Crypton ransomware - How to remove

Crypton virus targets people who use one of two languages: English and Russian. Recently there has been an increase in ransomware viruses that target Russian-speaking users and their valuable data. This variant goes after both groups, which are among the most frequently chosen victims for deception. The tension intensifies each day as new ransomware variants are detected to be active. Constant production of these viruses is starting to spin out of control, and security researchers are unable to put an end to this war just yet. From the looks of it, ransomware viruses are thriving and finding new “sponsors”. These supporters usually give away their money to crooks involuntarily: they send it as a ransom for the decryption of their files. Surprisingly, it has been identified that the decryption is programmed to begin automatically after the hackers receive the fee. Even so, we seriously doubt that the creators of Crypton virus will bother with your problems. Once they obtain what they wanted (money), keeping promises becomes unnecessary. Please do not become one of the supporters of ransomware viruses.

About Crypton Ransomware

If your language preferences are set to either English or Russian, the payload will have no problem kicking things off. Everything begins so silently that you probably won’t be able to tell the exact moment you got infected. Secrecy is one of the instrumental features of ransomware viruses: they have to keep their existence a secret until they hold all of the aces. Until your screen is locked with a terrifying message from the shady programmers, there is still hope of catching Crypton virus red-handed and stopping it from tampering with your files. Otherwise, this virus can persist without making its presence noticeable. Users who treat changes in the speed of their devices as natural should be reminded that in many cases a slow-running computer can be one of the indicators of an infection. Crypton virus was determined to be quite difficult to detect and to operate with a malware dropper, which installs the payload.


Crypton virus will modify your Windows Registry keys. To be more precise, it changes the entries that are responsible for launching programs automatically. You may have noticed that many programs are run automatically, without asking for permission: Skype, Torrent or other software. The payload of Crypton virus won’t show itself, but will run automatically in the background. Its process might be spotted among those listed in Task Manager, but people are more likely to miss it. Why? Because the name of the payload can be a Plain Jane: updater.exe, installer.exe or similar. In this case, crooks are spreading the crypton.exe payload. After the ransomware finishes its objectives, it reveals its presence by adding the _crypt extension to all of the encoded files. In addition, it leaves a ransom note, “readme_encryption.txt”. You are discouraged from following their advice. Images in this article show the possible ransom note and lock screens (in both English and Russian).
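The indicators named above (an autostart registry entry, the crypton.exe payload, the _crypt extension and the readme_encryption.txt note) can be checked with a short PowerShell triage script. This is an added example, not part of the original article; it assumes PowerShell 3.0 or later, and the function names and the "autostart from a user-writable folder" heuristic are assumptions made for illustration.

```powershell
# Added triage example. Indicator names come from the article; the
# user-writable-path heuristic and the function names are assumptions.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $cmd
                # Payload file name given in the article
                NamedMatch = $cmd -match '(?i)crypton\.exe'
                # Heuristic: program autostarts from a per-user writable folder
                UserPath   = $cmd -match '(?i)\\(AppData|Temp)\\'
            }
        }
    }
}

function Find-CryptonArtifact {
    param([Parameter(Mandatory)][string]$Root)
    # Files carrying the _crypt extension, plus the ransom note itself
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*_crypt' -or $_.Name -ieq 'readme_encryption.txt' } |
        Select-Object FullName, Length, LastWriteTime
}

# Autostart entries worth a manual look, then the oldest affected files
Get-AutorunEntry | Where-Object { $_.NamedMatch -or $_.UserPath } | Format-List | Out-Host
Find-CryptonArtifact -Root $env:USERPROFILE | Sort-Object LastWriteTime |
    Select-Object -First 20 | Format-Table -AutoSize | Out-Host
```

Because the payload may use a generic name such as updater.exe, a flagged entry is a lead for manual review rather than proof of infection, and an empty result does not clear the machine.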


How is Crypton Ransomware Distributed?

Crypton virus and its payload are expected to be found in the places where ransomware viruses very frequently choose to settle down temporarily. In search of a more permanent home, it will attempt to find people who will download the payload onto their system. It is an acknowledged truth that creators of ransomware viruses disseminate their creations by sending them to email inboxes. For this purpose, sometimes even bots are assigned to send around spam containing malware. If you happen to receive a letter from an unknown source claiming to discuss some important issue (taxes, flights, insurance, etc.), do not open it. You should always check first whether the sender can be trusted.

How to Decrypt Files Encrypted by Crypton Ransomware?

If you have read this article attentively, you may have noticed that decryption is a little-explored topic. We dedicate this paragraph to helping you either restore your files or protect them from ransomware attacks. If you are reading this article to find out more about decryption, then we must sadly disclose that an appropriate tool for Crypton virus has not been released yet. This news aside, security researchers are always trying out new methods in order to crack ransomware viruses faster. Until they push Crypton virus out of business, we recommend that you wait patiently, try to restore Shadow Volume Copies or use universal programs. As for people who have not encountered ransomware before, we advise them to get their matters in order. How? For example, by creating copies of valuable data and keeping them on USB flash drives. Then, if the original files get encrypted, you can get them back from the alternative source. Warning: do not keep your flash drives plugged in to your computer, because a ransomware virus can encrypt them as well. Another method is to store your files in online backup storage, which is becoming more and more popular.

Spyhunter or Malwarebytes are the anti-malware tools that will fight off Crypton virus and remove it from your system. Tips for decryption and removal can be found below.

Update of the 8th of March, 2017. Today is your lucky day if your files have been corrupted by Crypton ransomware. Researchers from Emsisoft have once again provided a functional decryptor for people trying to recover files after Crypton rendered them useless. Download the tool here.

How to recover Crypton ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Crypton ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Crypton ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Crypton ransomware. You can check other tools here.

Step 3. Restore Crypton ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Crypton ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
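Since the ransomware usually tries to delete Shadow Volume Copies, it is worth checking whether any snapshot survived, and whether it is older than the encrypted files, before spending time on either method. The following is an added example, not part of the original article; it assumes PowerShell 3.0 or later in an elevated session, and the function name is hypothetical.

```powershell
# Added example, run from an elevated prompt. Using LastWriteTime as the
# encryption time is an assumption; malware can preserve timestamps.
function Get-ShadowCopyStatus {
    param([Parameter(Mandatory)][string]$Root)

    # Earliest file carrying the _crypt extension named in the article
    $first = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*_crypt' } |
        Sort-Object LastWriteTime |
        Select-Object -First 1
    # With no encrypted file found, every existing snapshot counts as older
    $cutoff = if ($first) { $first.LastWriteTime } else { Get-Date }

    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)
    if ($copies.Count -eq 0) {
        Write-Warning 'No Shadow Volume Copies found; this step cannot recover files here.'
        return
    }

    # Newest snapshot first; only those created before the cutoff are useful
    $copies | Sort-Object InstallDate -Descending | ForEach-Object {
        [pscustomobject]@{
            Id                 = $_.ID
            Volume             = $_.VolumeName
            Created            = $_.InstallDate
            PredatesEncryption = $_.InstallDate -lt $cutoff
        }
    }
}

Get-ShadowCopyStatus -Root $env:USERPROFILE | Format-Table -AutoSize | Out-Host
```

A snapshot with PredatesEncryption set to True is the one to browse with Previous Versions or Shadow Explorer.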

Step 4. Use Data Recovery programs to recover Crypton ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.