before using this utility. Enjoy!

Changes:
- I've updated the way the program parses the filename. This should help handle slight variations in the file name automatically.
- When choosing to keep original files, a bug was present that prevented files over 2GB from being decrypted. This method has been updated and will now copy the encrypted file into a new file called [original_filename].fairydust. Once that file has been decrypted, it is renamed to the original file name.
- When decrypting a single file, you will now see the status dialog appear.
- If a file being decrypted already exists, it will append a timestamp to the end of the file name. This will be useful if you were able to partially restore some files from backup before decryption.
2
 

Expert Comment

by:Raul Rend
I have some issues with this tool. I haven't been able to get an original copy of the files before encryption and I have looked all over the internet trying to find an alternative, but it looks like this is the only tool that works with .fairytail ransomware. Isn't there any other way of decrypting the files? Please, if someone finds something that could help me, I could use some help.
0
 
LVL 1

Author Comment

by:James-Gourley
So far, without an original file I have not found a way. Here are a few tricks for finding an original file though: If your C:\Users\[username]\Downloads folder has files inside that are encrypted, see if you can find any of those files to download again from the source and use that as your original file. As a last-ditch effort, see if your file C:\Windows\Media\Alarm01.wav is encrypted. If so, send it to me and I'll see if mine is a match.
0
 

Expert Comment

by:Raul Rend
There are 2 files that I found. I changed the .fairytail one to .pdf because the site won't allow .fairytail. There is the original and the encrypted one.
files.zip
0
 
LVL 1

Author Comment

by:James-Gourley
Hi Raul,

Those files do not match. The original file is 152478 bytes and the encrypted file (ignoring the metadata at the end) is 153050 bytes.

Furthermore, the unencrypted data at the end of the file is not the same:
Unencrypted file ends with: /Prev 148336/XRefStm 147710>>..startxref..152296..%%EOF
Encrypted file ends with: endstream.endobj.startxref..116..%%EOF..

Unfortunately, they cannot be used to generate a key to decrypt the other files.
0
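The check James applied by hand above (same size once the trailing metadata is ignored, and identical unencrypted data at the end of both files) is the gate that keeps a wrong pair from producing a wrong key; the article's "these files MUST be a match" is the same point. The function below is an added example, not the tool's own code, that performs that check before any key derivation. It assumes only the first 50,000 bytes are encrypted and that the ransomware's metadata is a pure suffix of unknown length (so the tail comparison, not the size, is decisive), reports the first differing tail offset and both trailers the way the author quoted the two `%%EOF` lines, and refuses files that fit entirely inside the encrypted region, since those have no plaintext tail to verify against (the same small-file cases that surface elsewhere in this thread).

```python
from dataclasses import dataclass

# Author's observation: only the first ~50 KB of each file is encrypted, the
# bytes after that are untouched, and the encrypted copy carries extra metadata
# at its end. Taking the boundary as exactly 50,000 bytes and the metadata as a
# pure suffix are assumptions for this check.
ENCRYPTED_REGION = 50_000


@dataclass(frozen=True)
class PairCheck:
    ok: bool
    reason: str
    trailer_len: int = 0      # bytes of ransomware metadata after the data


def check_pair(original: bytes, encrypted: bytes) -> PairCheck:
    """Decide whether `encrypted` can be the encrypted form of `original`
    before any key is derived from the pair."""
    if len(encrypted) < len(original):
        return PairCheck(False, "encrypted copy is shorter than the original "
                                f"({len(encrypted)} < {len(original)} bytes)")
    trailer = len(encrypted) - len(original)
    if len(original) <= ENCRYPTED_REGION:
        # Nothing outside the encrypted region survives to compare against;
        # a small file can only be confirmed by decrypting it.
        return PairCheck(False, "original fits entirely inside the encrypted "
                                "region; cannot verify the pair by its tail", trailer)
    tail_o = original[ENCRYPTED_REGION:]
    tail_e = encrypted[ENCRYPTED_REGION:len(original)]
    if tail_o != tail_e:
        first = next(i for i, (a, b) in enumerate(zip(tail_o, tail_e)) if a != b)
        return PairCheck(False, "unencrypted tails differ at offset "
                                f"{ENCRYPTED_REGION + first}: original ends with "
                                f"{tail_o[-40:]!r}, encrypted ends with "
                                f"{tail_e[-40:]!r}", trailer)
    if original[:ENCRYPTED_REGION] == encrypted[:ENCRYPTED_REGION]:
        return PairCheck(False, "encrypted region is identical to the original; "
                                "this file was never encrypted", trailer)
    return PairCheck(True, "tails match; pair is usable", trailer)


if __name__ == "__main__":
    # Constructed sample: a fake PDF, its prefix scrambled with an XOR stand-in
    # (not Cryakl's cipher), plus 12 bytes of made-up trailing metadata.
    orig = b"%PDF-1.4 " + bytes(range(256)) * 250 + b"\nstartxref\n152296\n%%EOF\n"
    enc = bytes(b ^ 0x5A for b in orig[:ENCRYPTED_REGION]) + orig[ENCRYPTED_REGION:] + b"\x00" * 12
    print(check_pair(orig, enc))
    other = b"%PDF-1.5 " + bytes(range(255, -1, -1)) * 250 + b"\nstartxref\n116\n%%EOF\n"
    print(check_pair(other, enc))
```

A pair that passes this check can still be wrong in the encrypted region itself (the signature check added in the Feb 11 update covers that side); what it rules out is the case quoted above, where two different PDFs happened to share a name.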
 

Expert Comment

by:Raul Rend
So, if I can get two similar files we will be able to decrypt everything?
0
 

Expert Comment

by:Pavel Hruschev
Hi James, new version can handle folder operations but have an issue with decryption. All decrypted files have a portion of garbage in the middle. It was reported by Arseniy but his comment was deleted. Anyway, thank you for this great tool.
0
 
LVL 1

Author Comment

by:James-Gourley
Raul, if you can find a file as it existed before it was encrypted, and the encrypted version of that file, it should be able to be used to decrypt everything.

Pavel, can you send me some of these files that are having difficulties? I would also need an original/encrypted pair from you so I can test with it. I've only ever seen the first 50kb encrypted but there's a chance that they have changed something so that it encrypts more of the file, or different chunks of the file. I will certainly have a look for you.
0
 

Expert Comment

by:Tata Funk
Hi James
I'm having some difficulties decoding a .mdb file.
First of all, I don't have the original file because, of course, we've been hacked. Anyway, I've renamed the email-blackdragon43@yahoo.com etc. file to the original one.
The decoder sends the file to an existing directory c:/users/James/desktop
Can you help us?

Screenshot
0
 
LVL 1

Author Comment

by:James-Gourley
You will have to find an original file to determine how the files were encrypted. Next, you have to select the file or directory that you would like to decrypt. Last, click start decryption. Without an original file, this tool will not be able to help unfortunately.
0
 

Expert Comment

by:Tata Funk
What a pity. We only have the hacked file....
Can you do anything for us? We would be grateful to make a donation...
Thanks anyway
Best
1
 
LVL 1

Author Comment

by:James-Gourley
All I can suggest is to search around for a file that didn't get encrypted. Check your flash drives, email, etc.

One other possibility is that you can send me your encrypted c:\windows\media\alarm01.wav file, if it is in fact encrypted. If it matches mine, maybe I can make a key out of it
1
 

Expert Comment

by:Pavel Hruschev
James, it's not a new variant, it's the same that was reported by Arseniy 2 days ago with names like email-hola@all-ransomware.info.ver-CL 1.4.1.0.id-3457440693-07.02.2018 9@58@158254985.fname-filename.docx.fairytail. Old version decodes these files perfectly, but one-by-one only. New version decodes them on folder basis but leaves garbage portions in files. I think it's a decoding algorithm problem.
0
 
LVL 1

Author Comment

by:James-Gourley
Note to all victims:

A bug has been fixed that was leaving some encrypted data in the middle of the file. If you have been affected, download the tool again and try again. Please feel free to send me a PM if you find any other bugs, and Ask a Question if you need support.

Thanks Everyone!
1
 

Expert Comment

by:Raul Rend
James, you are a hero, man. Thanks to you I was able to decrypt most of the data that I had encrypted. Thanks so much. I found an old file and I was able to find the key. Thanks very, very much 😆😆😆😆
2
 

Expert Comment

by:Arturo Orta
Hi,

   First, I want to thank you so much for this utility. Second, I found a bug. When I try to decrypt a file smaller than 2 KB, it does not decrypt it at all. Can you help us with that? Thanks a lot.
0
 
LVL 1

Author Comment

by:James-Gourley
Hi Arturo Orta, sorry for the delay. I was sick and didn't have the energy to troubleshoot this. Could you private message me some files under 2kb so that I can test? I would need your original file / encrypted file pair to test with as well. I think I know where the problem is but I just don't want to blindly release an update. Thanks for your help and for pointing out the bug.
0