CrazyCrypt Ransomware - How to remove

CrazyCrypt is a ransomware-type infection that can cause critical damage to your computer and completely paralyze all personal files stored on the hard drive. Since it is ransomware, it will look for ways to sneak into your computer, execute malicious code and then apply specific encryption to change the structure of all personal files stored on the system. After that, you will be asked to pay a ransom in order to receive a unique decryption key that could be used to restore the locked files.

There are actually 4 different versions of the CrazyCrypt virus, all of them released in the span of a week. First came the original CrazyCrypt ransomware; soon after that, a sample of CrazyCrypt 2.1 was discovered, followed by CrazyCrypt 3.19. Right now, we are looking at the most up-to-date version of this virus – CrazyCrypt 4.1. All those versions are really similar to each other, so the methods to undo the damage caused by the infection and eliminate the threat from your computer can be applied regardless of the CrazyCrypt version you are dealing with.

In this article, we are going to speak about different ways that can be used to recover files that were encrypted by CrazyCrypt, as well as specific instructions on how to eliminate the malware itself. If you have any further questions regarding this topic, don’t hesitate to ask them in the comments section below.

Dangers of CrazyCrypt Virus

It seems that all 4 versions of the CrazyCrypt virus are being distributed from Brazil. The fact that their decryption website at www.decryptionsales.online communicates in Portuguese backs this up. However, that doesn’t mean that users from other countries can’t be affected. In fact, sources say that users from the United States are the primary target of CrazyCrypt.

Once inside, CrazyCrypt will start scanning your hard drive for files that can be encrypted. Unfortunately, it is capable of encrypting most of the file types commonly used on a daily basis, such as photos, videos, text files and so on. After the scan is over, the virus will employ the AES-256 encryption algorithm and change the structure of your files. When this is done, you won’t be able to open them anymore.

Immediately after that, a pop-up window will open on your desktop. It contains a ransom note that reads as follows:

All your files have been encrypted due to a security problem with your PC.
lf you want to restore them, Write us to the e-mail:
[email protected]
Write this ID in the tile of your message:

You have to pay for decryption in Bitcoins.
The price depends on how fast you write to us.
After payment we will send you the decryption key
that will decrypt all your files.

Free decryption as guarantee.
Before paying you can send us up to 1 file for free decryption.

Do not rename encrypted files.
Do not try to decrypt your data using third party software,
it may cause permanent data loss
Decryption of your files with the help of third parties may cause increased,
price (they add their fee to our) or you can become a victim of a scam.

Enter Decryption Key Here:

Crazy Crypt official website: www.decryptionsales.online

The crooks behind the CrazyCrypt infection are really good at social engineering. They don’t disclose how much you will have to pay, but they state that the amount of the ransom depends on how fast you reach out to them, which encourages you to pay quickly. They want you to contact them via crypto email at [email protected] – you can attach up to one encrypted file that they will decrypt for free. That’s another social engineering trick.

The decryption process is described like this: you, as a victim, contact them via email, and they send you guidelines on how to pay the ransom (it has to be done in Bitcoins). After the payment is completed, they should provide you with a unique decryption key. You should then be able to submit the key into the input field that should appear when the “Enter Decryption Key Here” button is clicked and retrieve your files.

However, we often emphasize that cyber criminals shouldn’t be trusted – there is no guarantee that your files will be decrypted even after paying the ransom. This case is no exception – the “Enter Decryption Key Here” button is not working, so we highly doubt that anything would change after paying the ransom. Instead, you should apply alternative methods to recover your files and avoid supporting cyber criminals with your money.

How CrazyCrypt Infected Your Computer and How to Avoid It

Various methods are used to distribute malware. We have examined ransomware viruses similar to this one – Borontok, JCry, Frendi – and they are all distributed in a similar manner.

You are most likely to get infected with such a virus by opening an email from a spam folder. Cyber criminals craft letters that pretend to be something really important and attach “documents” to them. In reality, those documents are files that are needed to execute the virus on the computer, so all it takes to get infected is to open such an attachment. Modern email service providers have strong filters and are pretty good at telling what’s good and what’s bad, so you should not even try opening something from the spam category; that’s the best prevention against malware.

You can also get infected by simply clicking on a misleading advertisement online or visiting an infected website. For that reason, it is recommended to stay away from websites with questionable content.

Lastly, it would be best if the safety of your computer and personal files was ensured by a professional anti-malware tool. In case you don’t have anti-malware software installed yet, please take a look at our AM reviews and maybe you will find something for yourself.

How to Restore Files and Remove CrazyCrypt

Restoring your files while the virus is still on your computer is worthless. If you successfully restore encrypted files, the virus can be activated again and encrypt them once more. For that reason, the first thing you need to do is get rid of CrazyCrypt itself. That can be a challenging thing to do manually, so you can just scan your system with Spyhunter. Either one of those tools should be able to immediately detect and completely eliminate CrazyCrypt. Also, keep one of those programs installed to ensure the safety of your computer.

After that, it’s recommended to perform a system restore. This will return your computer to a previous state. However, you have to have a backup copy of your hard drive to be able to do that. The problem is that more advanced ransomware viruses are sometimes capable of damaging or even deleting backup files. In that case, please proceed to the instructions provided below.


How to recover CrazyCrypt Ransomware encrypted files and remove the virus

Step 1. Restore the system to its last known good state using System Restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points from before CrazyCrypt Ransomware infiltrated your system and then click “Next”.
  • To start the system restore, click “Yes”.

Step 2. Complete removal of CrazyCrypt Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to CrazyCrypt Ransomware. You can check other tools here.  

Step 3. Restore CrazyCrypt Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually CrazyCrypt Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
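Before trying either method, you can check whether any shadow copies survived and which of them predate the infection. The script below is an added example, not part of the original guide; it assumes PowerShell 3.0 or later run from an elevated prompt, and `$InfectionTime` is a placeholder you set yourself.

```powershell
# Added example: list surviving Volume Shadow Copy snapshots and mark the
# ones created before the files were encrypted. Run from an elevated prompt.

# Assumption: placeholder value; set it to roughly when encryption started.
$InfectionTime = (Get-Date).AddDays(-1)

# Win32_ShadowCopy identifies its volume by GUID path, so build a lookup
# from GUID path to drive letter using Win32_Volume.
$driveByVolume = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    $driveByVolume[$_.DeviceID] = $_.DriveLetter
}

# Force an array so .Count is reliable even with zero or one snapshot.
$snapshots = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)

if ($snapshots.Count -eq 0) {
    Write-Output 'No shadow copies exist on this machine; this method will not work here.'
}
else {
    $report = @(foreach ($s in $snapshots) {
        [pscustomobject]@{
            Drive        = $driveByVolume[$s.VolumeName]   # empty if the volume has no letter
            Created      = $s.InstallDate
            PreInfection = $s.InstallDate -lt $InfectionTime
            ShadowId     = $s.ID
        }
    })

    $report | Format-Table -AutoSize

    $usable = @($report | Where-Object { $_.PreInfection })
    Write-Output ('{0} of {1} snapshot(s) were created before {2}.' -f `
        $usable.Count, $report.Count, $InfectionTime)
}
```

Snapshots marked PreInfection are the ones worth opening through Previous Versions or Shadow Explorer; if none are listed, move on to Step 4.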

Step 4. Use Data Recovery programs to recover CrazyCrypt Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
