Break-fix call on a CrySiS Ransomware infection. It’s actually not CrySiS, but a fork of it, which is not decryptable at this time. CrySiS shut down its operation a month or so ago and dumped the master encryption key so victims could decrypt their files. Not so much with this variant.
After infection, it drops a JPEG file in the user's folder: C:\Users\Victim\INFORMATION HOoW TO DECRYYPT FILES.jpg (the misspellings are the malware's own).
It encrypts files and renames them by appending the extension .[stopper@india.com].wallet.
It drops a file on the desktop named STOPPER.txt:
Attentiion!!! All your filess are encrypted! To decrypt your files, please contact us by email:stopper@india.com
The infection vector was an unauthorized RDP connection gained by brute-forcing the credentials.
It also drops AnonCrpt.exe on the desktop (274 KB). A quick analysis on VirusTotal shows the results below:
As mentioned earlier, there is not a way to decrypt this currently.
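Since decryption is not an option, the practical response is to find every host and share that carries this variant's artifacts. The sweep below is an added example (not from the original post): it walks a directory tree and buckets files by the indicators described above (the .[stopper@india.com].wallet extension, the STOPPER.txt and JPEG notes, and AnonCrpt.exe). It also generalises the extension match to the same "<name>.[<contact email>].wallet" renaming with a different address, which is an assumption about sibling variants; the sample tree it builds is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
ENCRYPTED_SUFFIX = ".[stopper@india.com].wallet"
RANSOM_NOTE_NAMES = {"STOPPER.txt", "INFORMATION HOoW TO DECRYYPT FILES.jpg"}
DROPPED_BINARY = "AnonCrpt.exe"
# Assumption: sibling variants keep the "<name>.[<email>].wallet" renaming
# but swap in a different contact address.
WALLET_RE = re.compile(r"^(?P<orig>.+)\.\[(?P<email>[^\]]+@[^\]]+)\]\.wallet$")

def classify(name):
    """Return (indicator, detail) for one file name, or None if it is clean."""
    m = WALLET_RE.match(name)
    if m:
        kind = "encrypted" if name.endswith(ENCRYPTED_SUFFIX) else "encrypted_variant"
        return kind, {"original": m.group("orig"), "contact": m.group("email")}
    if name in RANSOM_NOTE_NAMES:
        return "ransom_note", {}
    if name.lower() == DROPPED_BINARY.lower():
        return "dropped_binary", {}
    return None

def sweep(root):
    """Walk root and bucket every matching file by indicator type."""
    hits = {"encrypted": [], "encrypted_variant": [], "ransom_note": [], "dropped_binary": []}
    for path in Path(root).rglob("*"):
        if path.is_file():
            result = classify(path.name)
            if result:
                kind, detail = result
                hits[kind].append({"path": str(path), **detail})
    return hits

def build_sample_tree():
    """Constructed sample tree mimicking the artifacts in the write-up."""
    root = Path(tempfile.mkdtemp())
    user = root / "Users" / "Victim"
    (user / "Desktop").mkdir(parents=True)
    (user / "Documents").mkdir()
    (user / "INFORMATION HOoW TO DECRYYPT FILES.jpg").write_bytes(b"jpg")
    (user / "Desktop" / "STOPPER.txt").write_text("Attentiion!!! All your filess are encrypted!")
    (user / "Desktop" / "AnonCrpt.exe").write_bytes(b"MZ")
    (user / "Documents" / "budget.xlsx.[stopper@india.com].wallet").write_bytes(b"x")
    (user / "Documents" / "notes.txt.[other@example.com].wallet").write_bytes(b"x")  # constructed sibling variant
    (user / "Documents" / "clean.docx").write_bytes(b"x")
    return str(root)

if __name__ == "__main__":
    for kind, items in sweep(build_sample_tree()).items():
        print(kind, items)
```

Point sweep() at a mounted share or a user profile to inventory what was touched; the "original" field gives the pre-encryption name for matching against backups.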
Stay safe.