What is CryptXXX Ransomware
Update: Since this article first appeared there were multiple releases of new versions of CryptXXX Ransomware (UltraCrypter, CryptMIC). There also were several editions of initial virus (CryptXXX V2, V3, V4, V5). New extensions are .crypt1, .crypz or 5 random hexadecimal characters. New versions of CryptXXX can be decrypted using Trend Micro Anti-Ransomware.
CryptXXX is ransomware crypto-virus. It encrypts user personal data with AES CBC 256-bit algorithm and asks for RSA-4096 key. Actually, CryptXXX Ransomware also steals bitcoins stored on the computer if there are any. Virus modifies names and extension of all encrypted files to .crypt, .cryp1 or .crypz, changes desktop wallpaper using de_crypt_readme.bmp (image with black background and white text), creates text file with instructions to pay the ransom (de_crypt_readme.txt), and html file with the same instructions (de_crypt_readme.html). Ransom is about 1.2 BitCoins or $400. CryptXXX Ransomware attacks data on local drives and attached storage devices. Ransomware makes a delay between the moment of infection and the start of encryption, which makes it more difficult to detect. Thanks to specialists from Kaspersky it is rather easy to remove CryptXXX Ransomware virus and decrypt .crypt, .cryp1 or .crypz files. In this article we will explain how.
Here is the content of ransom note:
NOT YOUR LANGUAGE? USE https://translate.qooqle.com
What happened to your files?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: https://en.wikipedia.org/wiki/RSA_(crvptosvstem)
How did this happen?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment
Your personal id D78*****E87
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: xxxxs://torproject.org/projects/torbrowser.html.en
2. Video instruction: xxxxs://www.youtube.com/watch?v=NQrUZdsw2hA
3. After a successful installation, run the browser
4. Type in the address bar: http://rp4roxeuhcf2vgft.omon
5. Follow the instructions on the site.
How CryptXXX Ransomware infected your PC
CryptXXX Ransomware attack computers running Windows 10, Windows 8, Windows 7 operating systems. It spreads through spam e-mails with malicious attachments or malicious links. CryptXXX Ransomware can also infect your computer with torrent downloads and game keygens and cracks. After download, it copies main file to %AppData% folder and starts encryption process. These are the file types affected by CryptXXX Ransomware:
.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
Download Removal Tool
To remove CryptXXX Ransomware completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders and registry keys of CryptXXX Ransomware and prevents future infections by similar viruses.
Alternative Removal Tool
To remove CryptXXX Ransomware completely, we recommend you to use SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders and registry keys of CryptXXX Ransomware. The trial version of SpyHunter 5 offers virus scan and 1-time removal for FREE.
How to remove CryptXXX Ransomware manually
It is not recommended to remove CryptXXX Ransomware manually, for safer solution use Removal Tools instead.
CryptXXX Ransomware files:
CryptXXX Ransomware registry keys:
HKCU\Control Panel\Desktop\Wallpaper "%UserProfile%\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg"
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource "C:\PROGRA~3\[victim_id].bmp"
How to decrypt and restore .crypt, .cryp1 or .crypz files
Use automated decryptors
Decryption Tool 1
Ransomware decryptor from Kaspersky may be useful in this case. It is free and easy to use. Download Kaspersky Ransomware Decryptor here:
Decryption Tool 2
Use following tool from Trend Micro called Trend Micro Ransomware File Decryptor, that can decrypt .crypt, .cryp1, .crypz files. Download it here:
There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.
If you are infected with CryptXXX Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:
Use Stellar Data Recovery Professional to restore .crypt, .cryp1 or .crypz files
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select type of files you want to restore and click Next button.
- Choose location where you would like to restore files from and click Scan button.
- Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there is no items in the list choose alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
- Login to the DropBox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses, like CryptXXX Ransomware, in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.
2. Back up your files
As an additional way to save your files, we recommend online backup. Local storages, such as hard drives, SSDs, flash drives or remote network storages can be instantly infected by the virus once plugged in or connected to. CryptXXX Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications, and provides very high level of anti-spam protection.