CryptXXX ransomware - How to remove

CryptXXX ransomware

CryptXXX ransomware is affiliated with the Reveton screen locking ransomware family. This file encryptor acts as a spyware besides the usual encryption deed done by the typical ransomwares. It will make an attempt to steal your bitcoin wallet if you try to make the payment. This ransomware collects information related to your FTP client, instant messenger clients, e-mails and browsers. Currently 3 versions of CryptXXX ransomware have been released: Version 1.0 was released in the middle of April 2016, Version 2.0 – on May 6, 2016, and Version 3.0 – on May 23, 2016.

About CryptXXX Ransomware

This ransomware-type malware uses asymmetric encryption algorithm RSA-4096. During encryption two keys are generated: the public encryption key and the private decryption key. The private decryption key is stored on Command and Control (C&C) servers in charge of the hackers. CryptXXX ransomware appends .crypt extension to every encrypted filename. New versions of this parasites use .crypz or .cryp1 file extensions as well. Three files are being created: de_crypt_readme.txt file is dropped in every folder of encrypted files, de_crypt_readme.bmp replaces the desktop wallpaper and de_crypt_readme.html is loaded whenever the browser is launched. These files contain the ransom note. The size of the ransom required is 1.2 BTC which equals to 641.92 USD at the moment. But the compensation for the restoration of the data may be doubled to 2.4 BTC which is currently 1,283.81 USD, if the instructions are not followed and the transfer is not made within the time period not specified. If the instructions are violated harshly, the decryption key is threatened to be destroyed permanently. The cyber criminals offers the decryption of one of the encrypted files free of charge to prove that they have the working decryption key. This can be done following the link to .onion site on the TOR network. The ransom note reads as follows:

NOT YOUR LANGUAGE? USE //translate.google.com
What happened to your files?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment
Your personal ID: xxxxxxxxxxxxxxxx
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 – http://2zqnpdpslpnsqzbw.onion.to
2 – http://2zqnpdpslpnsqzbw.onion.cab
3 – http://2zqnpdpslpnsqzbw.onion.city
If for some reasons the addresses are not available, follow these steps:
1 – Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 – After a successful installation, run the browser
3 – Type in the address bar – http://2zqnpdpslpnsqzbw.onion
4 – Follow the instructions on the site
Be sure to copy your personal ID and the instruction link to your notepad not to lose them.

How is CryptXXX Ransomware Spread?

Spam e-mails and their malicious attachments are the culprit of CryptXXX ransomware distribution. This ransomware trojan is also distributed by the Angler Exploit Kit. Thus, it is highly recommended not to open letters that fall into the spam folder (no matter how legitimate they would try to look like) and install and update the trustworthy security software on your computer.

How to Decrypt Files Encrypted by CryptXXX Ransomware?

There is Kaspersky RannohDecryptor tool available for free at support.kaspersky.com under the section virus-fighting utilities. You will have to find the largest pair of two files: an encrypted file and an unencrypted file. The pair will let the decryptor to determine the decryption key for all the corrupted data. Just the smaller files will be possible to restore with the key. That is why, the largest pair is required to be executed firstly. Use a trick suggested by a security expert Gabber – seize the opportunity of free decryption offered by the developers of CryptXXX ransomware to decrypt the largest file. This way, you will have the largest encrypted file and the largest decrypted file. If, for some reasons (you know you cannot trust the hackers), it will not work, use the sample pictures of Sample Pictures folder in C disk. Their unencrypted versions can be downloaded from another computer. Finally, to begin the actual decryption download the Kaspersky RannohDecryptor.exe. Double-click it. Then, click the Start button. Add the encrypted file and the unencrypted files. The program will start determining the decryption key. And, after it has been found, your files will be decrypted.

There is also Kaspersky decryptor available for CryptXXX 2.0 version. However, Kaspersky RannohDecryptor does not work on the latest (3.0) version at the moment (the one using .cryp1 extension). For the time being, use backups, if you have any. If not, try restoring your files via Shadow Volume Copies. If this does not work, employ file recovery software such as PhotoRec or R-Studio. Just keep in mind that data recovery must be done after the deletion of the virus. Employ professional malware removal tools such as Spyhunter, Malwarebytesto take care of the removal of this creepy virus and any accompanying threats. In case of using the decryptor, create a copy or an image of your hard drive before the deletion of the ransomware. Manual removal is also an option, the instructions are provided below.

Update of the 20th of December, 2016. Now the third version of CyptXXX is decryptable. If you have the copies of your infected files and the ransom note either in the HTML or TXT (preferred since it works better) file format, you can download the updated RannohDecryptor from here. The wizard of the decryptor is self-explanatory, if, anyway, you experience difficulties take a look here.

How to recover CryptXXX ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode
 

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before CryptXXX virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3
 

Step 2. Complete removal of CryptXXX ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to CryptXXX virus. You can check other tools here.  

Step 3. Restore CryptXXX ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually CryptXXX virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover CryptXXX ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Removal guides in other languages

2 responses to “CryptXXX ransomware

  1. When I tried to use Kaspersky for decryption of my files, a notification popped up saying that The Decryption of files by this variant ofTrojan-Ransom.Win.32.CryptXXX is not supported. What should I do?

  2. Try to restore with file recovery programs first. Maybe the old version of files is available.

Leave a Reply

Your email address will not be published. Required fields are marked *