Remove Crysis Ransomware and Restore .CrySiS Encrypted Files

A new ransomware has emerged. Its name is Crysis, and it appends the extension .CrySiS to the files it encrypts. The RSA algorithm and AES ciphers are combined for the encryption process, and the ransom note is set as the desktop background picture. To remove this ransomware and see how you can try to restore your files, read the article carefully.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encrypted by the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found at the link below:
Decrypt Files Encrypted by Shade Ransomware

Threat Summary

Name: Crysis Ransomware
Type: Ransomware
Short Description: The ransomware encrypts files with the RSA algorithm and AES-128 ciphers and asks a ransom for decryption.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file.
Distribution Method: Spam emails, email attachments, file sharing networks.
Detection Tool: See if your system has been affected by Crysis Ransomware (download a malware removal tool).
User Experience: Join our forum to discuss Crysis Ransomware.
Data Recovery Tool: Stellar Phoenix Data Recovery Technician's License. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.


Crysis Ransomware – Delivery

Crysis ransomware can be delivered in several ways. One is through spam emails with a malicious file attached. If the attachment is opened, it drops the malware on your computer. Malicious code could also be hidden in the body of the email, which means you can get infected just by opening such an email, even if you never touch the attachment.

Other ways this ransomware gets delivered are through social networks and file sharing services, which could host malicious attachments or files carrying the Crysis ransomware payload. Such files could be presented to you as something useful or necessary, such as an important update. Browsing unknown websites and clicking on redirect links can also lead to an infection with this malware.

Crysis Ransomware – Technical Information

Crysis is classified by researchers as crypto-ransomware. When a computer is infected, the ransomware drops an executable file and may create new Windows Registry values as a persistence measure.

The executable may have a different, randomly generated name, but it has repeatedly been detected in the following directory with the name written below:

%LOCALAPPDATA%\_Skanda.exe

The modifications in the Windows Registry are generally made in these keys:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

and

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

Entries in these keys make the ransomware start automatically with each boot of the Windows operating system.

Next, the ransomware creates a file with a randomly generated name containing the ransom message. The instructions in it, describing how the ransom can be paid, are always the following:

Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key recover is impossible! To get the decoder and the original key, you need to to write us at the email:[email protected] with subject “encryption” stating your id.
Write in the case, do not waste your and our time on empty threats.
Responses to letters only appropriate people are not adequate ignore.

P.S. only in case you do not receive a response from the first email address within 48 hours please use this alternative email [email protected]

The file is a picture which is set as your desktop background after the encryption process is complete.

Two different email addresses are provided for contacting the developers of the Crysis ransomware. One is registered on a domain in the Czech Republic and the other on a domain in India, but the origin of the ransomware is unknown. The cyber-criminals state in their ransom note that you should write to them if you want your files decrypted.

Contacting the ransomware creators with the intention of paying the ransom is NOT advised. There is no guarantee that your files will be unlocked and restored. Paying the ransomware makers also amounts to supporting their actions and encourages them to build an even tougher variant of the malware.

The Crysis ransomware searches for various types of files to encrypt. Files with the following extensions could be encrypted:

→.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps

After the encryption is complete, encrypted files carry the .CrySiS extension. The encryption method is suspected to be AES ciphers combined with the RSA algorithm, as in many other ransomware families, because that combination is considered unbreakable without the key.

The Crysis ransomware is known to encrypt the following file locations:

  • %UserProfile%\Local Settings\Application Data
  • %localappdata%
  • %WINDIR%\System32
  • %TEMP%
  • %userprofile%\downloads
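As an added triage script (not the article's own, and not tested against any Crysis sample), the following PowerShell checks the persistence keys named above, counts .CrySiS files in the listed directories, and reports whether any Volume Shadow Copies remain. It assumes a standard Windows installation where the Winlogon Shell value is normally explorer.exe, and should be run from an elevated PowerShell.

```powershell
# Added triage script (not from the article). Run in an elevated PowerShell.

# 1. The Winlogon Shell value should normally be just "explorer.exe".
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    Write-Warning "Winlogon Shell has been altered: $shell"
} else {
    Write-Output "Winlogon Shell looks normal: $shell"
}

# 2. Run-key entries that launch something from %LOCALAPPDATA% (where the
#    article reports _Skanda.exe) deserve a closer look.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        $cmd = [string]$p.Value
        if ($cmd -match '_Skanda\.exe' -or
            $cmd -match [regex]::Escape($env:LOCALAPPDATA) -or
            $cmd -match '%LOCALAPPDATA%') {
            Write-Warning "Suspicious Run entry in $key : $($p.Name) = $cmd"
        }
    }
}

# 3. Count .CrySiS files in the directories the article says get encrypted.
$dirs = @("$env:USERPROFILE\Local Settings\Application Data", $env:LOCALAPPDATA,
          "$env:WINDIR\System32", $env:TEMP, "$env:USERPROFILE\Downloads")
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    $hits = Get-ChildItem -Path $d -Recurse -Filter '*.CrySiS' -File -ErrorAction SilentlyContinue
    if ($hits) { Write-Warning ("{0} .CrySiS file(s) under {1}" -f $hits.Count, $d) }
}

# 4. Shadow copies: if none are listed, restoring via VSS is no longer an option.
$shadows = vssadmin list shadows 2>$null
if ($shadows -match 'No items found') {
    Write-Warning 'No Volume Shadow Copies remain on this system.'
} else {
    Write-Output 'Shadow copies are present; run "vssadmin list shadows" for details.'
}
```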

For the moment, it is unknown whether Shadow Volume Copies are deleted from the Windows OS, but that is probably the case. After removing the ransomware, you should see the fourth part of the instructions provided bel

There are many variants of the CrySiS ransomware, and most of them act on the same principle:

Remove Crysis Ransomware and Restore .Crysis Encrypted Files

If you were infected by the Crysis ransomware, you should have some experience in removing malware before attempting the steps below. The ransomware can lock your files irreparably, so it is strongly recommended that you act quickly and follow the step-by-step instructions written below.

Manually delete Crysis Ransomware from your computer

Note! Important notice about the Crysis Ransomware threat: manual removal of Crysis Ransomware requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Crysis Ransomware files and objects
2. Find malicious files created by Crysis Ransomware on your PC

Automatically remove Crysis Ransomware by downloading an advanced anti-malware program

1. Remove Crysis Ransomware with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Crysis Ransomware
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.


  • Dominick Turnbull

    I can confirm that it does delete the VSS files.

    • Hello Dominick,

      It doesn’t surprise us that Crysis ransomware deletes Shadow Volume Copies, as most recent crypto viruses do so. Thanks for confirming.

      However, can you provide us with more information? Have you been infected by Crysis? If that’s the case, what have you done so far?

      Keep in touch!

  • PsyBoot Boot

    Yeap, it deletes the VSS files… I have been infected in my VM; I have a backup of the VM, so no problems, but I don't know how they infected me. I have some pictures if you guys want =)
