Remove CryptXXX Ransomware and Restore .crypt Encrypted Files

New Update! Malware researchers from Kaspersky have updated their Rannoh Decryptor utility with decryption for the CryptXXX 3.0 ransomware family. Files encrypted by this variant should now be fully decryptable with that software. Its download page and instructions are at: Kaspersky’s Rannoh Decryptor page.

[Image: CryptXXX ransom instructions set as the desktop wallpaper]

Proofpoint researchers have discovered a ransomware dubbed CryptXXX. The ransomware is believed to be created by the same group of people who made the Reveton ransomware in the past. The Angler Exploit Kit and Bedep are used to distribute the ransomware.

Update! Kaspersky has officially announced that they have decrypted CryptXXX. They also found that the ransomware deliberately delays the encryption of external storage; the delay is meant to confuse victims about when the infection happened and to make it harder to identify the websites spreading it. CryptXXX uses RSA 4096-bit encryption, but Kaspersky has managed to defeat it and has built the decryption into their Rannoh Decryptor.

Threat Summary

Name: CryptXXX
Type: Ransomware
Short Description: The ransomware encrypts your files, appends the .crypt extension to them and asks a ransom of $500 for decryption.
Symptoms: Your files on all storage drives get encrypted. Files containing messages with payment instructions are created.
Distribution Method: Spam emails, exploit kits
Detection Tool: See If Your System Has Been Affected by CryptXXX
User Experience: Join Our Forum to Discuss CryptXXX.

CryptXXX Ransomware – Distribution

CryptXXX ransomware can be distributed in a few ways. One of them is spam e-mail carrying a malicious file as an attachment; opening the attachment can drop the malware onto your machine. Social networks and file-sharing services may also serve as a distribution medium.

The CryptXXX ransomware is currently being distributed with the help of the Bedep Trojan, which gets onto your PC through the Angler Exploit Kit. Merely visiting a compromised website or clicking on a suspicious link can be enough for Angler EK or Bedep to inject this malware into your computer system.

CryptXXX Ransomware – Detailed Look

The CryptXXX malware is a new ransomware. It encrypts all of your files found across all connected devices and storage drives: USB sticks, hard disks, SSDs and every partition with a drive letter from A to Z. It then demands a certain amount of money as ransom.

Proofpoint researchers believe the ransomware to be from the creators of the Reveton ransomware.

Both ransomware families share many common traits: the Delphi programming language, a custom Command and Control protocol on TCP port 443, and a delayed start, especially when the malware detects it is running on a virtual machine. Further shared traits are a .DLL with a custom entry function, a .dat file placed in the %AllUsersProfile% directory and, last but not least, credential- and Bitcoin-stealing capabilities.

Entries in the following registry keys might be created:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

and

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

These entries are created so that the ransomware loads with each and every restart of the operating system.

The Windows Registry might also be modified so that a .DLL file belonging to the ransomware runs at logon. The following registry entry could be made:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

According to the researchers at Proofpoint, the Bedep Trojan drops the ransomware as separate .DLL files under randomly named GUID folders in the user's Temp directory:

  • C:\Users\%Username%\AppData\Local\Temp\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll
  • C:\Users\%Username%\AppData\Local\Temp\{D075E5D0-4442-4108-850E-3AD2874B270C}\api-ms-win-system-provsvc-l1-1-0.dll
  • C:\Users\%Username%\AppData\Local\Temp\{D4A2C643-5399-4F4F-B9BF-ECB1A25644A6}\api-ms-win-system-wer-l1-1-0.dll
  • C:\Users\%Username%\AppData\Local\Temp\{FD68402A-8F8F-4B3D-9808-174323767296}\api-ms-win-system-advpack-l1-1-0.dll

After that, CryptXXX encrypts your files regardless of their content. It searches for files with more than 100 different extensions, some of which are the following:

→ .aes, .ARC, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .class, .cmd, .cpp, .crt, .csr, .CSV, .dbf, .dch, .dcu, .dif, .dip, .djv, .djvu, .doc, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .eml, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .ldf, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .MYD, .MYI, .NEF, .obj, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .PAQ, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .qcow2, .rar, .raw, .RTF, .sch, .sldx, .slk, .sql, .SQLITE3, .SQLITEDB, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar.bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wks, .wma, .wmv, .xlc, .xlm, .xls, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip

Each encrypted file gets the additional extension .crypt appended to its name.

In addition, the ransomware also tries to steal Bitcoins from infected users, as well as passwords and other important credentials.

[Image: CryptXXX payment site with ransom instructions]

Above and below you can see examples of what the instructions on how to pay the ransom look like. These are the files that display them:

  • de_crypt_readme.bmp
  • de_crypt_readme.txt
  • de_crypt_readme.html
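The dropped-file paths, the registry persistence locations and the ransom-note and .crypt indicators listed above are exactly the artifacts a responder checks for when triaging a suspected infection. The following is an added example for this article, not code from SensorsTechForum, Proofpoint or Kaspersky: a small offline triage routine that matches a host file listing and a flat registry snapshot against those indicators. The file listing and registry snapshot are constructed sample data; the value name "SoftPub", the user name "alice" and the rundll32 command lines in the sample are assumptions for illustration, not values from the page. The GUIDs and DLL names are the ones listed in the article.

```python
"""Offline indicator triage for a host suspected of CryptXXX infection.

Added example for this article, not code from SensorsTechForum, Proofpoint
or Kaspersky. It matches a file listing and a flat registry snapshot against
the indicators the article gives: the .crypt extension, de_crypt_readme.*
ransom notes, the %Temp%\\{GUID}\\api-ms-win-system-*-l1-1-0.dll drop path,
and persistence through Winlogon\\Shell and the Run keys. The sample data at
the bottom is constructed; value names and command lines are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, Mapping

# Indicators named in the article.
RANSOM_NOTES = {"de_crypt_readme.bmp", "de_crypt_readme.txt", "de_crypt_readme.html"}
ENCRYPTED_EXT = ".crypt"
# Dropped DLLs: ...\AppData\Local\Temp\{GUID}\api-ms-win-system-<name>-l1-1-0.dll
DROPPED_DLL = re.compile(
    r"\\AppData\\Local\\Temp\\\{[0-9A-F-]{36}\}\\api-ms-win-system-[a-z0-9]+-l1-1-0\.dll",
    re.IGNORECASE,
)
WINLOGON_SHELL = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)


@dataclass
class Findings:
    ransom_notes: list = field(default_factory=list)
    encrypted_files: list = field(default_factory=list)
    dropped_dlls: list = field(default_factory=list)
    persistence: list = field(default_factory=list)

    def is_suspicious(self) -> bool:
        return any((self.ransom_notes, self.encrypted_files,
                    self.dropped_dlls, self.persistence))


def triage(files: Iterable[str], registry: Mapping[str, str]) -> Findings:
    """Match a file listing and a 'Key\\ValueName' -> data registry snapshot
    against the CryptXXX indicators defined above."""
    found = Findings()
    for path in files:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in RANSOM_NOTES:
            found.ransom_notes.append(path)
        elif name.endswith(ENCRYPTED_EXT):
            found.encrypted_files.append(path)
        elif DROPPED_DLL.search(path):
            found.dropped_dlls.append(path)

    # Winlogon\Shell is plain "explorer.exe" on a healthy workstation; anything
    # appended to it is an extra logon-time loader and worth a look.
    shell = registry.get(WINLOGON_SHELL)
    if shell is not None and shell.strip().lower() != "explorer.exe":
        found.persistence.append(f"{WINLOGON_SHELL} = {shell}")

    # Run values that launch something from %Temp% or that match the drop path.
    run_prefixes = tuple(k.lower() + "\\" for k in RUN_KEYS)
    for key, data in registry.items():
        if key.lower().startswith(run_prefixes) and (
            DROPPED_DLL.search(data) or "\\appdata\\local\\temp\\" in data.lower()
        ):
            found.persistence.append(f"{key} = {data}")
    return found


# Constructed sample snapshot; GUIDs and DLL names are the ones the article lists,
# the user name, the "SoftPub" value name and the rundll32 lines are assumptions.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.crypt",
    r"C:\Users\alice\Pictures\holiday.jpg.crypt",
    r"C:\Users\alice\Documents\de_crypt_readme.txt",
    r"C:\Users\alice\AppData\Local\Temp\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll",
    r"C:\Users\alice\Documents\notes.txt",
]
SAMPLE_REGISTRY = {
    WINLOGON_SHELL: r"explorer.exe,rundll32.exe C:\Users\alice\AppData\Local\Temp\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll,Entry",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SoftPub": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\{D075E5D0-4442-4108-850E-3AD2874B270C}\api-ms-win-system-provsvc-l1-1-0.dll,Entry",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

if __name__ == "__main__":
    result = triage(SAMPLE_FILES, SAMPLE_REGISTRY)
    for label, items in vars(result).items():
        print(f"{label}: {len(items)}")
        for item in items:
            print("   ", item)
```

On a real host the two inputs would come from a directory walk and a registry export taken from the machine booted into Safe Mode, as the removal steps below describe; keeping the matching logic separate from the collection makes it easy to run against an offline image too. The Winlogon\Shell check flags any value other than a bare explorer.exe rather than looking for a CryptXXX-specific string, so it also catches the next variant that changes its file names.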

[Image: CryptXXX ransom instructions set as the desktop wallpaper]

Images source: Proofpoint.com

You are asked to pay around 1.2 Bitcoins or 500 US dollars within a five-day time frame. If you do not pay, the amount which is asked as payment will increase.

Reaching out to the ransomware creators and paying the ransom is strongly NOT advised. No one can guarantee that your files will be restored. Paying the ransom not only helps the cyber criminals, it may also motivate them to create another variant of the malware.

With the help of Frank Ruiz, Proofpoint researchers have arrived at the conclusion that the ransomware is very tightly connected to the Angler EK and Dridex Botnet.

That can only mean that this ransomware could spread and attack on a massive scale. If you notice strange activity on your computer, shut it down; you might stop a running ransomware before it encrypts all of your data. In this forum topic you can find some useful tips about ransomware.

Remove CryptXXX Ransomware and Restore .crypt Encrypted Files

If CryptXXX ransomware has infected your computer, you should be swift in removing it, as it will try to encrypt files on every storage device connected to your PC. Removing this ransomware by hand requires at least a little experience with malware removal. See the instructions below for how you can try to restore your files.

Manually delete CryptXXX from your computer

Note! Important notice about the CryptXXX threat: manual removal of CryptXXX requires working with system files and the registry, so it can damage your PC if done incorrectly. Even if your computer skills are not at a professional level, don’t worry; you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove CryptXXX files and objects.
2. Find malicious files created by CryptXXX on your PC.
3. Fix registry entries created by CryptXXX on your PC.

Automatically remove CryptXXX by downloading an advanced anti-malware program

1. Remove CryptXXX with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by CryptXXX in the future
3. Restore files encrypted by CryptXXX
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.


  • Gergana Ivanova

    After the removal process .crypt files can be restored with RannohDecryptor. This video guide can help you with the decryption process: https://www.youtube.com/watch?v=PhlBFjQM6E4

  • Josué David

    Hi Gergana,

    I have a problem with the new variant; all my documents are encrypted with *.cript.
    I tried all Kaspersky tools, but none works with this variant.
    Please help me to recover my files.

    • Gergana Ivanova

      Hi, Josué!

      Since version CryptXXX 3.0, .crypt files cannot be restored by RannohDecryptor. The crooks are determined to outsmart the “white hats”, so this ransomware has evolved through three versions. The result of this game of outwitting is that even the cybercriminals can’t provide a working decryptor for this malware.

      I advise you not to reformat your drive until you try everything to get your files back.

      You can try to restore some of your files utilizing:

      – Shadow Explorer – you can find a download link above in this article. Choose “Step 3” from the automatic removal guide.

      – Data recovery software

      – Network Sniffer – if you haven’t deleted the ransomware, see what you can do using Network Sniffer: http://sensorstechforum.com/use-wireshark-decrypt-ransomware-files/

      And hopefully, an active decryption tool will be available soon.

      Write us if you have success and also if you need further help.
