unlock

Update 10/6/22: The article originally referred to this family as Hades based on the reference in Avast's articl​e and confusion with another ransomware family.

Avast has released a decryptor for variants of the MafiaWare666 ransomware known as 'Jcrypt', 'RIP Lmao', and 'BrutusptCrypt,' allowing victims to recover their files for free.

The security company says it discovered a flaw in the encryption scheme of the MafiaWare666 strain, allowing some of the variants to be unlocked. However, this may not apply to newer or unknown samples that use a different encryption system.

Utilizing Avast's tool, victims of the supported ransomware variants can decrypt and access their files again without paying a ransom to the attackers, which ranges between $50 and $300. However, ransom demands reached tens of thousands in some cases.

Message seen by MafiaWare666 victims
Message seen by MafiaWare666 victims (Avast)

It should be noted that Avast states that MafiaWare666 also called 'Hades,' which is not the same as the Hades ransomware used by Evil Corp in an attack on ForwardAir.

The ransomware family targeted by this encryptor is a lower-level operation that did not perform data theft and double-extortion attacks.

Using the MafiaWare666 decryptor

The Avast decryptor only supports files encrypted by specific variants of the MafiaWare666 ransomware family. These variants include the following extensions and strings appended/prepended to an encrypted file's name:

  • .MafiaWare666
  • .jcrypt
  • .brutusptCrypt
  • .bmcrypt
  • .cyberone
  • .l33ch

If you were affected by one of these variants, you can download the free decryptor from here, run the executable, select the drive that holds the encrypted files, and point the tool to a sample pair of encrypted and original files.

Add file pair and password

Those who possess a valid password for decrypting the files but couldn't get the decryptor supplied by MafiaWare666 to work can tick the box and provide it onto Avast's tool.

Most victims don't have a password, so they will have to wait for Avast's tool to crack it manually, which may take some time.

Cracking the password

After the password is found, the users can initiate the decryption process. At this stage, it is highly recommended to tick the boxes to back up the encrypted files and run the tool as an administrator.

Final decryption step

It is important to stress that you should enable the option to back up encrypted files, as if there is a problem with the decryptor, the encrypted files can become further corrupted.

For a step-by-step guide on using the decryptor, you can read Avast's blog post.

Related Articles:

New ShrinkLocker ransomware decryptor recovers BitLocker password

Attacks on Citrix NetScaler systems linked to ransomware actor

New Ymir ransomware partners with RustyStealer in attacks

Halliburton reports $35 million loss after ransomware attack

Critical Veeam RCE bug now used in Frag ransomware attacks