How to Remove AxCrypter Ransomware and Restore .Axx Encrypted Files

A crypto-virus known as AxCrypter ransomware has been reported by a number of users who found their files encrypted. The malware appears to encrypt the files of affected users with a strong cipher and then demands around $2,500 from the victim to restore them. Infected users are advised not to pay the ransom and to wait for a decrypter to be released by researchers. In the meantime it is recommended to remove the ransomware and to try to restore your files using the instructions posted in this article.

Threat Summary

Name: AxCrypter
Type: Ransomware
Short Description: Encrypts the victim's files with a strong cipher and demands roughly $2,500 for decryption.
Symptoms: Files are renamed with the .axx extension and become inaccessible. A ransom note with payment instructions is dropped as a text file.
Distribution Method: Spam emails, email attachments, file-sharing networks.

AxCrypter Ransomware – How Did I Get It

Similar to Locky ransomware, AxCrypter is a tricky threat. Its payload may be obfuscated (packed or otherwise disguised) so that it is not recognised by the signature-based security software that might be installed. Such obfuscated payloads may be delivered to the user via:

  • Malicious URLs.
  • Malicious e-mail attachments.
  • Fake software installers.
  • Keygens, crack fixes or other .exe files downloaded from suspicious websites.
  • Exploit kits or malicious JavaScript reached through a suspicious browser redirect.

AxCrypter Ransomware – More about It

Once AxCrypter has been executed on the infected computer, it may create a malicious executable in one of the following folders (given here by their Windows environment variable names):

  • %AppData% (the user's Roaming folder)
  • %LocalAppData%
  • %UserProfile%
  • %Temp%
  • %Windir%

There may be more than one malicious file, and they may carry different names, for example:

  • Svchost.exe
  • Notepad.exe
  • B3028n32921.tmp
  • Pac-Man.dll
  • Keygen.exe

Note that svchost.exe and notepad.exe are the names of legitimate Windows binaries that live in %Windir%\System32; a file with one of these names located in a user-writable folder such as %AppData% or %Temp% is a strong sign of masquerading and should be treated as suspicious.

After creating those files, AxCrypter may create a registry entry so that its encryption module runs every time Windows starts. The registry keys that may be modified for this purpose are the standard autostart locations:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

In addition to that, the ransomware may delete the Volume Shadow Copies of the infected computer by running vssadmin with elevated (administrator) privileges, which removes the restore points that Windows could otherwise use to bring back previous versions of files. The command may contain all or some of the following parameters:

→ vssadmin delete shadows /for={Volume of the drive} [/oldest | /all | /shadow={ShadowID}] [/quiet]
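The three behaviours described above (executables dropped under user-writable folders with system-like names, Run/RunOnce persistence, and shadow-copy deletion via vssadmin) are the ones a responder would hunt for in endpoint telemetry. The following triage script is an added example written for this article, not code from the original page or from any AxCrypter sample. It runs a handful of heuristics over process-creation and registry-write events in a Sysmon-like shape; the event field names, the sample events and the paths in them are constructed for the demonstration.

```python
"""Host-triage heuristics for AxCrypter-style behaviour (added example).

Events are plain dicts in an assumed, Sysmon-like shape:
  ProcessCreate    -> image, cmdline, parent
  RegistryValueSet -> key, name, value
The sample events below are constructed, not real telemetry.
"""
import re

# vssadmin invocation that deletes shadow copies (any /for, /all, /oldest or /shadow form)
VSSADMIN_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# HKLM/HKCU ...\CurrentVersion\Run and RunOnce autostart keys
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# folders from the article where the dropped executable may live (normalised, lower-case)
USER_WRITABLE_DIRS = ("/appdata/", "/temp/", "/users/", "/programdata/")
SYSTEM_DIRS = ("/windows/system32/", "/windows/syswow64/")
# legitimate Windows binary names the article lists as used for masquerading
SYSTEM_NAMES = {"svchost.exe", "notepad.exe"}


def _norm(path: str) -> str:
    """Lower-case, forward-slash form so the checks work on any OS."""
    return path.replace("\\", "/").lower()


def _basename(path: str) -> str:
    return _norm(path).rstrip("/").rsplit("/", 1)[-1]


def _in_user_writable(path: str) -> bool:
    return any(d in _norm(path) for d in USER_WRITABLE_DIRS)


def _masquerading(path: str) -> bool:
    """System binary name outside the Windows system directories."""
    p = _norm(path)
    return _basename(p) in SYSTEM_NAMES and not any(d in p for d in SYSTEM_DIRS)


def triage(events):
    """Return a list of findings {rule, severity, detail} for the given events."""
    findings = []
    for ev in events:
        kind = ev.get("event")
        if kind == "ProcessCreate":
            image, cmdline, parent = ev.get("image", ""), ev.get("cmdline", ""), ev.get("parent", "")
            if VSSADMIN_DELETE_RE.search(cmdline):
                findings.append({"rule": "shadow_copy_deletion", "severity": "high",
                                 "detail": f"{cmdline} (parent: {parent})"})
            for label, path in (("image", image), ("parent", parent)):
                if _masquerading(path):
                    findings.append({"rule": "system_name_masquerade", "severity": "high",
                                     "detail": f"{label} {path}"})
            if "/temp/" in _norm(image):
                findings.append({"rule": "execution_from_temp", "severity": "low",
                                 "detail": image})
        elif kind == "RegistryValueSet":
            key, value = ev.get("key", ""), ev.get("value", "")
            if RUN_KEY_RE.search(key) and _in_user_writable(value):
                findings.append({"rule": "run_key_persistence", "severity": "medium",
                                 "detail": f"{key}\\{ev.get('name', '')} = {value}"})
    return findings


# Constructed sample events (assumed shape and paths; not real AxCrypter telemetry).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet",
     "parent": r"C:\Users\bob\AppData\Roaming\Svchost.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows", "parent": r"C:\Windows\System32\cmd.exe"},
    {"event": "RegistryValueSet", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Svchost", "value": r"C:\Users\bob\AppData\Roaming\Svchost.exe"},
    {"event": "RegistryValueSet", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"event": "ProcessCreate", "image": r"C:\Users\bob\AppData\Local\Temp\B3028n32921.tmp",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\B3028n32921.tmp",
     "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']}: {f['detail']}")
```

The benign control events (vssadmin list shadows from cmd.exe, a Run value pointing into Program Files) produce no findings, which is the point of the masquerade and user-writable-path conditions: the autostart key and vssadmin are used legitimately all the time, so the rules key on where the binary lives and on the delete verb rather than on the tool alone.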

Once this has been done, AxCrypter may begin to encrypt the user's files. The ransomware is believed to scan for the most commonly used file types and to encrypt them, appending the .axx extension. The list below is the generic catalogue of common extensions from fileinfo.com rather than a target list confirmed from AxCrypter samples, so treat it as an indication of what may be affected:

→ Images: .PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .BMP .DDS .GIF .JPG
Vector and page layout: .AI .EPS .PS .SVG .INDD .PCT .PDF
Spreadsheets and databases: .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL
Executables and scripts: .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF
Game files: .DEM .GAM .NES .ROM .SAV
CAD files: .DWG .DXF
GIS files: .GPX .KML .KMZ
Web files: .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML
Text and documents: .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS
Data and settings: .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
Encoded files: .HQX .MIM .UUE
Compressed files: .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX
Disk images: .BIN .CUE .DMG .ISO .MDF .TOAST .VCD
Audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
Video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
3D files: .3DM .3DS .MAX .OBJ
Plugins: .CRX .PLUGIN
Fonts: .FNT .FON .OTF .TTF
System files: .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG
Source: fileinfo.com
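When triaging an affected machine the practical questions are which files carry the .axx extension, whether their contents actually look encrypted (high byte entropy, as opposed to files that were merely renamed), and where the ransom note was dropped. The scanner below is an added example written for this article, not code from the original page. It builds a small constructed directory tree so it runs offline; the file names in it are invented. The 16-byte header it checks for is my recollection of the marker that opens an AxCrypt 1.x container, included because the article's authors suspect the legitimate AxCrypt tool's modules are involved; treat that constant as an assumption and verify it against a file you have encrypted with AxCrypt yourself before relying on it.

```python
"""Filesystem triage for .axx-encrypted files and ransom notes (added example)."""
import math
import os
import random
import tempfile
from collections import Counter

AXX_EXT = ".axx"
# Assumed: 16-byte GUID marker at the start of an AxCrypt 1.x container.
# Verify against your own AxCrypt-encrypted file before trusting this in triage.
AXCRYPT_GUID = bytes.fromhex("c0b9072e4f93f146a015792ca1d9e821")
ENTROPY_THRESHOLD = 7.0   # bits per byte; documents and text sit well below this
SAMPLE_BYTES = 4096       # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 for uniformly random data, 0.0 for one repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: str) -> bool:
    """Heuristic (assumption: note file names vary): a text file that mentions .axx and encryption or money."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as f:
            text = f.read(8192).lower()
    except OSError:
        return False
    return ".axx" in text and ("encrypt" in text or "$" in text)


def scan_tree(root: str) -> dict:
    """Walk root and classify .axx files and candidate ransom notes."""
    report = {"axx_files": [], "high_entropy": [], "axcrypt_header": [], "ransom_notes": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(AXX_EXT):
                report["axx_files"].append(path)
                with open(path, "rb") as f:
                    head = f.read(SAMPLE_BYTES)
                if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                    report["high_entropy"].append(path)       # content really is ciphertext-like
                if head.startswith(AXCRYPT_GUID):
                    report["axcrypt_header"].append(path)     # genuine AxCrypt container (assumed marker)
            elif name.lower().endswith(".txt") and looks_like_ransom_note(path):
                report["ransom_notes"].append(path)
    return report


def build_sample_tree() -> str:
    """Constructed fixture standing in for a victim's folder; not real infection data."""
    root = tempfile.mkdtemp(prefix="axx-triage-")
    rng = random.Random(1)                      # deterministic pseudo-random "ciphertext"
    cipher_like = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
    with open(os.path.join(root, "budget.xlsx.axx"), "wb") as f:
        f.write(cipher_like)                    # encrypted, no AxCrypt header
    with open(os.path.join(root, "photo.jpg.axx"), "wb") as f:
        f.write(AXCRYPT_GUID + cipher_like)     # encrypted, with the assumed AxCrypt header
    with open(os.path.join(root, "empty.axx"), "wb"):
        pass                                    # renamed but empty: extension alone proves nothing
    with open(os.path.join(root, "readme.txt"), "w", encoding="utf-8") as f:
        f.write("I encrypt some data ... *.axx Extension ... I demand from you $ 2,500 ...")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as f:
        f.write("meeting notes\n" * 200)        # ordinary low-entropy text
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for key, paths in result.items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

The entropy check matters because the extension alone is not evidence: some ransomware families rename files without encrypting them, and a responder who knows the contents are intact can restore access by renaming rather than waiting for a decrypter. A .axx file that starts with a genuine AxCrypt header, on the other hand, is a standard AxCrypt container and will only open with the key or passphrase used to create it.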

After the files have been encrypted, AxCrypter drops the following ransom note to explain the situation to affected users:

→ “I encrypt some data that I believe are important to your system.
Only your server to encrypt your data so you can bring me back again,
* .axx Extension with its own place in your home directory or disk “reserves” named
After you hide the folder, it will not be brought back to delete data by writing over the original.
If your data again working my way wish to install on your server Eders new me
Please contact via e-mail. Create your ip necessarily the subject of the e-mail you write.
I demand from you to your system cost $ 2,500. If we agree on,
I will send the necessary information to transfer you the money gönfer.
control the delivery of a currency that you sent me (at the latest half an hour) then your system
I made it to connect older.”Source: Infected Users

AxCrypter – Conclusion, Removal and Restoring Your Files

The bottom line for AxCrypter is that this crypto-virus targets files that matter to the user, and the unusually large $2,500 ransom it demands suggests that its operators expect to hit individual high-value victims rather than the mass market. So far malware researchers report that it is not widespread. The .axx extension it appends is the native file extension of AxCrypt, a legitimate open-source file-encryption tool, and researchers believe that an attacker may have gained access to a server belonging to the AxCrypt project and started using its modules to build the virus and encrypt victims' data. If that is the case, the encrypted files are ordinary AxCrypt containers protected by a key only the attacker holds, which is why no decrypter is available.
Whatever the origin, we recommend that you do NOT pay the ransom if you have been infected.
AxCrypter can be removed manually or automatically, and we have provided instructions for both methods below. The automatic approach is advisable, however, because some ransomware is distributed as part of a RaaS (Ransomware-as-a-Service) scheme, which means that different builds may drop different files and create different registry entries. An anti-malware tool will help to identify those objects and remove them permanently, and will also protect you against future threats.

Unfortunately, no decryptor for AxCrypter has been released. You may, however, want to try the alternative solutions in step "3. Restore files encrypted by AxCrypter" below. Bear in mind that the ransomware may already have deleted the Volume Shadow Copies with the vssadmin command shown above, so check whether any restore points survive (vssadmin list shadows, run as administrator) before relying on them, and look for offline or cloud backups first. These methods may not be 100 percent successful, but you might still have a chance to recover at least a portion of your files.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

