Cry Ransomware - How To Remove?

Type: Ransomware
Other names: Cry virus

If you do not want to end up in tears because you have permanently lost all of your files, you should educate yourself about crypto-ransomware and about the methods that stop these infections from taking root. Prevention is better than cure, and we suggest users keep this saying in mind. Cry virus is another member of the family called "ransomware". This variant is designed by the book and could be used to depict a typical ransomware infection accurately. Once it has found its way onto a device, Cry virus does all in its power to remain undetected until the encryption process is complete. Remember that the encoding is always performed with strong algorithms, which makes decryption a complex matter. That is why it is always better to keep yourself immune to this type of virus. Even if you do send the required amount of bitcoins for the decryption key, security reports suggest that victims are frequently tricked: they receive keys that cannot actually decrypt their files, or the crooks disappear after receiving the fee.

About Cry Ransomware

Cry virus is not a completely dead-on example of a ransomware infection, but it follows a very common routine. After the payload of this virus gets secretly installed on a device, this small executable manages to cause disruption without being detected in time. It sends various information about the user to the Command & Control server over UDP (this is regarded as a signal to the crooks that a new computer has been infected). The information about victims can be uploaded to two domains, and the virus can even determine the location of the infected user. Also, Windows Registry keys get modified so that Cry virus is launched together with the user's other applications. Every time you reboot your device, the payload gets another chance to begin the encryption process. Before that, it runs a scavenger hunt to find data suitable for encoding. Cry virus targets the most popular document types and can corrupt all of your valuable files.

Once the encryption process is complete, Cry virus is ready to unveil its existence. In fact, this ransomware goes to great lengths to make infected victims treat the infection seriously. First of all, it adds a .cry extension to every single encoded file. This short suffix marks a piece of data as affected by a strong algorithm (RSA-4096). If users try to open such files, they will only be disappointed to find that they cannot. Cry ransomware also reveals its presence by creating a new folder called "old_shortcuts" and moving the encrypted data into it. However, the creators seem worried that you might not notice their efforts, so they drop two additional files on your desktop: a .txt file and an .html file that leads to an unknown webpage (both named "!Recovery_[6 random characters]"). There is one peculiar feature of Cry virus: it pretends to originate from the "Central Security Treatment Organization". No such organization exists, and the fancy name should not fool you into paying the demanded sum of 625 dollars (1.1 Bitcoin). Cry virus has also been observed deleting all of the Shadow Volume Copies.
The content of the ransom note (shown after users log in to the provided webpage):

“Central Security Treatment Organization
Department of pre-trial settlement

Warning! Your files are encrypted!
Your documents, databases, project files, audio and video content and other critical files have been encrypted with a persistent military-grade crypto algorithm!!! To restore the access to your files you need to pay commission for the decryption in amount of $625
Only after the commission is paid in full you will be provided with the special software for the encrypted data recovery.
In the case of non-payment of the full commission within 4d 4h, the amount of commission will be raised to $1250

Attention required
Do not take any actions to decrypt your files on your own! This is absolutely impossible and can lead to the encrypted data corruption and, therefore, it can not be recovered in the future! In case of the repeated non-payment of the increased commission during the 4d 4h period, the unique decryption code for your files will be blocked and its recovery will be absolutely impossible!”
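The indicators described above (files renamed with a .cry extension, an "old_shortcuts" folder, and a pair of "!Recovery_[6 random characters]" notes in .txt and .html form) are enough to write a quick triage scan of a suspect machine. The script below is an added example and is not code from the original article or from the malware; the folder layout it scans is a constructed sample, and the assumption that the six random characters are ASCII letters or digits is ours, since the page does not say what character set is used.

```python
"""Triage scan for the Cry ransomware indicators named in the article.

Added example, not from the original page. Indicators taken from the text:
.cry file extension, an old_shortcuts folder, and !Recovery_<6 chars>.txt/.html
notes. Assumption (not on the page): the six characters are ASCII letters/digits.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# "!Recovery_" + six random characters + .txt or .html, per the article.
RANSOM_NOTE_RE = re.compile(r"^!Recovery_([A-Za-z0-9]{6})\.(txt|html)$", re.IGNORECASE)
ENCRYPTED_EXT = ".cry"
DROP_FOLDER = "old_shortcuts"


@dataclass
class TriageReport:
    encrypted_files: list = field(default_factory=list)
    drop_folders: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    victim_ids: set = field(default_factory=set)

    @property
    def infected(self) -> bool:
        # Any single indicator is enough to warrant a closer look.
        return bool(self.encrypted_files or self.drop_folders or self.ransom_notes)


def scan_tree(root: str) -> TriageReport:
    """Walk `root` and collect every Cry indicator found below it."""
    report = TriageReport()
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() == DROP_FOLDER:
                report.drop_folders.append(os.path.join(dirpath, d))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                report.encrypted_files.append(full)
            m = RANSOM_NOTE_RE.match(name)
            if m:
                report.ransom_notes.append(full)
                # The same 6-character ID should appear on both note files.
                report.victim_ids.add(m.group(1))
    return report


def build_sample_tree() -> str:
    """Constructed sample of a victim's profile folder (not real data)."""
    root = tempfile.mkdtemp(prefix="cry_sample_")
    desktop = Path(root, "Desktop")
    dropped = Path(root, "Documents", DROP_FOLDER)
    desktop.mkdir(parents=True)
    dropped.mkdir(parents=True)
    for name in ("!Recovery_a1B2c3.txt", "!Recovery_a1B2c3.html", "todo.txt"):
        (desktop / name).touch()
    for name in ("budget.xlsx.cry", "thesis.docx.cry", "notes.txt"):
        (dropped / name).touch()
    return root


def build_clean_tree() -> str:
    """An empty directory, used as the no-infection control case."""
    return tempfile.mkdtemp(prefix="clean_sample_")


if __name__ == "__main__":
    rep = scan_tree(build_sample_tree())
    print(f"infected={rep.infected} encrypted={len(rep.encrypted_files)} "
          f"notes={len(rep.ransom_notes)} ids={sorted(rep.victim_ids)}")
```

Run it against a user profile (or a mounted image of the disk) rather than the whole drive first; the .cry count tells you how far encryption got, and the recovered victim ID is what you would hand to an analyst together with the note files.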

How to Decrypt Files Encrypted by Cry Ransomware?

Ransomware viruses have been around for years, but the decryption of encrypted files still remains a delicate matter. Usually, IT specialists have to analyze a new variant properly before they are able to produce free decryption tools. So we suggest you wait for them to crack Cry virus and give you the opportunity to save 625 dollars. As a matter of fact, the crooks threaten to raise this amount to 1250 dollars if you do not purchase the decryption software within about 100 hours. For the future, always make copies of your files and store them on USB flash drives or in backup storage. These facilities hold your data and you can retrieve files from them at any time. Since Cry virus offers to decrypt one encrypted file, take advantage of this possibility: having both the original and the encrypted version of the same file may ease the IT specialists' task of decryption. Keep the encrypted files and the ransom notes even after the virus is removed, because any future decryptor will need them.
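A matched pair of files (the original and its .cry counterpart) is useful even before a decryptor exists, because it shows how the ransomware actually transformed the data: whether the whole file was encrypted or only part of it (ciphertext is near-random, so its byte entropy approaches 8 bits per byte, while the header of a partially encrypted file still matches the original), and how many bytes were appended (often an encrypted per-file key or a victim ID that a decryptor will need). The script below is an added example, not code from the article; the sample pair it analyses is constructed with a hash-based keystream and a fake appended key blob, and is not real Cry output.

```python
"""Compare an original file with its encrypted twin before handing both to analysts.

Added example, not from the original page. The sample pair is constructed: a
low-entropy text file and a pseudo-ciphertext built from a SHA-256 keystream
plus a 512-byte fake key blob standing in for whatever the ransomware appends.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compare_pair(plain: bytes, enc: bytes, window: int = 1024) -> dict:
    """Summarize how `enc` relates to `plain` (lengths, entropy, surviving header)."""
    prefix = 0
    for a, b in zip(plain, enc):
        if a != b:
            break
        prefix += 1
    return {
        "plain_len": len(plain),
        "enc_len": len(enc),
        # Positive: data appended (key blob, ID, marker); negative: truncated.
        "appended_bytes": len(enc) - len(plain),
        "plain_entropy": round(shannon_entropy(plain), 2),
        "enc_entropy": round(shannon_entropy(enc), 2),
        # Bytes at the start that are unchanged; > 0 hints at partial encryption.
        "unchanged_prefix": prefix,
        # Whether the first `window` bytes look like ciphertext at all.
        "header_encrypted": shannon_entropy(enc[:window]) > 7.0,
    }


def _keystream(n: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode) for the sample."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_pair() -> tuple:
    """Constructed (plaintext, ciphertext) pair; not captured from a real infection."""
    plain = b"Quarterly budget 2016\n" * 200          # 4400 bytes of repetitive text
    ks = _keystream(len(plain), b"constructed-sample")
    # Replace a zero keystream byte with 1 so every byte is guaranteed to change.
    body = bytes(p ^ (k or 1) for p, k in zip(plain, ks))
    trailer = _keystream(512, b"fake-appended-key-blob")
    return plain, body + trailer


if __name__ == "__main__":
    original, encrypted = build_sample_pair()
    for key, value in compare_pair(original, encrypted).items():
        print(f"{key:>18}: {value}")
```

Run `compare_pair` on real files read with `open(path, "rb")`. A large unchanged prefix or a low entropy in the body means the sample was only partially encrypted, and parts of it may be salvageable without any key; a constant `appended_bytes` across several pairs is the size of the per-file metadata the analysts will want to look at first.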

How is Cry Ransomware Distributed?

Cry ransomware can be distributed using the most common techniques for spreading sneaky payloads. You may spot a bizarre letter in your email inbox and assume that it is harmless. In reality, by opening it and downloading the attachment inside, you might be welcoming a ransomware virus into your computer system. Furthermore, Cry ransomware can be implanted if you click on random pop-ups or advertisements, or visit webpages with pornographic, gambling or other questionable content.

Abandon all doubts and remove Cry virus from your device with tools that have helped users revive their systems after a ransomware attack. Reimage, Spyhunter or Hitman are recognized as suitable for this undertaking. Note that removing the infection stops further damage but does not decrypt files that are already encrypted. More information about decryption and manual removal can be found below.

How to recover Cry ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

For Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

For Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings (System Restore returns Windows system files and the registry to an earlier point; it does not bring back your encrypted documents).

  • When the Command Prompt loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click "Next" in the window that appears.
  • Select one of the Restore Points available from before Cry ransomware infiltrated your system and then click "Next".
  • To start System Restore, click "Yes".

Step 2. Complete removal of Cry virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage, and remove all malicious files related to Cry ransomware. You can check other tools here.

Step 3. Restore Cry ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is still a chance to use shadow copy snapshots. They store copies of your files as of the point in time when the system restore snapshot was created. Usually, Cry virus tries to delete all Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so, so it is worth checking before moving on.

Shadow Volume Copies are available with Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8. There are two ways to retrieve your files via a Shadow Volume Copy: using the native Windows Previous Versions feature, or via Shadow Explorer.
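Whether any snapshots survived Cry's deletion attempt can be checked from an elevated command prompt with `vssadmin list shadows`, which prints one block per snapshot or the line "No items found that satisfy the query." when there are none. The script below is an added example, not code from the article: it parses that output into the snapshot device paths that Shadow Explorer works from, and runs vssadmin itself only on Windows. The two sample outputs are constructed to mirror vssadmin's format and were not captured from an infected machine; the set IDs, volume GUIDs and host name in them are made up.

```python
"""Check whether Shadow Volume Copies survived, by parsing `vssadmin list shadows`.

Added example, not from the original page. SAMPLE_WITH_COPIES and
SAMPLE_AFTER_DELETION are constructed in vssadmin's output format; the GUIDs,
machine name and timestamp in them are invented, not captured from a victim.
"""
import platform
import re
import subprocess

CREATED_RE = re.compile(r"creation time:\s*(.+)$")
SHADOW_ID_RE = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})")
ORIG_VOL_RE = re.compile(r"Original Volume:\s*\((\w:)\)")
SHADOW_VOL_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_vssadmin(output: str) -> list:
    """Return one dict per snapshot: id, original drive letter, device path, creation time."""
    snapshots = []
    created = None
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = CREATED_RE.search(line)
        if m:                       # header of a shadow copy set; applies to the IDs below it
            created = m.group(1).strip()
            continue
        m = SHADOW_ID_RE.search(line)
        if m:                       # start of one snapshot record
            current = {"id": m.group(1), "created": created, "drive": None, "device": None}
            snapshots.append(current)
            continue
        if current is None:
            continue
        m = ORIG_VOL_RE.search(line)
        if m:
            current["drive"] = m.group(1)
            continue
        m = SHADOW_VOL_RE.search(line)
        if m:
            current["device"] = m.group(1)
    return snapshots


def shadow_copies_survived(output: str) -> bool:
    """True if at least one snapshot is listed; the ransomware did not wipe them all."""
    return len(parse_vssadmin(output)) > 0


def live_shadow_copies() -> list:
    """Run vssadmin (needs an elevated prompt) on Windows; returns [] on other systems."""
    if platform.system() != "Windows":
        return []
    proc = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True)
    return parse_vssadmin(proc.stdout)


SAMPLE_WITH_COPIES = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 9/1/2016 8:15:02 AM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: victim-pc
         Service Machine: victim-pc
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

SAMPLE_AFTER_DELETION = """vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""

if __name__ == "__main__":
    for snap in parse_vssadmin(SAMPLE_WITH_COPIES):
        print(f"{snap['drive']} snapshot from {snap['created']} at {snap['device']}")
    print("survived:", shadow_copies_survived(SAMPLE_AFTER_DELETION))
```

If a device path is listed, you do not even need Shadow Explorer: from an elevated prompt, `mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\` (the trailing backslash is required) exposes that snapshot as a read-only folder you can copy files out of.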

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. You will now see all available copies of that particular file and the time at which each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

Shadow Explorer is a program that can be found online for free. You can download either a full or a portable version. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select "Export". Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Cry ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This works when the ransomware wrote a new encrypted copy and deleted the original, since the deleted original's disk sectors remain recoverable until they are overwritten. It does not work in all cases, but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. We therefore recommend using decent cloud backup software as a precaution; Carbonite, BackBlaze, CrashPlan or Mozy Home are worth checking out.


About the author

 - Main Editor

I started in 2007, after wanting to be more or less independent from a single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.

September 5, 2016 03:25, January 3, 2017 06:01
