What is CryptXXX Ransomware

Update: Since this article first appeared there were multiple releases of new versions of CryptXXX Ransomware (UltraCrypter, CryptMIC). There also were several editions of initial virus (CryptXXX V2, V3, V4, V5). New extensions are .crypt1, .crypz or 5 random hexadecimal characters. New versions of CryptXXX can be decrypted using Trend Micro Anti-Ransomware.

CryptXXX is ransomware crypto-virus. It encrypts user personal data with AES CBC 256-bit algorithm and asks for RSA-4096 key. Actually, CryptXXX Ransomware also steals bitcoins stored on the computer if there are any. Virus modifies names and extension of all encrypted files to .crypt, .cryp1 or .crypz, changes desktop wallpaper using de_crypt_readme.bmp (image with black background and white text), creates text file with instructions to pay the ransom (de_crypt_readme.txt), and html file with the same instructions (de_crypt_readme.html). Ransom is about 1.2 BitCoins or $400. CryptXXX Ransomware attacks data on local drives and attached storage devices. Ransomware makes a delay between the moment of infection and the start of encryption, which makes it more difficult to detect. Thanks to specialists from Kaspersky it is rather easy to remove CryptXXX Ransomware virus and decrypt .crypt, .cryp1 or .crypz files. In this article we will explain how.

CryptXXX Ransomware
CryptXXX decryption website

Here is the content of ransom note:

NOT YOUR LANGUAGE? USE https://translate.qooqle.com
What happened to your files?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: https://en.wikipedia.org/wiki/RSA_(crvptosvstem)
How did this happen?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment
Your personal id D78*****E87
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. xxxx://rp4roxeuhcf2vgft.onion.to
2. xxxx://rp4roxeuhcf2vgft.onion.cab
3. xxxx://rp4roxeuhcf2vgft.onion.city
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: xxxxs://torproject.org/projects/torbrowser.html.en
2. Video instruction: xxxxs://www.youtube.com/watch?v=NQrUZdsw2hA
3. After a successful installation, run the browser
4. Type in the address bar: http://rp4roxeuhcf2vgft.omon
5. Follow the instructions on the site.

How CryptXXX Ransomware infected your PC

CryptXXX Ransomware attack computers running Windows 10, Windows 8, Windows 7 operating systems. It spreads through spam e-mails with malicious attachments or malicious links. CryptXXX Ransomware can also infect your computer with torrent downloads and game keygens and cracks. After download, it copies main file to %AppData% folder and starts encryption process. These are the file types affected by CryptXXX Ransomware:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Download CryptXXX Ransomware Removal Tool

Download Removal Tool

To remove CryptXXX Ransomware completely, we recommend you to use WiperSoft AntiSpyware from WiperSoft. It detects and removes all files, folders and registry keys of CryptXXX Ransomware.

Alternative remover

Download Malwarebytes Anti-Malware

As a good free alternative to remove CryptXXX Ransomware use Malwarebytes Anti-Malware. It will detect core files and processes of CryptXXX Ransomware and eliminate them to allow you start decryption of your files.

How to remove CryptXXX Ransomware manually

It is not recommended to remove CryptXXX Ransomware manually, for safer solution use Removal Tools instead.

CryptXXX Ransomware files:


C:\ProgramData\[victim_id].bmp,
C:\ProgramData\[victim_id].html
%AppData%\svchost.exe
%StartupFolder%\[victim_id].lnk
%StartupFolder%\[victim_id]B.lnk
%StartupFolder%\[victim_id]H.lnk
%UserProfile%\Desktop\!Recovery_[victim_id].bmp
%UserProfile%\Desktop\!Recovery_[victim_id].html
%UserProfile%\Desktop\!Recovery_[victim_id].txt
%Temp%\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll
%Temp%\{D075E5D0-4442-4108-850E-3AD2874B270C} \api-ms-win-system-provsvc-l1-1-0.dll
%Temp%\{D4A2C643-5399-4F4F-B9BF-ECB1A25644A6}\api-ms-win-system-wer-l1-1-0.dll
%Temp%\{FD68402A-8F8F-4B3D-9808-174323767296}\api-ms-win-system-advpack-l1-1-0.dll

CryptXXX Ransomware registry keys:


HKCU\Control Panel\Desktop\Wallpaper "%UserProfile%\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg"
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource "C:\PROGRA~3\[victim_id].bmp"

How to decrypt and restore .crypt, .cryp1 or .crypz files

Use automated decryptors

Decryption Tool 1

kaspersky rannoh decryptor

Ransomware decryptor from Kaspersky may be useful in this case. It is free and easy to use. Download Kaspersky Ransomware Decryptor here:

Download Kaspersky Ransomware Decryptor

Decryption Tool 2

trendmicro hakunamatata ransomware decryptor

Use following tool from Trend Micro called Trend Micro Ransomware File Decryptor, that can decrypt .crypt, .cryp1, .crypz files. Download it here:

Download TrendMicro Ransowmare File Decryptor

There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.

If you are infected with CryptXXX Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:

Use Stellar Phoenix Data Recovery Pro to restore .crypt, .cryp1 or .crypz files

  1. Download Stellar Phoenix Data Recovery Pro.
  2. Select location to scan for lost files and click Scan button.
  3. Wait until Quick and Deep scans finish.
  4. Preview found files and restore them.

Using Windows Previous Versions option:

  1. Right-click on infected file and choose Properties.
  2. Select Previous Versions tab.
  3. Choose particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. In case there is no items in the list choose alternative method.

Using Shadow Explorer:

  1. Download Shadow Explorer program.
  2. Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. In case there are no other dates in the list, choose alternative method.

If you are using Dropbox:

  1. Login to the DropBox website and go to the folder that contains encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect computer from viruses like CryptXXX Ransomware in future

1. Get special anti-ransomware software

Use Bitdefender Anti-Ransomware

bitdefender anti-ransomware

Famous antivirus vendor BitDefender released free tool, that will help you with active anti-ransomware protection, as additional shield to your current protection. It will not conflict with bigger security applications. If you are searching complete internet security solution consider upgrading to full version of BitDefender Internet Security 2018.

Download BitDefender Anti-Ransomware

2. Back up your files

onedrive backup

Regardless of success of protection against ransomware threats, you can save your files using simple online backup. Cloud services are quite fast and cheap nowadays. There is more sense using online backup, than creating physical drives, that can get infected and encrypted when connected to PC or get damaged from dropping or hitting. Windows 10 and 8/8.1 users can find pre-installed OneDrive backup solution from Microsoft. It is actually one of the best backup services on the market, and has reasonable pricing plans. Users of earlier versions can get acquainted with it here. Make sure to backup and sync most important files and folders in OneDrive.

3. Do not open spam e-mails and protect your mailbox

spamfighter

Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is SpamFighter. It works with various desktop applications, and provides very high level of anti-spam protection.

Download SPAMFighter 5/5 (2)

Please rate this