Crysis Ransomware - How to remove

Crysis Ransomware

Crysis Ransomware is a dangerous virus that can infect your computer and lock your personal files. It is classified as ransomware because you will be asked to pay a ransom in order to retrieve the locked files.

If you have noticed that your computer is infected with this virus and you can’t open some of your files, here’s what you should do: remove the ransomware from your system and try to restore your files.

About Crysis Ransomware

Crysis is not a new ransomware variant, and its behaviour is what we expect from the usual file-encrypting, ransom-demanding malware. This virus has been around for a while and it uses the RSA-2048 cipher for encryption to make the affected files unavailable for usage.

In June, the activity of this variant was noticed to have increased as it made another big splash. We have no record of people actually paying the demanded number of bitcoins, but doing so is a very bad idea. If you happen to stumble upon this infection and the virus requires a fee of 4 bitcoins, you should roll your eyes and say goodbye to this annoying variant. The methods for possibly getting rid of the Crysis virus are enumerated in the next section. All files encrypted by this variant silently receive an additional extension: .crysis.

How is Crysis Ransomware Distributed?

IT specialists find that email accounts are very frequently filled with payloads of ransomware viruses. These executables are attached to random letters that seem believable. For example, crooks might forge a letter suggesting a huge sale and inviting you to download a new catalogue. On the other hand, the topic might be more serious, like a reminder about taxes or a confirmation regarding a trip. Be careful when clicking on links that are found in random letters. In fact, always check whether the link is accurate and safe before doing so.

How to Decrypt Files Encrypted by Crysis Ransomware?

You should eliminate Crysis Ransomware from your computer. Even though this won’t decrypt your files, you have to do it because Crysis Ransomware can bring other viruses into your system. Removal can be easily achieved with some help from trustworthy anti-malware. We recommend using either Spyhunter or Malwarebytes. Simply download one of these applications and scan your computer with it. One of these apps should detect and remove Crysis Ransomware in just a couple of minutes. If your system is infected with other viruses, it will detect and remove them as well. You can use other anti-malware software of your choice too.

Once Crysis Ransomware is eliminated from your system, you can try to unlock your files. Fortunately, Crysis Ransomware has finally been decrypted. You can download the decryptor and follow the instructions for decryption here. You can also try the Crysis decryptor by Avast.

System restore can also be performed, if you have a valid copy of your hard disk that was made before your computer got infected with Crysis Ransomware. If you do have a copy of your disk, but don’t know how to perform the system restore, you can find the tutorial right here.

In case you don’t have that copy of your hard drive, don’t panic. The developers of Crysis Ransomware offer decryption software that will allow you to decrypt all encrypted files if you pay the ransom. However, we do not recommend trusting them because there are no guarantees that you will retrieve your files even after paying the ransom.

In order to avoid incidents like this in the future, you should change your operating system settings so that it automatically makes hard disk backups from time to time, so every time a virus attacks your computer you can simply set it to the previous date. In addition to that, it’s recommended to keep your computer secured with reliable anti-malware software to prevent infections like this. Please note that it’s not enough to have only anti-virus software protecting your system because sometimes it can’t detect malware.

Update of the 10th of February, 2017. In 2017, Crysis ransomware has been noticed to reach computer devices via Remote Desktop Protocol. As reports indicated, companies from New Zealand and Australia are being targeted by this variant. The USA is also one of the targets: hackers are opting to infect the healthcare sector.

How to recover Crysis Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Crysis Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.
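
An added example (not part of the original guide): a Python script that counts files carrying the .crysis extension per folder and reports the oldest one's modification time, which helps when choosing a restore point or shadow copy from before the infection. It assumes the malware did not reset file timestamps; the function names and the sample tree are constructed for illustration.

```python
import os
import sys
import tempfile
from collections import Counter
from datetime import datetime, timezone

EXT = ".crysis"  # extension the guide says is added to encrypted files


def inventory(root, ext=EXT):
    """Return (Counter of folder -> encrypted file count, earliest mtime or None)."""
    per_dir, earliest = Counter(), None
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ext):
                continue
            try:
                mtime = os.stat(os.path.join(folder, name)).st_mtime
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            per_dir[folder] += 1
            earliest = mtime if earliest is None else min(earliest, mtime)
    return per_dir, earliest


def report(root):
    """Text summary: total, worst-hit folders, and the cut-off time."""
    per_dir, earliest = inventory(root)
    lines = [f"{sum(per_dir.values())} file(s) ending in {EXT} under {root}"]
    lines += [f"{n:6d}  {folder}" for folder, n in per_dir.most_common(20)]
    if earliest is not None:
        # Assumption: mtime reflects when the encrypted copy was written.
        when = datetime.fromtimestamp(earliest, tz=timezone.utc)
        lines.append(f"oldest encrypted file written {when:%Y-%m-%d %H:%M} UTC; "
                     "choose a restore point or shadow copy older than this")
    return "\n".join(lines)


def build_sample(root):
    """Constructed sample tree: two encrypted files and one untouched file."""
    os.makedirs(os.path.join(root, "docs"))
    for rel, mtime in (("docs/a.txt.crysis", 1486700000),
                       ("b.jpg.crysis", 1486703600),
                       ("docs/clean.txt", 1480000000)):
        path = os.path.join(root, *rel.split("/"))
        open(path, "w").close()
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(report(sys.argv[1]))   # scan a real folder or drive
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp)
            print(report(tmp))       # demo on the constructed tree
```

Run it with a folder or drive path as the only argument; without an argument it runs on the constructed sample tree.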
 

Step 2. Complete removal of Crysis Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Crysis Ransomware. You can check other tools here.

Step 3. Restore Crysis Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Crysis Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Crysis Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
