Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove CryptoSweetTooth Ransomware and Restore .locked Files

This article will help you remove the CryptoSweetTooth ransomware fully. Follow the ransomware removal instructions given at the end of the article.

CryptoSweetTooth ransomware is a cryptovirus that is a variant of HiddenTear. One of the payload files is called BitCoin.exe and the extension it places to all files after encryption is .locked. When your files become encrypted, the CryptoSweetTooth virus shows a ransom note with instructions for payment written in Spanish. Read on and see what ways you could try out to potentially restore some of your data.

Threat Summary

Name CryptoSweetTooth
Type Ransomware
Short Description The ransomware encrypts files on your computer and after that it displays a ransom note.
Symptoms The ransomware will encrypt your files and put the .locked extension on them.
Distribution Method Spam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by CryptoSweetTooth

Download

Malware Removal Tool

User Experience Join Our Forum to Discuss CryptoSweetTooth.
Data Recovery Tool Data Recovery Pro by ParetoLogic Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

CryptoSweetTooth Ransomware – Delivery Tactics

CryptoSweetTooth ransomware could be delivered by using different tactics. The dropper for the payload file which initiates the malicious script of the ransomware is found on the Web by the name BitCoin.exe, although it is renamed to hide its true nature in most cases. You can see the analysis of that executable file from the screenshot of the VirusTotal website, right here:

CryptoSweetTooth ransomware could also be using the tactic to deliver the payload file dropper via social media and file-sharing websites. Freeware applications found on the Internet could be promoted as useful but also could hide the malicious files of this virus. Don’t immediately open files after you have downloaded them, especially if they come from dubious sources, such as links and emails. You should first scan them with a security tool and check the size and signatures of all files for anything suspicious. You should read the ransomware prevention tips thread in the forum.

CryptoSweetTooth Ransomware – Technical Analysis

CryptoSweetTooth ransomware is a cryptovirus, that is a variant of the open-source ransomware project HiddenTear, according to malware researchers. When the CryptoSweetTooth ransomware encrypts your files, it will append the extension .locked to them as an extension on each encrypted file.

CryptoSweetTooth ransomware might make entries in the Windows Registry to achieve perseverance. These registry entries are typically designed in a way that will start the virus automatically with each launch of the Windows Operating System.

The ransom note appears right after the encryption process is done – two files are created:

  • IMPORTANTE_LEER.html
  • RECUPERAR_ARCHIVOS.html

The note reveals what the demands of the cybercriminals are for decrypting your files. You can check out the ransom note from the screenshot found here:

That ransom note reads the following:

SUS ARCHIVOS PERSONALES HAN SIDO CIFRADOS POR Crypto-SweetTooth
Sus fotos, videos, documentos y base de datos han sido cifrados por un poderoso algoritmo utilizando una clave única generada por esta computadora.
¿Cómo recuperar los archivos?
Para recuperar sus archivos cifrados y recibir instrucciones de seguridad para que esto no le vuelva a ocurrir, usted deberá realizar un pago de 0.5BTC y enviarlos a la siguiente dirección: ILLEoST***
Una vez realizado el pago usted deberá enviar un correo electrónico a con la dirección bitcoin que usted uso para enviar los fondos. Una vez verificado y confirmado se le responderá con el programa y contraseña para desencriptar los archivos.
¿Cómo comprar Bitcoins?
Si usted se encuentra en Argentina podrá comprar Bitcoins en las siguientes empresas:
• Ripio.com
• Satoshitango
• ArgenBTC
• saldo.com.ar
• mercadolibre.com.ar
luego de haber realizado la compra desde cualquiera de las paginas mencionadas arriba, debera mandar los mismos a la direccion Bitcoin especificada al principio, marcada en color ROJO.

The developers of the CryptoSweetTooth virus have put their demands in the note given above. However, you should NOT follow those demands, nor contact the cyber criminals under any circumstances. If you proceed and pay them, no guarantee exists that you will recover your files. Furthermore, providing money to those crooks will just support them financially and is likely to inspire them to do more criminal activities.

For the moment, there is no list of file extensions that the CryptoSweetTooth ransomware searches to encrypt. The encryption algorithm which is used is believed to be AES and malware researchers say that the ransomware is a variant of the HiddenTear open-source project. Encrypted files will receive the .locked extension appended to them. Some of the following extensions are possible to get encrypted:

→.doc, .docx, .pdf, .db, .jpg, .png, .ppt, .pptx, .txt, .xls, .xlsx, .mp3, .flv, .avi

The CryptoSweetTooth cryptovirus might delete the Shadow Volume Copies from the Windows operating system by using the following command in CommandPrompt:

→vssadmin.exe delete shadows /all /Quiet

Read on further and find out what methods you can try out to potentially restore some of your files.

Remove CryptoSweetTooth Ransomware and Restore .locked Files

If your computer got infected with the CryptoSweetTooth ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Manually delete CryptoSweetTooth from your computer

Note! Substantial notification about the CryptoSweetTooth threat: Manual removal of CryptoSweetTooth requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove CryptoSweetTooth files and objects
2.Find malicious files created by CryptoSweetTooth on your PC

Automatically remove CryptoSweetTooth by downloading an advanced anti-malware program

1. Remove CryptoSweetTooth with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by CryptoSweetTooth
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.