
Remove Cryptolocker V3 Ransomware and Restore .crypted Files

A new version of Cryptolocker, one of the earliest crypto-ransomware families, has surfaced. The malware drops several components, each with its own job, and adds a value to the Windows Registry so that its executable runs every time Windows starts. Version 3 can be recognised by the .crypted extension it appends to the affected user's files. Anyone who encounters it is advised not to follow the ransom payment instructions that Cryptolocker leaves behind after encrypting the data, and instead to try the removal and restoration methods described below.

Name: Cryptolocker V3
Type: Ransomware Trojan
Short Description: The Trojan creates a registry value for persistence, connects to remote hosts and encrypts user files of many formats, then demands a ransom to decrypt them.
Symptoms: The user is unable to open files, which now carry a .crypted extension.
Distribution Method: Malicious URLs or e-mail attachments.

Cryptolocker V3 – How Did I Get Infected

One way to become a victim of this threat is to open a malicious e-mail attachment or click a URL in a spam message. The criminals usually disguise these messages as mail from a reputable service. A few examples of subject lines such fraudulent messages may use:

  • “Your free Windows 10 Upgrade Is Here.”
  • “Get your free 100 songs from Itunes Now.”
  • “Your PayPal account has been suspended.”
  • “The files you requested.”
  • “You have won a free trip from our eBay lottery.”
  • “Free Amazon gift cards.”

Furthermore, the criminals hide the malicious payload by obfuscating or packing the executable with special software, or by placing it in a .zip, .rar or other archive so that the mail gateway does not block it. Users should be careful and always scan the files they download. Checking every link by hand is impractical, so it also helps to run a browser extension that blocks known-malicious links.

Cryptolocker V3 Ransomware – More About It

Symantec researchers have analysed this Trojan and established that, once run on a computer, it drops the following files:

In %UserProfile%\Application Data (the %AppData% folder):
Key.dat
Log.html
an .exe with a random name, for example 08210e209u18.exe

On the user’s desktop:
CryptoLocker.lnk
HELP_TO_DECRYPT_YOUR_FILES.bmp
HELP_TO_DECRYPT_YOUR_FILES.txt

The Trojan then creates the following registry value for persistence:

In the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, a value named "crypto13" with the data "%UserProfile%\Application Data\[the file with random characters].exe", so that the dropped executable is started at every logon of the affected user.


After this, Cryptolocker V3 begins encrypting user files. Symantec reports that it targets files with these extensions:

.7z .rar .m4a .wma .avi .wmv .csv .d3dbsp .sc2save .sie .sum .ibank .t13 .t12 .qdf .gdb .tax .pkpass .bc6 .bc7 .bkp .qic .bkf .sidn .sidd .mddata .itl .itdb .icxs .hvpl .hplg .hkdb .mdbackup .syncdb .gho .cas .svg .map .wmo .itm .sb .fos .mcgame .vdf .ztmp .sis .sid .ncf .menu .layout .dmp .blob .esm .001 .vtf .dazip .fpk .mlx .kf .iwd .vpk .tor .psk .rim .w3x .fsh .ntl .arch00 .lvl .snx .cfr .ff .vpp_pc .lrf .m2 .mcmeta .vfs0 .mpqge .kdb .db0 .DayZProfile .rofl .hkx .bar .upk .das .iwi .litemod .asset .forge .ltx .bsa .apk .re4 .sav .lbf .slm .bik .epk .rgss3a .pak .big .unity3d .wotreplay .xxx .desc .py .m3u .flv .js .css .rb .png .jpeg .txt .p7c .p7b .p12 .pfx .pem .crt .cer .der .x3f .srw .pef .ptx .r3d .rw2 .rwl .raw .raf .orf .nrw .mrwref .mef .erf .kdc .dcr .cr2 .crw .bay .sr2 .srf .arw .3fr .dng .jpe .jpg .cdr .indd .ai .eps .pdf .pdd .psd .dbfv .mdf .wb2 .rtf .wpd .dxg .xf .dwg .pst .accdb .mdb .pptm .pptx .ppt .xlk .xlsb .xlsm .xlsx .xls .wps .docm .docx .doc .odb .odc .odm .odp .ods .odt

After a file has been encrypted, the .crypted extension is appended to its name, for example:

Document1.docx.crypted

Furthermore, the Trojan may connect to these hosts. They are Tor2web gateways, which relay ordinary HTTPS requests to the Tor hidden service 7tno4hib47vlep5o.onion, so the malware reaches its operators without carrying a Tor client of its own:

  • 7tno4hib47vlep5o(.)tor2web(.)blutmagie(.)de
  • 7tno4hib47vlep5o(.)tor2web(.)fi
  • 7tno4hib47vlep5o(.)tor2web(.)org

Because any public Tor2web gateway would serve the same purpose, blocking or alerting on every *.tor2web.* name at the proxy or DNS resolver covers this sample and others that use the same trick.
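The artefacts above are enough for a quick host check. The following PowerShell script is an added example, not code from the article or from Symantec: it looks for the Run value, the dropped files, the desktop ransom notes, .crypted files and cached DNS lookups of the Tor2web gateways, and only reports what it finds. The extra rule that flags any Run value launching an .exe from the Application Data folder is an assumption about possible variants, not something the write-up states.

```powershell
# Added example (not from the article or from Symantec): read-only triage of a
# Windows host for the Cryptolocker V3 indicators listed above.
# Run from an elevated PowerShell prompt on the suspect machine. It reports; it deletes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the "crypto13" value under the per-user Run key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -eq 'crypto13') {
            $findings.Add("Run value crypto13 -> $($prop.Value)")
        }
        elseif ($prop.Value -is [string] -and $prop.Value -match '\\Application Data\\[^\\]+\.exe') {
            # Assumption: later samples may rename the value, so also flag any Run
            # entry that launches an .exe straight out of the user's Application Data folder.
            $findings.Add("Suspicious Run value $($prop.Name) -> $($prop.Value)")
        }
    }
}

# 2. Dropped files. On Vista and later "%UserProfile%\Application Data" is a junction
#    to %AppData% (AppData\Roaming), so that is where the files actually live.
$appData = $env:APPDATA
foreach ($name in 'Key.dat', 'Log.html') {
    $path = Join-Path $appData $name
    if (Test-Path -LiteralPath $path) { $findings.Add("Dropped file: $path") }
}
# The random-named executable sits directly in %AppData%; legitimate software rarely puts an .exe there.
Get-ChildItem -LiteralPath $appData -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Executable in %AppData%: $($_.FullName) ($($_.Length) bytes)") }

# 3. Ransom notes and the shortcut on the desktop.
$desktop = [Environment]::GetFolderPath('Desktop')
foreach ($name in 'CryptoLocker.lnk', 'HELP_TO_DECRYPT_YOUR_FILES.bmp', 'HELP_TO_DECRYPT_YOUR_FILES.txt') {
    $path = Join-Path $desktop $name
    if (Test-Path -LiteralPath $path) { $findings.Add("Ransom artefact: $path") }
}

# 4. Encrypted files: count *.crypted under the profile and recover the original
#    name of the first one by stripping the appended extension.
$crypted = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Filter '*.crypted' -File -Recurse -ErrorAction SilentlyContinue)
if ($crypted.Count -gt 0) {
    $original = $crypted[0].Name -replace '\.crypted$', ''
    $findings.Add("$($crypted.Count) .crypted files, e.g. $($crypted[0].FullName) (originally $original)")
}

# 5. Network: the Tor2web gateways in the local DNS client cache (Windows 8 / Server 2012 and later).
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -match '7tno4hib47vlep5o|\.tor2web\.' } |
        ForEach-Object { $findings.Add("DNS cache: $($_.Entry) -> $($_.Data)") }
}

if ($findings.Count -gt 0) {
    Write-Output 'Cryptolocker V3 indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No Cryptolocker V3 indicators found on this host.'
}
```

The DNS cache check only sees lookups that are still cached, so an empty result there does not clear the host; the registry value and the files in %AppData% are the durable indicators.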

Cryptolocker V3 also replaces the desktop wallpaper of the affected machine:

[Image: desktop wallpaper set by Cryptolocker V3. Source: Symantec Security Response]

It also displays a message box with detailed instructions on how to pay the ransom and restore the files.

[Image: the Cryptolocker V3 ransom message box. Source: Symantec Security Response]

Remove Cryptolocker V3 Completely

To remove this threat from your computer, treat it as you would any other Trojan horse. The difference is that your files have already been affected. Before attempting any removal, disconnect the machine from the network and copy the encrypted data to an external drive. Keep a copy of the dropped files (Key.dat, Log.html and the random-named .exe) and of the ransom notes as well, rather than simply deleting them: an analyst, or a decryptor released later, may need them.

One way to remove the threat is to follow these removal steps:

1. Boot Your PC In Safe Mode to isolate and remove Cryptolocker V3
2. Remove Cryptolocker V3 with SpyHunter Anti-Malware Tool
3. Remove Cryptolocker V3 with Malwarebytes Anti-Malware
4. Remove Cryptolocker V3 with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryptions by Cryptolocker V3 in the future

Restore .crypted Files

Cryptolocker V3 claims to use RSA-2048. If that claim is true, the encrypted files cannot be decrypted without the criminals' private key, so recovery depends on finding copies of the files that were never encrypted. Try each of the following methods and tools:

Your first bet is to check for Volume Shadow Copies in Windows, which can be browsed with this software:

Shadow Explorer
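Shadow Explorer is a convenient front end, but the same thing can be done from PowerShell, which is useful on a machine where you would rather not install anything. The script below is an added example, not part of the article: it lists the snapshots, then exposes one through a directory symbolic link and copies a single file out of it. The user name and file paths in the usage section are assumptions. Many ransomware families delete shadow copies before encrypting, so an empty list is a common outcome; it is still the cheapest check to make first.

```powershell
# Added example (not from the article): list Volume Shadow Copies and pull the
# pre-encryption version of a file out of one, without a third-party tool.
# Run from an elevated prompt. The paths in the usage section at the bottom are assumptions.

# 1. Enumerate snapshots, oldest first. An empty list means this route is closed.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)
if ($shadows.Count -eq 0) {
    Write-Output 'No shadow copies present; try backups or file-recovery software instead.'
}
$shadows | ForEach-Object {
    Write-Output ('{0}  volume {1}  {2}' -f $_.InstallDate, $_.VolumeName, $_.DeviceObject)
}

# 2. Copy one file out of a chosen snapshot.
function Restore-FromShadow {
    param(
        [Parameter(Mandatory)] $Snapshot,                 # one Win32_ShadowCopy instance from $shadows
        [Parameter(Mandatory)] [string] $OriginalPath,    # path of the file as it was before encryption
        [Parameter(Mandatory)] [string] $Destination      # where to write the recovered copy (not the infected volume)
    )
    # Expose the snapshot as a directory symbolic link. mklink /d needs the device
    # path with a trailing backslash, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
    $mount = Join-Path $env:TEMP ('shadow_' + $Snapshot.ID.Trim('{}'))
    cmd /c mklink /d "$mount" "$($Snapshot.DeviceObject)\" | Out-Null
    try {
        # C:\Users\alice\Documents\x.docx -> <mount>\Users\alice\Documents\x.docx
        # (the snapshot must belong to the same volume as the file; compare VolumeName in the list above)
        $relative = $OriginalPath -replace '^[A-Za-z]:\\', ''
        $source = Join-Path $mount $relative
        if (-not (Test-Path -LiteralPath $source)) {
            throw "Not present in this snapshot: $OriginalPath"
        }
        New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Destination) | Out-Null
        Copy-Item -LiteralPath $source -Destination $Destination -Force
        Get-Item -LiteralPath $Destination
    }
    finally {
        # rmdir on a directory symlink removes the link only; the snapshot itself is untouched.
        cmd /c rmdir "$mount" | Out-Null
    }
}

# Usage (assumed paths): take the newest snapshot and recover one document. Compare the
# InstallDate column above with the time the .crypted files appeared; a snapshot taken
# after the infection holds the encrypted copy, not the original.
if ($shadows.Count -gt 0) {
    $latest = $shadows[-1]
    Restore-FromShadow -Snapshot $latest `
        -OriginalPath 'C:\Users\alice\Documents\Document1.docx' `
        -Destination 'D:\recovered\Document1.docx'
}
```

Write recovered files to a different drive so that nothing is copied back onto the infected volume until it has been cleaned.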

If this method does not work, Kaspersky has published the RectorDecryptor tool. Note that it was written for the Trojan-Ransom.Win32.Rector family rather than for RSA in general, and no tool can recover files encrypted under a correctly implemented RSA-2048 scheme without the private key, so treat it as a long shot:
Kaspersky RectorDecryptor

The other method is to try file-recovery software, which can bring back the original files only if the malware deleted them rather than overwriting them in place, and the freed disk space has not yet been reused. Here are some examples of data recovery programs:

For further information you may check the following articles:
Remove RSA-2048 Key From Crypto Ransomware
Restore Files Encrypted via RSA Encryption

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
