CryptoID ransomware - How to remove

CryptoID ransomware, also called Rickroll locker after the banner in its ransom note, is a cryptovirus that encrypts the victim's personal files, applies scareware-style pressure in its note, and demands payment in cryptocurrency. Luckily, there is a solution to this infection: as noticed by cyber professionals, this is not a new family but a variant of Aurora ransomware with a different extension and ransom note, and Aurora's encryption has already been broken. So whatever you do, don't pay the CryptoID ransomware developers; keep on reading this article.

Discovered on January 18th, 2019 by MalwareHunterTeam, the CryptoID virus did not impress malware experts with its behaviour, because it was exactly the same as the Aurora virus that came out in 2018. CryptoID also had a very high detection rate among antivirus engines, according to a VirusTotal.com scan, which means that the developers did little to improve obfuscation or anything else. However, let's not forget that this ransomware is still a very harmful threat that is not easy to deal with, so if you think that CryptoID ransomware is on your computer, this post will be very helpful.

What is CryptoID ransomware

CryptoID ransomware is the newest version of Aurora ransomware, which initially came out in May 2018 and has since had a few other samples with different extensions but the same encryption mechanism. CryptoID keeps the Aurora scheme that its own ransom note describes: file contents are encrypted with a random key, and that key is in turn encrypted with a 2048-bit RSA public key, so by design only the attackers' private key can unwrap it (in practice the Aurora implementation is weak enough that a free decryptor exists; see below). What changed is the marker string appended to affected files, '.cryptoid'. The renamed files, together with the note, are part of the scareware pressure: when users see every document carrying an unknown extension they are scared, worried or stressed, and tend to make irrational decisions such as paying.

Cryptoid ransomware ransom note

But before you ever see a CryptoID ransom note, the threat completes a lot of work silently. Once the victim runs the installer, the ransomware modifies registry keys and copies itself into user-profile directories (%AppData% Roaming and Local, %Temp%) so that it stays persistent across reboots. CryptoID also tries to stop your antivirus to ensure a smooth setup. At the same time it starts scanning for files to encrypt, which is basically all data on the drives except the system folders needed for Windows to work. Pictures, documents, videos and music are then encrypted, and the .cryptoid extension is appended to their names: 'firstpicture.jpg' becomes 'firstpicture.jpg.cryptoid'.

One of the last actions CryptoID ransomware performs before settling down is dropping a ransom note ('CRYPTOID_BLOCKED.txt', 'CRYPTOID_HELP.txt' or 'CRYPTOID_MESSAGE.txt') with the attackers' demands for getting the files back:

########> RICKROLL LOCKER <########
SORRY! Your files are encrypted.
File contents are encrypted with random key.
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any “decryption tools”.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here: [email protected]
===============
ATTENTION!
Attach file is 000000000.key from %appdata% to email message.
Without it we will not be able to decrypt your files
===============
And pay $400 on BTC-wallet Lex6qfkopz5wgbicrxpq4cALF S6yr8gLhx
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
########> RICKROLL LOCKER <########

In this CryptoID virus ransom note the crooks disclose their contact email, the amount they want ($400, roughly 0.12 BTC at the time) and the wallet it should be sent to, and instruct the victim to attach '000000000.key from %appdata%'. Keep that file (copy it somewhere safe), because a decryptor or an analyst may need it, but do not send it to the crooks. Before you rush to do anything for them, you should know that there is a way to unlock the affected files and save your wallet from being emptied; just continue reading this article.
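The indicators named in the two sections above (the '.cryptoid' extension, the three note file names, droppers called tree.exe or RICKROLL.exe in the profile folders, and 000000000.key in %AppData%) can be checked in one pass. The following PowerShell triage script is an added example, not code from the original article or from any vendor tool. The search root and the Run-key check are assumptions: the article says registry keys are modified but not which ones, and the Run keys are simply the usual autostart location. The script only reads from disk, because the key file and an encrypted sample may be needed for decryption attempts.

```powershell
# Added triage script for the CryptoID indicators described in the article.
# Not part of the original article. Run in an elevated Windows PowerShell
# prompt (PowerShell 4 or later, for Get-FileHash) on the suspect machine.
# It reads only: nothing is deleted or moved.

$ErrorActionPreference = 'SilentlyContinue'

# Assumption: scan the current user's profile; add data drives (e.g. 'D:\') as needed.
$SearchRoots  = @($env:USERPROFILE) | Where-Object { Test-Path -LiteralPath $_ }
$NoteNames    = @('CRYPTOID_BLOCKED.txt', 'CRYPTOID_HELP.txt', 'CRYPTOID_MESSAGE.txt')
$DropperNames = @('tree.exe', 'RICKROLL.exe')          # download names reported in the article
$KeyFile      = Join-Path $env:APPDATA '000000000.key' # named in the ransom note

$encrypted = @(); $notes = @(); $droppers = @()
foreach ($root in $SearchRoots) {
    foreach ($f in Get-ChildItem -LiteralPath $root -Recurse -File -Force) {
        if     ($f.Extension   -ieq '.cryptoid')   { $encrypted += $f }
        elseif ($NoteNames     -contains $f.Name)  { $notes     += $f }
        elseif ($DropperNames  -contains $f.Name)  { $droppers  += $f }
    }
}

# Assumption: persistence via the Run keys. List entries whose command line
# points into the profile folders the article names.
$RunKeys     = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
$SuspectDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
$autostarts  = foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSProvider metadata
        $cmd = [string]$p.Value
        if ($SuspectDirs | Where-Object { $cmd -like "*$_*" }) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
        }
    }
}

# The write times of the encrypted files bracket the encryption run; a restore
# point or shadow copy must predate the first one to be useful.
$first = $encrypted | Sort-Object LastWriteTime | Select-Object -First 1
$last  = $encrypted | Sort-Object LastWriteTime | Select-Object -Last 1

"Encrypted files (.cryptoid) : $($encrypted.Count)"
if ($first) {
    "Encryption window           : $($first.LastWriteTime) -> $($last.LastWriteTime)"
}
"Ransom notes                : $($notes.Count)"
foreach ($n in $notes) {
    "  $($n.FullName)  sha256=$((Get-FileHash -LiteralPath $n.FullName -Algorithm SHA256).Hash)"
}
"Possible droppers           : $($droppers.Count)"
foreach ($d in $droppers) {
    "  $($d.FullName)  sha256=$((Get-FileHash -LiteralPath $d.FullName -Algorithm SHA256).Hash)"
}
if (Test-Path -LiteralPath $KeyFile) {
    "Key file                    : present at $KeyFile (copy it to removable media before cleaning)"
} else {
    "Key file                    : not found at $KeyFile"
}
"Autostart entries pointing into profile folders:"
$autostarts | Format-Table -AutoSize
```

The hashes of the notes and droppers are what you would paste into a VirusTotal or ID Ransomware lookup; the encryption window tells you which restore point or shadow copy (Steps 1 and 3 below) is old enough to be clean.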

How does CryptoID ransomware spread

Ransomware, like any other threat, can have many distribution channels, including torrents, exposed or vulnerable Remote Desktop Protocol (RDP) services, drive-by downloads, trojan downloaders and malicious browser extensions. The CryptoID virus was mainly reported to be spreading through adult game websites, as a hyperlink that downloads a file named 'tree.exe' or 'RICKROLL.exe'. When the user runs this file, the CryptoID installation starts silently and is so fast that there is no realistic way to stop it by hand. This is why we suggest taking a look at the Ultimate security guide against ransomware.

Another proliferation method is socially engineered emails with malicious attachments. This technique is still very popular amongst ransomware operators because it is much easier to make the victim open a file carrying the CryptoID installer than to reach them by other means. Crooks obtain large lists of email addresses from breaches sold on the dark web, or simply harvest them from the internet, and send a short, intriguing message that appears to come from an important sender (police, a lawyer, a bank, a customer, an employer, a guest and so on). The message pushes the recipient to open the attached document (a Word file or a PDF linking to one; note that macros can only live in .doc or .docm files, never in a genuine .docx) and to turn on Macros "to see the full content". Enabling macros runs the VBA code that downloads and launches the virus. Because macros are a legitimate MS Office feature, a document is not flagged merely for containing one; many antivirus products only react once the macro's behaviour, downloading and running an executable, is observed. Macros should therefore stay disabled, and an unexpected "Enable Content" prompt is a red flag.

How to remove CryptoID virus and decrypt the files

Fortunately, since CryptoID ransomware is just a newer variant of the Aurora cryptovirus, whose encryption has already been broken, there is a decryptor that can unlock your files. But before trying to unlock anything, you must remove the virus, so that a still-running sample does not encrypt the recovered files again. The best way to make sure that Windows is CryptoID-free is to scan the computer with a malware removal program such as Spyhunter or Malwarebytes and remove the files it flags. Do not delete the ransom notes, an encrypted sample or the 000000000.key file from %AppData% during cleanup; they may be needed for decryption. Once the scan comes back clean, your system is ready for the next step: decryption.

In order to get the decrypting tool, first visit the ID Ransomware site to confirm that your infection is really Aurora-based; if it is, the result page links to the decryptor. If you cannot find the unlocking tool there, go to the Bleepingcomputer.com forum, where you will find both the decryptor, made by https://twitter.com/demonslay335, and detailed instructions. Mind you, if you are a responsible computer owner and make backups regularly, the simplest route is to clean the machine and restore your files from the most recent backup taken before the CryptoID infection. System Restore, covered below, rolls back system files and settings but does not bring back your documents.

Automatic Malware removal tools

Spyhunter (Windows) and Combo Cleaner (Mac) are the scanners referenced in this guide. Both offer a limited free trial that detects the infection and assists in its removal; see each vendor's terms of use, privacy policy and uninstall instructions.


How to recover CryptoID ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen, then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.


2. Restore system files and settings.

  • When the Command Prompt loads, type cd restore and press Enter.
  • Then type rstrui.exe and press Enter again.
  • Click "Next" in the window that appears.
  • Select a Restore Point dated before RICKROLL LOCKER infiltrated your system and click "Next".
  • To start System Restore click "Yes".
 

Step 2. Complete removal of CryptoID ransomware

After restoring your system, scan your computer with an anti-malware program such as Spyhunter and remove all malicious files related to RICKROLL LOCKER. System Restore reverts system files and settings, not every file the ransomware may have dropped, so this scan is not optional.

Step 3. Restore CryptoID ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the moment the snapshot was created. RICKROLL LOCKER usually tries to delete all Shadow Volume Copies, so this method may not work on every computer; however, it may fail to do so, so it is worth checking. Shadow Volume Copies are available on Windows XP Service Pack 2 and later (Vista, 7, 8 and 10). There are two ways to retrieve your files via Shadow Volume Copy: the native Windows Previous Versions feature, or Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous Versions tab. You will see all available copies of that particular file and the time at which each was stored in a Shadow Volume Copy. Choose the version you want to retrieve and click Copy to save it to a directory of your own, or Restore to replace the existing encrypted file. If you want to see the content of the file first, click Open.

b) Shadow Explorer
Shadow Explorer is a free program available online as a full or portable version. Open it and, in the top-left corner, select the drive where the file you are looking for was stored. You will see all folders on that drive as of the snapshot date. To retrieve a whole folder, right-click on it and select "Export", then choose where it should be saved.
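Steps 1 and 3 both depend on a snapshot that predates the infection still existing. The following PowerShell example, added here and not part of the original article, lists the restore points rstrui.exe would offer and the shadow copies Shadow Explorer would show, then exposes the newest shadow copy of the system volume as a folder and pulls the pre-encryption originals of every .cryptoid file out of it. The link path C:\shadow_ro and the output folder D:\recovered are assumptions.

```powershell
# Added example (not from the original article). Run as Administrator in
# Windows PowerShell 5.1; Get-ComputerRestorePoint is not in PowerShell 7.
# Assumed paths: the link C:\shadow_ro and the recovery target D:\recovered
# (a different drive than the infected one, so nothing is written over).

# Step 1 data: restore points. Choose one whose CreationTime is older than
# the earliest .cryptoid file on disk.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description,
        @{ n = 'CreationTime'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# Step 3 data: Volume Shadow Copies. Ransomware usually deletes these with
# vssadmin; an empty list means Step 3 cannot help on this machine.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
$shadows | Select-Object InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# Map the system drive letter to its volume GUID path and take its newest snapshot.
$sysVolume = (Get-CimInstance -ClassName Win32_Volume |
              Where-Object { $_.DriveLetter -eq $env:SystemDrive }).DeviceID
$snap = $shadows | Where-Object { $_.VolumeName -eq $sysVolume } | Select-Object -Last 1

if ($null -eq $snap) {
    Write-Warning "No shadow copy of $env:SystemDrive survives; use Step 4 or the Aurora decryptor."
} else {
    # Expose the snapshot as a directory symlink. The trailing backslash on
    # the target is required; the snapshot itself is read-only.
    $link = 'C:\shadow_ro'
    cmd /c mklink /d $link "$($snap.DeviceObject)\"
    "Snapshot from $($snap.InstallDate) is browsable at $link"

    # For every encrypted file under the user's profile, copy the original
    # (same path, without the .cryptoid suffix) out of the snapshot if it exists.
    $Out   = 'D:\recovered'
    $skip  = $env:SystemDrive.Length + 1          # length of 'C:\'
    $found = 0; $missing = 0
    foreach ($enc in Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Filter '*.cryptoid') {
        $relative = $enc.FullName.Substring($skip)
        $orig     = Join-Path $link ($relative -replace '\.cryptoid$', '')
        if (Test-Path -LiteralPath $orig) {
            $dest = Join-Path $Out ([IO.Path]::GetDirectoryName($relative))
            New-Item -ItemType Directory -Path $dest -Force | Out-Null
            Copy-Item -LiteralPath $orig -Destination $dest
            $found++
        } else {
            $missing++                            # created after the snapshot, or never shadowed
        }
    }
    "Recovered $found originals into $Out; $missing encrypted files had no snapshot copy."
    # Afterwards: cmd /c rmdir $link   (removes only the link, not the snapshot)
}
```

Files that were created or changed after the snapshot was taken will be reported as missing; for those, the Aurora decryptor or Step 4 are the remaining options.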

Step 4. Use Data Recovery programs to recover CryptoID ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well, because some ransomware writes the encrypted copy to a new file and deletes the original; if the deleted original has not yet been overwritten, an undelete tool can bring it back. This does not work in all cases, but you can try it:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive, so nothing further is written to it. It is still possible to do this on the infected PC, though every write reduces the chance of recovery.
  • Download a data recovery program.
  • Install it (on the other PC, not on the affected drive) and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. We therefore recommend using decent cloud backup software as a precaution, such as Carbonite, BackBlaze, CrashPlan or Mozy Home.
