
Remove Cryp1 (UltraCrypter) Ransom Virus and Get The .Cryp1 Files Back

Update! Malware researchers from Kaspersky have updated their Rannoh Decryptor utility with decryption for the CryptXXX 3.0 ransomware family. Files should be fully decrypted with the help of that software. You can find its download page and instructions at: Kaspersky’s Rannoh Decryptor page.


A very dangerous ransomware virus has started to infect users all over the world. It carries the name Cryp1 and is also known as the second version of the CryptXXX 3.0 ransomware, another dangerous virus that has passed through many improvements on the way to its current form. The Cryp1 ransomware demands around 1.2 BTC (542 USD) to decrypt the user's encrypted files. What is interesting is that it needs only two small files to do all of this damage. Malware researchers strongly advise users who have been infected with the virus to remove it using the instructions provided in this article.

Threat Summary

Name: Cryp1
Type: Ransomware
Short Description: A new and improved version of CryptXXX 3.0 Ransomware. Encrypts the user's files, adding a .cryp1 file extension, and asks for around 500 dollars ransom for the decryption process.
Symptoms: Files become corrupted and the wallpaper is changed to instructions on how to pay the ransom money and decrypt your files.
Distribution Method: An exploit kit attack distributed in various forms.
Detection Tool: See If Your System Has Been Affected by Cryp1


How Does Cryp1 Ransomware Conduct Its Infection

To infect users successfully, the ransomware relies on the so-called Exploit Kit attack. It does not use just any average attack, though: Cryp1's exploit kit is updated to slip past the latest signature definitions and anti-malware mechanisms. It is also believed to use a very modern multi-stage infection process that is not limited to a single method of infection.

One variant used by the crooks is delivery via a malicious exploit server, which covers several infection scenarios, for example:

[Figure: the four stages of the ransomware infection chain]

Cryp1 Ransomware Activity Stages

Once the exploit kit has infected the user, it drops two files in the user's %Temp% folder: its malicious executable and its file encrypter:

  • C:/Users/{Username}/AppData/Local/Temp/Low/FB73.tmp.dll – a file which performs the encryption of the files on the drive of the infected machine.
  • C:/Users/{Username}/AppData/Local/Temp/Low/Rundll32.exe – a file which modifies the registry, deletes backups and creates other files on the infected machine.

After these files are created and executed, the ransomware gets down to business. It begins to encrypt files of the types a user works with most often:

  • Videos.
  • Photos.
  • Music and other audio files.
  • Pictures.
  • Database files.
  • Photoshop documents.
  • Microsoft Office documents.
  • SQLITE files.
  • Virtual Box Virtual Machine files.
  • Other files associated with programs that are often used by Windows users.

The Cryp1 virus is also programmed to modify the following registry entries: one changes the user's wallpaper, the other makes its FB73.tmp.dll file encryptor run on every Windows startup so that newly added files are encrypted as well:

Wallpaper:
HKEY_CURRENT_USER\Control Panel\Desktop
"Wallpaper"="{PATH TO THE RANSOM NOTE WALLPAPER}"
Encrypter:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"rundll32.exe" = "C:/Users/{USER'S PROFILE}/AppData/Local/Temp/"
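The two dropped files and the two registry values above are the artifacts a responder would look for first. The following Python script is an added example (not code from the article or from any removal tool it mentions) that turns them into a simple indicator check: it flags Run-key commands that execute out of the user's Temp folder, a Wallpaper value that points into Temp, and files carrying the .cryp1 extension. The sample registry values and file names at the bottom are constructed for illustration, with {USER} standing in for the profile name; `collect_from_windows` is a hypothetical helper that reads the same two keys on a live Windows host.

```python
"""Indicator check for the Cryp1 persistence artifacts described above.

Added example, not the article's own code.  It flags:
  * HKCU\...\Run entries whose command runs out of %Temp%
  * a Desktop\Wallpaper value that points into %Temp% (the ransom-note image)
  * files carrying the .cryp1 extension
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
import re

# Matches "\AppData\Local\Temp" either at the end of a path or followed by
# another path component (e.g. ...\Temp\Low\FB73.tmp.dll).
TEMP_MARKER = re.compile(r"\\appdata\\local\\temp(\\|$)", re.IGNORECASE)


@dataclass
class Finding:
    kind: str     # "run_key", "wallpaper" or "encrypted_file"
    detail: str


def _normalize(path: str) -> str:
    """Strip quotes and fold forward slashes, so the C:/Users/... form the
    article uses and the usual C:\\Users\\... form compare the same way."""
    return str(PureWindowsPath(path.strip().strip('"')))


def check_run_entries(run_values: dict) -> list:
    """Flag autorun commands that execute from the user's Temp folder."""
    findings = []
    for name, command in run_values.items():
        cmd = _normalize(command)
        if TEMP_MARKER.search(cmd):
            findings.append(Finding("run_key", f"{name} -> {cmd}"))
    return findings


def check_wallpaper(wallpaper: str) -> list:
    """Flag a wallpaper image that lives in Temp (where the note is dropped)."""
    wp = _normalize(wallpaper)
    return [Finding("wallpaper", wp)] if TEMP_MARKER.search(wp) else []


def check_files(paths) -> list:
    """Flag files renamed with the .cryp1 extension."""
    return [Finding("encrypted_file", p) for p in paths
            if PureWindowsPath(p).suffix.lower() == ".cryp1"]


def assess(run_values: dict, wallpaper: str, files) -> list:
    """Run all three checks and return the combined list of findings."""
    return check_run_entries(run_values) + check_wallpaper(wallpaper) + check_files(files)


def collect_from_windows():
    """Hypothetical helper: read the two registry locations on a live Windows
    host with the standard-library winreg module (Windows only)."""
    import winreg
    run = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # raised once the value index runs past the end
                break
            run[name] = str(data)
            index += 1
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Control Panel\Desktop") as key:
        wallpaper, _ = winreg.QueryValueEx(key, "Wallpaper")
    return run, wallpaper


# Constructed sample data; {USER} stands in for the real profile name.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\{USER}\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "rundll32.exe": r"C:/Users/{USER}/AppData/Local/Temp/",   # the entry from the article
}
SAMPLE_WALLPAPER = r"C:\Users\{USER}\AppData\Local\Temp\Low\ransom_note.bmp"  # constructed name
SAMPLE_FILES = [
    r"C:\Users\{USER}\Documents\report.docx.cryp1",
    r"C:\Users\{USER}\Pictures\holiday.jpg",
    r"C:\Users\{USER}\Music\track.mp3.cryp1",
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_RUN, SAMPLE_WALLPAPER, SAMPLE_FILES):
        print(f"[{finding.kind}] {finding.detail}")
```

On a Windows host the same checks run against live data with `run, wp = collect_from_windows()` followed by `assess(run, wp, file_list)`, where `file_list` comes from walking the user's profile. A legitimate Run entry such as the OneDrive sample is not flagged, because the check keys on the Temp location rather than on the executable name: the page's Rundll32.exe is a copy placed in Temp, and the name alone would also match the genuine Windows binary.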

After these registry values are created, the user's wallpaper immediately changes to the following picture:

[Figure: the Cryp1 ransom-note wallpaper]

The ransom demands from the wallpaper picture are the following:

All your files are encrypted.
ID: {Unique Identification}
http://e2308d23h0923h.onion(.)to
http://e2308d23h0923h.onion(.)cab
http://e2308d23h0923h.onion(.)city
Download and install tor-browser https://torproject.org/projects/torbrowser.html.en
TorLink: http://eqyo4fbr5okzaysm(.)onion
Write down the information to notebook (exercise book) and reboot the computer.

After this, the user infected by Cryp1 is redirected to a payment website with additional instructions on how to pay the ransom. This payment page may be available in more than one language:

[Figure: the translated Cryp1 payment page]

Removal of Cryp1 Ransomware

To delete this ransom virus from your computer, we strongly advise you to follow the instructions below. If you have trouble finding the registry entries and the files created by the ransomware manually, we advise using the automatic removal option, which will swiftly take care of the threat and make sure it does not spread to other computers on the network.

Manually delete Cryp1 from your computer

Note! Important notice about the Cryp1 threat: manual removal of Cryp1 requires interfering with system files and the registry, so it can damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Cryp1 files and objects.
2. Find malicious files created by Cryp1 on your PC.
3. Fix registry entries created by Cryp1 on your PC.

Automatically remove Cryp1 by downloading an advanced anti-malware program

1. Remove Cryp1 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Cryp1 in the future
Optional: Using Alternative Anti-Malware Tools

Decrypt .Cryp1 Encrypted Files

To restore the files encrypted by the Cryp1 Ransom Virus, we advise you to try the alternative methods below. They may not be 100% effective, but they may restore some of your files until a more effective solution is released by researchers. Until then, we advise you to follow this page and our forum for more updates on .Cryp1 ransomware; we will post any as soon as they are available. Either way, we strongly advise AGAINST paying for decryption: as the previous variants of this ransomware show, its decryptor has been reported broken, and users were paying for basically nothing.

Restore files encrypted by Cryp1


Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
