Free decryptor released for GetCrypt ransomware that spreads through RIG exploit kit

• GetCrypt uses a combo of Salsa20 and RSA-4096 algorithms to encrypt the victim’s files.
• While encrypting, it appends a random 4 character extension to the infected files.

Users infected by GetCrypt ransomware can now retrieve their encrypted files without paying a ransom. It is possible through a decryptor that has been released by security researchers.

What is GetCrypt ransomware?

GetCrypt is a new ransomware that is distributed via RIG exploit kit. The ransomware was discovered by a researcher nao_sec. The researcher found the malware being used in Popcash malvertising campaigns and alerted BleepingComputer.

When the exploit kit executes the ransomware, GetCrypt first checks if the Windows is set to Ukrainian, Belarusian, Russian or Kazakh language. If it finds the system with any of these languages, then the ransomware will terminate and not encrypt the computer.

What are its capabilities?

GetCrypt uses a combo of Salsa20 and RSA-4096 algorithms to encrypt the victim’s files. While encrypting, it appends a random 4 character extension to the infected files.

Later, it drops a ransom note named ‘decrypt my files #.txt’ in each folder to guide a victim with the payment process. The ransom note advises the victim to contact getcrypt@cock[.]li for payment instructions.

During the infection process, the ransomware also changes the desktop background to a random image which is stored at %LocalAppData%\Tempdesk.bmp.

What is the solution?

Emsisoft security researchers have released a free decryptor for the GetCrypt ransomware. The victims are required to retain the original unencrypted copy of the files that have been encrypted before initiating the decryption process.