There has been a lot of discussion today in BleepingComputer's CryptXXX Help topic about victims logging into the ransomware's payment servers and being given their decryption key for free. When users tried these keys, they found that they were indeed able to decrypt their encrypted files. Though some have stated that the master key has been released, this is not the case, as each person's decryption key has been different and only worked on their own files.

Free Decryption Key

When I researched this further, I discovered that the free keys are only being offered for certain versions of CryptXXX, namely the variants that add the .Crypz and .Cryp1 extensions to encrypted files. All other versions are not receiving the decryption key for free.

At this time it is unknown why the payment servers are providing free keys for these variants. It could be that the developers are throwing a bone to their victims, but my guess is that a malfunction on their payment server is causing this. The devs have been known in the past to provide buggy code and decryptable variants, so another error like this would not be hard to imagine.

Below I have put together a list of all the known variants of the CryptXXX ransomware that I had access to. The only known variant that I was not able to test is the one that adds the .cryptz extension. If anyone was infected with that variant, please let me know if the free key is being offered for you.

Keys being offered for Free

.Crypz Extension (UltraDecryptor)

Ransom Note Name: ![victim_id].html

Ransom Note Name: ![victim_id].txt

Example TOR Url: http://xqraoaoaph4d545r.onion.to

Example TOR Url: http://xqraoaoaph4d545r.onion.cab

Example TOR Url: http://xqraoaoaph4d545r.onion.city

.Cryp1 Extension (UltraDecryptor)

Ransom Note Name: ![victim_id].html

Ransom Note Name: ![victim_id].html

Example TOR Url: http://eqyo4fbr5okzaysm.onion.to

Example TOR Url: http://eqyo4fbr5okzaysm.onion.cab

Example TOR Url: http://eqyo4fbr5okzaysm.onion.city

Does Not Provide a Free Key:

.Crypt Extension (UltraDeCrypter)

Ransom Note Name: [victim_id].html

Ransom Note Name: [victim_id].txt

Example TOR Url: http://klgpco2v6jzpca4z.onion.to

Example TOR Url: http://klgpco2v6jzpca4z.onion.cab

Example TOR Url: http://klgpco2v6jzpca4z.onion.city

.Crypt Extension (Google Decryptor)

Ransom Note Name: !Recovery_[victim_id].html

Ransom Note Name: !Recovery_[victim_id].txt

Example TOR Url: http://2zqnpdpslpnsqzbw.onion.to

Example TOR Url: http://2zqnpdpslpnsqzbw.onion.cab

Example TOR Url: http://2zqnpdpslpnsqzbw.onion.city

Random Extension (UltraDecryptor)

Ransom Note Name: @[victim_id].html

Ransom Note Name: @[victim_id].txt

Example TOR Url: 2mpsasnbq5lwi37r.onion.to

Example TOR Url: 2mpsasnbq5lwi37r.onion.cab

Example TOR Url: 2mpsasnbq5lwi37r.onion.city

No extension (Microsoft Decryptor)

Ransom Note Name: README.html

Ransom Note Name: README.txt

Example TOR Url: http://ccjlwb22w6c22p2k.onion.to

Example TOR Url: http://ccjlwb22w6c22p2k.onion.city

