Remove CryptFile2 Ransomware and Restore Encrypted Files

Researchers from Proofpoint have revealed information about a ransomware called CryptFile2. They gave it this name because of one of its malware samples. Proofpoint reports that the ransomware began spreading in the middle of March this year. The ransomware asks victims to contact its creators and pay an unknown sum of money in BitCoins to get their files back. Files with more than 1200 different extensions are encrypted by this ransomware.

To remove the ransomware and learn how to restore your files, read the full article.

Threat Summary

Name: CryptFile2
Type: Ransomware
Short Description: The ransomware encrypts files with the RSA algorithm and asks for payment in BitCoins.
Symptoms: Files with more than 1200 extensions are encrypted. Files with ransom instructions are put in every directory with locked files.
Distribution Method: Spam Emails, Exploit Kits
Detection Tool: See If Your System Has Been Affected by CryptFile2
User Experience: Join Our Forum to Discuss CryptFile2.

CryptFile2 Ransomware – Delivery

CryptFile2 ransomware is delivered mainly through exploit kits, though spam emails spreading attachments with the malware inside are not excluded. The malicious code could also be hidden in the body of an email, so merely opening such an email might trigger a silent download of the malware onto your system.

The exploit kits observed delivering this threat are the well-known Nuclear Exploit Kit and Neutrino.

Your PC can also get infected through exploit kits and malicious code spread on social network sites and file-sharing services. A good prevention method is to avoid all suspicious files and web links you come across.

CryptFile2 Ransomware – Information

The CryptFile2 malware is classified by researchers as ransomware. Last week, Proofpoint researchers shared details about it; they named the ransomware after a debug string found in one of the samples they were investigating. If you get infected, the malware encrypts your most important files along with many other file types. CryptFile2 may also create entries in the Windows Registry so that it loads automatically each time Windows starts.

CryptFile2 puts two files in each directory that contains encrypted files. They hold the ransom instructions and have the following names:

  • HELP_YOUR_FILES.html
  • HELP_YOUR_FILES.txt

You can see an example of one of the files here:

You are given a random ID. The instructions read:

NOT YOUR LANGUAGE? USE hxxps://translate.google.com

What happened to your files?

All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys RSA-2048 can be found here: hxxp://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen?
!!!Specially for your PC was generated personal RSA-2048 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our Secret Server.

What do I do?

So, there are two ways you can choose: wait for a miracle and get your pride doubled, or start obtaining BITCOIN NOW!, and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions:

Contact is by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. For you to be sure, that we can decrypt your files – you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee.

E-MAIL1: pchelp_@_post.com
E-MAIL2: xerx_@_usa.com
YOUR_ID:

Payment is expected in BitCoins, although the ransomware creators have not specified an amount. They have provided two email addresses for contact.

Paying any ransom to the cyber criminals is far from advised. Not only might you not get your files decrypted, you might not even receive an answer. Giving the criminals money may encourage them to keep making ransomware, or something worse; usually this results in a stronger, improved variant of the ransomware they created in the past.

According to Proofpoint security researchers, the CryptFile2 ransomware targets files with more than 1200 different extensions. The RSA encryption algorithm is used. Some of the file extensions are:

.3gp, .7z, .ads, .asf, .asx, .ba, .bank, .bgt, .bik, .bkp, .bpw, .cdf, .cer, .ce1, .ce2, .cgm, .class, .cls, .cpp, .craw, .csh, .csl, .csv, .ddd, .der, .dng, .dxg, .eml, .exf, .ffd, .fff, .flac, .fla, .flv, .gray, .h, .hpp, .ibd, .indd, .java, .key, .laccdb, .m4v, .maf, .mam, .maw, .mdc, .mfw, .mp4, .mpg, .mso, .ndd, .nef, .nsg, .nwb, .odc, .odf, .odg, .odp, .one, .oth, .p7b, .pat, .pbo, .pcd, .pct, .pps, .ppsm, .ppsx, .pspimage, .psafe3, .pub, .qbw, .r3d, .raf, .rar, .rat, .raw, .rwz, .sas7bdat, .sda, .srf, .srt, .srw, .stc, .std, .sti, .st, .vob, .vsd, .vtx, .wav, .wmv, .wpd, .xlc, .xlm, .xlr, .xlt, .xltm, .xltx, .m4a, .wma, .zip, .unrec, .scan, .tax, .icxs, .hkdb, .mdbackup, .syncdb, .gho, .wmo, .fos, .mov, .vdf, .tmp, .sis, .menu, .layout, .blob, .vcf, .tor, .psk, .lvl, .xxx, .wallet, .wotreplay, .desc, .m3u, .js, .rb, .hkx, .forge, .rim, .vpp_pc, .pak, .rgs, .lrf

After encryption, every affected file gets the extension .id_[yourid]_[ransomemail].scl, where [yourid] is your personal ID number and [ransomemail] is one of the following emails:

  • pchelp@post.com
  • xerx@usa.com

The CryptFile2 ransomware also encrypts backup and temporary files found on an infected computer's internal disk storage. If that happens, the Shadow Volume Copies are probably deleted from Windows as well.
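As an added triage example (not code from the article or from Proofpoint), the following Python script walks a directory tree and reports the two indicators described above: the HELP_YOUR_FILES ransom notes and file names matching the .id_[yourid]_[ransomemail].scl pattern, from which it extracts the victim ID and the contact address. It also flags a contact address that is not one of the two listed, which would suggest a newer variant. The sample tree, its file names and the victim ID 4F2A9C are constructed for the demo.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ransom notes dropped in every directory that holds encrypted files (from the article)
RANSOM_NOTES = {"HELP_YOUR_FILES.html", "HELP_YOUR_FILES.txt"}
# Contact addresses the article reports in the appended extension
KNOWN_EMAILS = {"pchelp@post.com", "xerx@usa.com"}
# <original name>.id_<victim id>_<contact email>.scl
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.id_(?P<victim_id>[A-Za-z0-9]+)_(?P<email>[^_]+)\.scl$")

def parse_encrypted_name(name):
    """Return (original_name, victim_id, email) or None if the name does not match."""
    m = ENCRYPTED_NAME.match(name)
    return m.group("original", "victim_id", "email") if m else None

def scan_tree(root):
    """Walk root and collect CryptFile2 indicators; the counts show the scope of damage."""
    s = {"notes": [], "encrypted": [], "victim_ids": Counter(), "emails": Counter(),
         "unknown_emails": set(), "affected_dirs": set()}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn in RANSOM_NOTES:
                s["notes"].append(os.path.join(dirpath, fn))
                s["affected_dirs"].add(dirpath)
                continue
            parsed = parse_encrypted_name(fn)
            if parsed is None:
                continue
            original, victim_id, email = parsed
            s["encrypted"].append((os.path.join(dirpath, fn), original))
            s["victim_ids"][victim_id] += 1
            s["emails"][email] += 1
            s["affected_dirs"].add(dirpath)
            if email not in KNOWN_EMAILS:  # unlisted address: possibly a newer variant
                s["unknown_emails"].add(email)
    return s

def demo():
    """Scan a constructed sample tree (empty files, invented victim ID 4F2A9C)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "photos").mkdir()
        for name in ("HELP_YOUR_FILES.txt", "HELP_YOUR_FILES.html", "readme.txt",
                     "budget.xlsx.id_4F2A9C_pchelp@post.com.scl",
                     "notes.odt.id_4F2A9C_pchelp@post.com.scl"):
            (root / "docs" / name).touch()
        (root / "photos" / "trip.raw.id_4F2A9C_xerx@usa.com.scl").touch()
        return scan_tree(root)
```

Run scan_tree against a real mount point to list which directories and original file names were hit; on a live system the "photos" directory with no note would still be reported because the renamed file alone is enough.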

Remove CryptFile2 Ransomware and Restore Encrypted Files

If your computer is infected by the CryptFile2 ransomware, you should have at least a little experience with removing malware. Remove the malware as soon as possible, since it may encrypt more files over the network you use, or files on external storage devices if you try to use a backup. So it is recommended that you first remove the ransomware and then follow the step-by-step instructions given below.

Manually delete CryptFile2 from your computer

Note! Important notice about the CryptFile2 threat: manual removal of CryptFile2 requires interfering with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove CryptFile2 files and objects.
2. Find malicious files created by CryptFile2 on your PC.
3. Fix registry entries created by CryptFile2 on your PC.

Automatically remove CryptFile2 by downloading an advanced anti-malware program

1. Remove CryptFile2 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by CryptFile2 in the future
3. Restore files encrypted by CryptFile2
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
