CryptON, also known as Nemesis or X3M, targets servers running Windows OS and is distributed and executed manually via Remote Desktop Protocol (RDP) brute force attacks. CryptON does not contain a file extension list so it encrypts any and all file types it finds on the infected server. It does, however, exclude C:\Windows, C:\Program Files, and the user profile folder to avoid impacting the boot operation and other critical system processes. CryptON deletes system recovery points to prevent victims from restoring files without paying the ransom. According to Emsisoft’s analysis team, files encrypted by CryptON are 16 bytes larger than the original file and append the following extensions to the file names:

  • .id-<id>_locked
  • .id-<id>_locked_by_krec
  • .id-<id>_locked_by_perfect
  • .id-<id>_x3m
  • .id-<id>_r9oj
  • .id-<id>
  • .id-<id>_steaveiwalker@india.com_
  • .id-<id>
  • .id-<id>_tom.cruz@india.com_
  • .id-<id>_CarlosBoltehero@india.com_
  • .id-<id>_maria.lopez1@india.com_

  • Emsisoft provides more information about CryptON here.
  • Emsisoft provides a free decryption tool for CryptON here.