Cradle Ransomware - How To Remove?


Cradle crypto-virus is the latest addition to the vicious group of ransomware viruses. These infections render users' files inaccessible, so that valuable data can no longer be used for even the most routine tasks. Instead, the files are marked with the .cradle extension and become the highest cards in the ransomware game. Clearly, the hackers hold the advantage, as they are the ones making demands and setting the rules. Cradle virus waits for an opportunity to encrypt files, and the AES algorithm is what makes this encryption possible. Victims are given only a limited amount of time to make the payment. In the case of Cradle virus, the demand is not set very high: 0.25 BTC, which translates into 290.40 US dollars. This fee is quite small, but sending it to hackers is still unfortunate enough.

Aspects of Cradle ransomware

However desperate Cradle virus and the damage it managed to inflict on you may make you feel, we are not suggesting that paying the 0.25 BTC is the best decision. Actually, it is probably the worst option. The first period for making the bitcoin transaction is presumably one week, during which it will cost victims 0.25 BTC. However, the second stage begins once 7 days have passed, and the price is doubled: instead of the original sum, the hackers raise the ransom to 0.50 BTC, which, according to the most recent rates, equals 580 US dollars. The final stage is reached after 14 days: then the hackers delete the private decryption key, which means they will no longer offer any assistance with file decryption.

We did not find this version to be related to any other variants we have analyzed. Cradle crypto-virus might be an original creation, or it might have been introduced by a newly formed group of hackers. Pn6fsogszhqlxz4n.onion is the website that belongs to the hackers and presents their demands. The website is opened when _HOW_TO_UNLOCK_FILES.html is launched. We have covered almost all of the information in the note, possibly leaving out only the threats it makes. Naturally, the authors of Cradle virus try to frighten people out of restoring files manually, without their help. Therefore, the note threatens that such attempts are guaranteed to end in the loss of all data.

The TOR website also contains recommendations about the domains from which bitcoins should be bought. After victims pay the demanded fee, they are told to download the software from the highlighted link: Only software from this site can unlock your files! The link presumably leads to another TOR page that offers the decryption software for download. If you have sent the payment, the site should automatically register it and make file recovery possible. Confirmation of your transaction should take approximately 1 hour or, in the worst case, never arrive. It would not be the first time that hackers showed no respect and abandoned their victims.

Can alternative methods of file decryption be successful?

A guaranteed cure for the encrypted data has not yet been released. However, we have very little faith that the authors of Cradle will keep their promise of decrypting files. Even though the initial fee for decryption is not very steep, we would still advise people to keep the money and spend it on more beneficial purposes, for instance on highly efficient anti-malware tools that will have no trouble detecting malware. While such programs protect your system, take some security measures yourself: store valuable information in multiple locations so that you have a backup in case one of the copies becomes corrupted or unavailable.

Possible sources for Cradle ransomware

Cradle crypto-virus can be found lurking and waiting for victims in a number of places. One of them is email: inboxes can receive messages featuring attachments that are malicious executables. Avoid downloading files from messages that reach you from unfamiliar sources. In addition, ransomware infections can lurk in vulnerable websites that have been modified to serve harmful content.

Spyhunter, Plumbytes and Hitman go after malware and show no mercy: infections will be detected and removed. Before trying to decrypt files, you should first take care of the ransomware infection itself. If it is still present during your attempts to decrypt data, the virus will interfere with the process. Read the further explanations of file decryption below to find out more.

How to recover Cradle ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before Cradle virus infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Cradle ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage and remove all malicious files related to Cradle virus. You can check other tools here.


Step 3. Restore Cradle ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Cradle virus usually tries to delete all available Shadow Volume Copies, so this method may not work on all computers; however, it may fail to do so, in which case the snapshots are still there.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
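The two GUI routes above can also be scripted, which is useful when many files need recovering or when you first want to check whether any snapshots survived the virus's attempt to delete them. The following is an added example and is not part of the original article or of any tool mentioned in it. It uses the built-in Win32_ShadowCopy class and cmd.exe's mklink, and everything else (the file path, the restore directory, the infection date, the mount point name) is an assumption you must adjust. Run it from an elevated PowerShell prompt on a machine that has already been cleaned in Step 2.

```powershell
# Added example, not part of the original article: script the Shadow Volume
# Copies route from Step 3 instead of using the GUI. All paths and the
# infection date below are assumptions; change them for the affected system.

$EncryptedFile = 'C:\Users\Alice\Documents\report.docx'   # assumed original path (now report.docx.cradle)
$RestoreDir    = 'C:\Recovered'                           # assumed destination for recovered copies
$InfectionDate = Get-Date '2017-04-01'                    # assumed date the .cradle files appeared
$MountPoint    = 'C:\ShadowMount'                         # temporary link that exposes the snapshot

# 1. Enumerate the shadow copies the ransomware failed to delete, oldest first.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
if (-not $shadows) {
    Write-Warning 'No Volume Shadow Copies exist; fall back to Step 4 (data recovery software).'
    return
}
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

# 2. Use the newest snapshot taken before the infection, so the file inside it is unencrypted.
$snap = $shadows | Where-Object { $_.InstallDate -lt $InfectionDate } | Select-Object -Last 1
if (-not $snap) {
    Write-Warning 'Every snapshot post-dates the infection; the files in them are already encrypted.'
    return
}

# 3. Expose the snapshot as a directory. The \\?\GLOBALROOT device path needs the
#    trailing backslash, and mklink (cmd.exe) accepts it where Copy-Item does not.
cmd.exe /c mklink /d "$MountPoint" "$($snap.DeviceObject)\" | Out-Null

try {
    # 4. Copy the pre-infection version of the file out of the snapshot. The snapshot
    #    predates the renaming, so the file is looked up under its original name.
    $relative = $EncryptedFile.Substring(3)                 # drop the 'C:\' prefix
    $source   = Join-Path $MountPoint $relative
    if (-not (Test-Path -LiteralPath $source)) {
        Write-Warning "No copy of $relative in snapshot $($snap.ID)."
        return
    }
    New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
    Copy-Item -LiteralPath $source -Destination $RestoreDir
    Write-Host "Recovered $(Split-Path $EncryptedFile -Leaf) from the snapshot taken $($snap.InstallDate)."
}
finally {
    # 5. Remove only the link; rmdir on a directory symlink leaves the snapshot itself untouched.
    cmd.exe /c rmdir "$MountPoint" | Out-Null
}
```

To recover a whole folder rather than one file, point $EncryptedFile at the folder and add -Recurse to the Copy-Item call. If step 1 prints nothing at all, the virus succeeded in wiping the snapshots and the data recovery route in Step 4 is the remaining option.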

Step 4. Use Data Recovery programs to recover Cradle ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.


About the author

 - Main Editor
I started 2-viruses.com in 2007 after wanting to be more or less independent from a single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.
 
April 4, 2017 06:48