What is CryptXXX Ransomware

Update: Since this article was first published, several new versions of CryptXXX Ransomware have been released (UltraCrypter, CryptMIC), along with several editions of the original virus (CryptXXX V2, V3, V4, V5). The new extensions are .crypt1, .crypz or 5 random hexadecimal characters. Newer versions of CryptXXX can be decrypted using Trend Micro Anti-Ransomware.

CryptXXX is a crypto-ransomware virus. It encrypts the user's personal data with AES in CBC mode with a 256-bit key and demands a ransom for the RSA-4096 key. CryptXXX Ransomware also steals any bitcoins stored on the computer. The virus renames all encrypted files and gives them the .crypt, .cryp1 or .crypz extension, changes the desktop wallpaper to de_crypt_readme.bmp (an image with white text on a black background), creates a text file with instructions for paying the ransom (de_crypt_readme.txt), and an HTML file with the same instructions (de_crypt_readme.html). The ransom is about 1.2 Bitcoin, or roughly $400. CryptXXX Ransomware attacks data on local drives and attached storage devices. It delays the start of encryption for some time after the moment of infection, which makes it harder to detect. Thanks to specialists from Kaspersky it is fairly easy to remove the CryptXXX Ransomware virus and decrypt .crypt, .cryp1 or .crypz files. In this article we explain how.

Here is the content of the ransom note:

CryptXXX Ransomware
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment
Your personal id D78*****E87
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. xxxx://rp4roxeuhcf2vgft.onion.to
2. xxxx://rp4roxeuhcf2vgft.onion.cab
3. xxxx://rp4roxeuhcf2vgft.onion.city
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: xxxxs://torproject.org/projects/torbrowser.html.en
2. Video instruction: xxxxs://www.youtube.com/watch?v=NQrUZdsw2hA
3. After a successful installation, run the browser
4. Type in the address bar: http://rp4roxeuhcf2vgft.onion
5. Follow the instructions on the site.


How CryptXXX Ransomware infected your PC

CryptXXX Ransomware attacks computers running Windows 10, Windows 8 and Windows 7. It spreads through spam e-mails with malicious attachments or malicious links. CryptXXX Ransomware can also infect your computer through torrent downloads and game keygens and cracks. After download, it copies its main file to the %AppData% folder and starts the encryption process. These are the file types affected by CryptXXX Ransomware:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
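The renaming behaviour described above (original name kept, .crypt/.cryp1/.crypz appended) makes a first triage of an affected folder easy to script. The following is an added example, not code from the article or from any vendor tool: it walks a directory tree, finds ransom-renamed files and ransom notes, recovers each file's original extension, checks it against a small subset of the targeted extension list quoted above, and flags files whose first bytes still match their original format (a file that was only renamed, not encrypted, can simply be renamed back). The magic-byte table and the sample tree are constructed for the demonstration; the targeted subset and the artifact names come from the article.

```python
import os
import tempfile
from collections import Counter

# Extensions CryptXXX appends to encrypted files (from the article)
RANSOM_EXTS = {".crypt", ".cryp1", ".crypz"}
# Ransom note artifacts dropped next to the data (from the article)
NOTE_NAMES = {"de_crypt_readme.txt", "de_crypt_readme.html", "de_crypt_readme.bmp"}
# Small subset of the targeted extension list quoted in the article
TARGETED_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip", ".sql", ".txt", ".psd"}
# Leading bytes of a few common formats (assumed here for the demonstration)
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}


def split_ransom_name(filename):
    """Return (original_name, ransom_ext) for e.g. 'report.docx.crypt', else None."""
    base, ext = os.path.splitext(filename)
    if ext.lower() in RANSOM_EXTS and base:
        return base, ext.lower()
    return None


def looks_unencrypted(path, original_ext):
    """True when the file still starts with the magic bytes of its original format."""
    magic = MAGIC.get(original_ext)
    if magic is None:
        return False
    with open(path, "rb") as fh:
        return fh.read(len(magic)) == magic


def triage(root):
    """Walk root and classify files; returns a summary dict."""
    summary = {"notes": [], "encrypted": [], "renamed_only": [],
               "by_ext": Counter(), "untargeted": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in NOTE_NAMES:
                summary["notes"].append(path)
                continue
            parsed = split_ransom_name(name)
            if parsed is None:
                continue
            original, _ = parsed
            orig_ext = os.path.splitext(original)[1].lower()
            summary["by_ext"][orig_ext] += 1
            if orig_ext not in TARGETED_EXTS:
                # Not in the published list: worth a second look (different variant?)
                summary["untargeted"].append(path)
            if looks_unencrypted(path, orig_ext):
                summary["renamed_only"].append(path)
            else:
                summary["encrypted"].append(path)
    return summary


def build_sample_tree():
    """Constructed sample tree: one note, one encrypted doc, one renamed-only PDF, one clean file."""
    root = tempfile.mkdtemp(prefix="cryptxxx_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "de_crypt_readme.txt"), "w") as fh:
        fh.write("constructed ransom note placeholder\n")
    with open(os.path.join(docs, "report.docx.crypt"), "wb") as fh:
        fh.write(bytes(range(0x80, 0xC0)))  # opaque bytes standing in for ciphertext
    with open(os.path.join(docs, "invoice.pdf.crypz"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed sample, header intact\n")
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("untouched file\n")
    return root


if __name__ == "__main__":
    s = triage(build_sample_tree())
    print("ransom notes found:", len(s["notes"]))
    print("encrypted files:", len(s["encrypted"]))
    print("renamed only (restore by renaming):", len(s["renamed_only"]))
    print("original extensions hit:", dict(s["by_ext"]))
```

Run it on a copy of the affected tree, never on the only copy: the magic-byte check reads files but writes nothing, and the "renamed only" list is the set you can recover without any decryptor. The "untargeted" list is a hint that the files were hit by something other than the variant described here.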

Download Removal Tool

To remove CryptXXX Ransomware completely, we recommend using Combo Cleaner from RCS LT. It detects and removes all files, folders and registry keys of CryptXXX Ransomware and prevents future infections by similar viruses.

Alternative Removal Tool

Download SpyHunter 5

To remove CryptXXX Ransomware completely, we recommend using SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders and registry keys of CryptXXX Ransomware. The trial version of SpyHunter 5 offers a virus scan and one-time removal for FREE.

How to remove CryptXXX Ransomware manually

Removing CryptXXX Ransomware manually is not recommended; for a safer solution, use the removal tools instead.

CryptXXX Ransomware files:


C:\ProgramData\[victim_id].bmp
C:\ProgramData\[victim_id].html
%AppData%\svchost.exe
%StartupFolder%\[victim_id].lnk
%StartupFolder%\[victim_id]B.lnk
%StartupFolder%\[victim_id]H.lnk
%UserProfile%\Desktop\!Recovery_[victim_id].bmp
%UserProfile%\Desktop\!Recovery_[victim_id].html
%UserProfile%\Desktop\!Recovery_[victim_id].txt
%Temp%\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll
%Temp%\{D075E5D0-4442-4108-850E-3AD2874B270C}\api-ms-win-system-provsvc-l1-1-0.dll
%Temp%\{D4A2C643-5399-4F4F-B9BF-ECB1A25644A6}\api-ms-win-system-wer-l1-1-0.dll
%Temp%\{FD68402A-8F8F-4B3D-9808-174323767296}\api-ms-win-system-advpack-l1-1-0.dll

CryptXXX Ransomware registry keys:


HKCU\Control Panel\Desktop\Wallpaper "%UserProfile%\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg"
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource "C:\PROGRA~3\[victim_id].bmp"
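The file and registry indicators listed above are written with placeholders ([victim_id], %AppData%, %Temp% and GUID-named folders) that differ from one infection to the next, so they cannot be matched as literal strings. The following added example (not from the article) turns them into patterns and checks a host inventory against them. It assumes the victim id is a string of hexadecimal characters (as the masked id in the ransom note suggests), that the environment folders sit in the default Windows profile layout under C:\Users, and that any GUID-named temp folder may stand in for the four listed; the inventory it checks is constructed for the demonstration.

```python
import re

# Indicators as listed in the article (file paths and registry values).
FILE_IOCS = [
    r"C:\ProgramData\[victim_id].bmp",
    r"C:\ProgramData\[victim_id].html",
    r"%AppData%\svchost.exe",
    r"%StartupFolder%\[victim_id].lnk",
    r"%StartupFolder%\[victim_id]B.lnk",
    r"%StartupFolder%\[victim_id]H.lnk",
    r"%UserProfile%\Desktop\!Recovery_[victim_id].bmp",
    r"%UserProfile%\Desktop\!Recovery_[victim_id].html",
    r"%UserProfile%\Desktop\!Recovery_[victim_id].txt",
    r"%Temp%\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll",
    r"%Temp%\{D075E5D0-4442-4108-850E-3AD2874B270C}\api-ms-win-system-provsvc-l1-1-0.dll",
    r"%Temp%\{D4A2C643-5399-4F4F-B9BF-ECB1A25644A6}\api-ms-win-system-wer-l1-1-0.dll",
    r"%Temp%\{FD68402A-8F8F-4B3D-9808-174323767296}\api-ms-win-system-advpack-l1-1-0.dll",
]
REGISTRY_IOCS = [
    # Note: TranscodedWallpaper.jpg is also where Windows keeps any user-chosen
    # wallpaper, so this value only corroborates the other indicators.
    (r"HKCU\Control Panel\Desktop\Wallpaper",
     r"%UserProfile%\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource",
     r"C:\PROGRA~3\[victim_id].bmp"),
]

# Assumed default profile layout; adjust for non-standard profile locations.
USER = r"C:\\Users\\[^\\]+"
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PLACEHOLDERS = {
    "[victim_id]": r"[0-9A-Fa-f]+",          # assumption: hex id like D78*****E87
    "{guid}": GUID,                          # any GUID-named temp folder
    "%UserProfile%": USER,
    "%AppData%": USER + r"\\AppData\\Roaming",
    "%Temp%": USER + r"\\AppData\\Local\\Temp",
    "%StartupFolder%": USER + r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
}
GUID_RE = re.compile(GUID)


def ioc_to_regex(ioc):
    """Escape the literal indicator, then swap each placeholder for its wildcard."""
    generic = GUID_RE.sub("{guid}", ioc)      # literal GUIDs become the {guid} placeholder
    pattern = re.escape(generic)
    for token, wild in PLACEHOLDERS.items():
        pattern = pattern.replace(re.escape(token), wild)
    return re.compile("^" + pattern + "$", re.IGNORECASE)


FILE_PATTERNS = [(ioc, ioc_to_regex(ioc)) for ioc in FILE_IOCS]
REGISTRY_PATTERNS = [(key, value, ioc_to_regex(value)) for key, value in REGISTRY_IOCS]


def match_files(paths):
    """Map each inventory path to the list of indicators it matches (empty entries omitted)."""
    hits = {}
    for path in paths:
        matched = [ioc for ioc, rx in FILE_PATTERNS if rx.match(path)]
        if matched:
            hits[path] = matched
    return hits


def match_registry(entries):
    """Return the (key, value) pairs whose key and value both match an indicator."""
    hits = []
    for key, value in entries:
        for ioc_key, _, rx in REGISTRY_PATTERNS:
            if key.lower() == ioc_key.lower() and rx.match(value):
                hits.append((key, value))
    return hits


# Constructed host inventory: four CryptXXX artifacts, one legitimate svchost.exe, one document.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\svchost.exe",
    r"C:\ProgramData\D78A1C2E87.bmp",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D78A1C2E87H.lnk",
    r"C:\Users\alice\AppData\Local\Temp\{0A1B2C3D-0000-1111-2222-333344445555}\api-ms-win-system-wer-l1-1-0.dll",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\Documents\report.docx",
]
SAMPLE_REGISTRY = [
    (r"HKCU\Control Panel\Desktop\Wallpaper",
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource",
     r"C:\PROGRA~3\D78A1C2E87.bmp"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource",
     r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"),
]

if __name__ == "__main__":
    for path, iocs in match_files(SAMPLE_FILES).items():
        print(path, "->", iocs)
    for key, value in match_registry(SAMPLE_REGISTRY):
        print(key, "=", value)
```

The point of expanding %AppData% to the profile layout rather than to a bare wildcard is the legitimate C:\Windows\System32\svchost.exe in the sample: only the copy under the roaming profile is the indicator, and a looser pattern would flag every Windows machine.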

How to decrypt and restore .crypt, .cryp1 or .crypz files

Use automated decryptors

Decryption Tool 1

The ransomware decryptor from Kaspersky may be useful in this case. It is free and easy to use. Download the Kaspersky Ransomware Decryptor here:

Download RannohDecryptor

Decryption Tool 2

Use the following tool from Trend Micro, called Trend Micro Ransomware File Decryptor, which can decrypt .crypt, .cryp1 and .crypz files. Download it here:

Download Trend Micro Decryptor

There is no point in paying the ransom: there is no guarantee you will receive the key, and you will put your bank credentials at risk.

If you are infected with CryptXXX Ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to recover them manually, you can do the following:

Use Stellar Data Recovery Professional to restore .crypt, .cryp1 or .crypz files

  1. Download Stellar Data Recovery Professional.
  2. Click the Recover Data button.
  3. Select the type of files you want to restore and click the Next button.
  4. Choose the location you would like to restore files from and click the Scan button.
  5. Preview the found files, choose the ones you want to restore and click Recover.
Download Stellar Data Recovery Professional

Using Windows Previous Versions option:

  1. Right-click on the infected file and choose Properties.
  2. Select the Previous Versions tab.
  3. Choose the particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. In case there are no items in the list, choose an alternative method.

Using Shadow Explorer:

  1. Download the Shadow Explorer program.
  2. Run it and you will see a screen listing all the drives and the dates on which shadow copies were created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. In case there are no other dates in the list, choose an alternative method.

If you are using Dropbox:

  1. Log in to the Dropbox website and go to the folder that contains the encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect your computer from viruses like CryptXXX Ransomware in the future

1. Get special anti-ransomware software

Use ZoneAlarm Anti-Ransomware

The well-known antivirus vendor BitDefender has released a free tool that provides active anti-ransomware protection as an additional shield alongside your current protection. It will not conflict with larger security applications. If you are looking for a complete internet security solution, consider upgrading to the full version of BitDefender Internet Security 2018.

Download ZoneAlarm Anti-Ransomware

2. Back up your files

As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives or remote network storage, can be infected by the virus as soon as it is plugged in or connected. CryptXXX Ransomware uses several techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most favorable terms and a simple interface. You can read more about iDrive cloud backup and storage here.

3. Do not open spam e-mails and protect your mailbox

Malicious attachments in spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.

Download MailWasher Pro

10 COMMENTS

  1. Excellent, it worked for me and I was able to rescue the files on my server. You have to take a "sample", that is, a file encrypted by the virus and the untouched original; only one file is needed and the program does the rest, decrypting the whole disk.

  2. Thanks for the contribution. I also have a variant of the trojan; when will a more up-to-date version come out, so that I can decrypt my computer from this nefarious trojan?

  3. Hello: Let me tell you.
    All the files in my folders were made unusable by the encrypting virus:
    Trojan-Ransom.Win32.CryptXXX.

    The files, for example .docx, .PDF, .mp4, .gif, etc., were renamed with .crypt added. In other words, they ended up like this: .docx.crypt; .pdf.crypt; .mp4.crypt; .gif.crypt; etc.

    To decrypt them all, I did the following:
    1. I downloaded the "Kaspersky Ransomware Decryptor" by clicking the green download button.
    2. I click the "Start Scan" button so that it proceeds to scan my whole computer.
    3. To start, it asks me to open any one of these encrypted files. So I look in any of the folders for any one of the encrypted files, select it and click Open.

    The decryptor proceeds to scan the whole computer looking for the selected file,
    finds it and decrypts it, and then does the same with all the files in all the folders until it finishes.

    4. I go back and open each of the folders and find all the files in them already decrypted;
    but the encrypted ones are still there too, and I start deleting those manually.

    Regards. I am at: jctmatus@hotmail.com

    • My encrypted files have that same extension. I have followed that procedure several times and it does not work, nor do some others (Panda, etc.). I get the message "The decryption of files encrypted by this variant of Trojan-Ransom.Win32.CryptXXX is not supported." I have written to Kaspersky and they have not replied. All I have left is to pay... Any ideas?

      • Hello, I have the same thing too; it tells me the version is not supported... I have Trojan-Ransom Win32 CryptXXX v3... thank you for your help

    • Hi friend, this program did not work for me because it is version 3; it finds the files but does not decrypt them. How can I open my files?

  4. Hello, all my photos and documents were encrypted, and this software is no use to me, since it asks me for the original data... I tried using an image from the Sample Pictures folder, but that does not work either... What can I do? I need the photos, they are family memories

  5. Hi,

    How do I decrypt files that have been affected by the RSA 4096 if I don't have the original file? I tried using the Kaspersky software but it asks for the original file.

    Please help, as I need to decrypt some jpeg files
