CryptoRoger Ransomware - How To Remove?


CryptoRoger ransomware is a recently discovered file-encrypting virus. Like many recent sophisticated file encoders, it uses an asymmetric encryption algorithm to corrupt the victim’s data. Unfortunately, the cyber security community has not come up with a decryptor yet, so you have to take care of your data’s safety before it is too late.

About CryptoRoger Ransomware

CryptoRoger ransomware uses AES-256 encryption to encrypt standard files. It appends the .crptrgr extension to the names of encrypted files: for instance, picture.jpg is turned into picture.jpg.crptrgr. This cryptomalware computes the MD5 hashes of the files and stores them together with their filenames in the %AppData%\files.txt file. When encryption is finished, it displays the !Where_are_my_files!.html file containing the ransom note. The size of the ransom is 0.5 BTC (bitcoins), which is 337.79 USD at the time of writing (the BTC exchange rate is not stable and shifts constantly). The hackers threaten to increase the ransom if you do not comply with their demands. They also offer to decrypt one file free of charge to prove to you that they have the working key. The BTC address for payment and the file for test decryption are to be exchanged through the uTox messenger using the ID provided – F12CCE864152DA1421CE717710EC61A8BE2EC74A712051447BAD56D1A473194BE7FF86942D3E.

Step-by-step instructions for doing this are laid out further in the ransom message. The cyber crooks also request that the keys.dat file be sent. This keys.dat file probably contains the AES encryption key. The key is encrypted with an RSA public key stored in the ransomware’s executable; only the criminals hold the matching private RSA key, so keys.dat has to be decrypted on their side, after which the AES decryption key is supposedly sent back to the victims who pay (whether that actually happens is highly questionable). CryptoRoger ransomware also creates a .VBS file in the Startup folder so that the ransomware is started whenever Windows is launched. Because of this, it can encrypt newly created files as well.
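The indicators described above (the .crptrgr extension, %AppData%\files.txt, the ransom note, keys.dat and the .VBS launcher in Startup) can be checked for in one pass. The following triage script is an added example, not code from the article or the malware; it assumes an elevated PowerShell 5+ session on the suspect machine and, because the article does not state where keys.dat and the ransom note are written, looks for them anywhere under the user profile.

```powershell
# Added triage script (not from the article): sweep the current user profile for
# the CryptoRoger indicators described in the text. Assumptions: PowerShell 5+,
# elevated session; keys.dat / ransom note locations are not stated in the article,
# so the whole user profile is searched for them.
$profileRoot = $env:USERPROFILE
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),       # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
)

# 1. Encrypted files carry the appended .crptrgr extension (picture.jpg.crptrgr)
$encrypted = Get-ChildItem -Path $profileRoot -Recurse -File -Filter '*.crptrgr' -ErrorAction SilentlyContinue

# 2. The MD5/filename list the malware writes to %AppData%\files.txt
$fileList = Join-Path $env:APPDATA 'files.txt'

# 3. Ransom note and the RSA-wrapped AES key file the note asks the victim to send
$artefacts = Get-ChildItem -Path $profileRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in @('!Where_are_my_files!.html', 'keys.dat') }

# 4. Persistence: a .VBS launcher dropped into a Startup folder
$launchers = foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.vbs' -File -ErrorAction SilentlyContinue
}

$report = [PSCustomObject]@{
    EncryptedFileCount = @($encrypted).Count
    FilesTxtPresent    = Test-Path -LiteralPath $fileList
    ArtefactPaths      = @($artefacts | Select-Object -ExpandProperty FullName)
    StartupVbsPaths    = @($launchers | Select-Object -ExpandProperty FullName)
}
$report | Format-List

$hit = ($report.EncryptedFileCount -gt 0) -or $report.FilesTxtPresent -or
       ($report.ArtefactPaths.Count -gt 0) -or ($report.StartupVbsPaths.Count -gt 0)
if ($hit) {
    Write-Warning 'CryptoRoger indicators found: isolate the host and preserve files.txt and keys.dat before cleanup.'
} else {
    Write-Output 'No CryptoRoger indicators found under the current user profile.'
}
```

Keep a copy of files.txt and keys.dat before removal: the MD5 list lets you confirm that a file recovered from a backup or shadow copy is the untouched original, and keys.dat is what any future decryptor would need.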

How is CryptoRoger Ransomware Distributed?

CryptoRoger ransomware, like all ransomware, is a trojan. Viruses of this type tend to be spread through spam e-mails. These e-mails either have no sender indicated or claim to come from representatives of some official or well-known institution or company. Either way, it is trickery. Once you follow the links or open the attachments, you will be stabbed in the back: the executables start running malicious code and your data gets damaged. CryptoRoger cryptomalware can also invade your computer completely silently. This can happen if your software is outdated and you do not have an up-to-date, reliable security scanner running on the system. Such vulnerabilities are exploited by exploit kits (e.g. Angler EK), which push malicious code onto weak, unprotected systems.

How to Decrypt Files Encrypted by CryptoRoger Ransomware?

There is no decryption tool yet, but it is just a matter of time. Security experts are searching for the keys. Once one is created, we will immediately update this article and let you know about it. Meanwhile, if you have not backed up your data, try some data recovery tools. We recommend the most popular and recognized file recovery tools, such as the products of Kaspersky Lab, R-Studio or PhotoRec. In the future, back up your files to external storage such as cloud services, USB keys, external hard drives, DVDs, CDs, etc. Just note that the latter must be plugged in only while you update or add data, since they can easily be infected by the virus and become a source of infection themselves.

You also must remove the CryptoRoger ransomware, since it can encrypt further files. Do this before recovering your data. We recommend using powerful automatic tools such as Spyhunter, Reimage or Hitman. Manual removal might be tricky, but we leave you the choice. The manual removal instructions for this ransomware are given below.

How to recover CryptoRoger ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points dated before the CryptoRoger virus infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of CryptoRoger ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program like Reimage and remove all malicious files related to the CryptoRoger virus. You can check other tools here.

Step 3. Restore CryptoRoger ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually the CryptoRoger virus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so, in which case the copies are still available.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
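Before spending time on Previous Versions or Shadow Explorer, it is worth checking whether any shadow copies actually survived the infection. The script below is an added example, not part of the article or of Shadow Explorer; it assumes an elevated PowerShell session, since reading Win32_ShadowCopy requires administrator rights.

```powershell
# Added example (not from the article): list surviving Volume Shadow Copies per drive
# so you know whether Step 3 can work at all. Assumption: elevated PowerShell session.
$vss = Get-Service -Name VSS -ErrorAction SilentlyContinue
$vssStatus = if ($vss) { $vss.Status } else { 'not found' }
Write-Output "Volume Shadow Copy service: $vssStatus"

# Win32_ShadowCopy reports volumes as \\?\Volume{GUID}\ paths; map them to drive letters
$letters = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    if ($_.DriveLetter) { $letters[$_.DeviceID] = $_.DriveLetter }
}

$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
    $drive = $_.VolumeName
    if ($letters.ContainsKey($drive)) { $drive = $letters[$drive] }
    [PSCustomObject]@{
        Drive   = $drive
        Created = $_.InstallDate       # only snapshots older than the infection hold clean files
        Device  = $_.DeviceObject      # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    }
}

if (-not $snapshots) {
    Write-Warning 'No shadow copies remain on this system; skip Step 3 and go to Step 4 (data recovery tools).'
} else {
    $snapshots | Sort-Object Drive, Created | Format-Table -AutoSize
    $snapshots | Group-Object Drive | ForEach-Object {
        $oldest = ($_.Group | Sort-Object Created | Select-Object -First 1).Created
        Write-Output ("{0}: {1} snapshot(s), oldest created {2}" -f $_.Name, $_.Count, $oldest)
    }
}
```

Compare the snapshot dates with the time the .crptrgr files appeared: a snapshot created after the infection will only contain encrypted copies.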

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover CryptoRoger ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial)
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus we recommend using decent cloud backup software as a precaution, for example Carbonite, BackBlaze, CrashPlan or Mozy Home.


About the author

 - Main Editor
I started in 2007 after wanting to be more or less independent from a single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.
June 26, 2016 07:54, January 4, 2017 04:29
