A new ransomware infection, going by the name CrystalCrypt, has been reported by malware researcher Michael Gillespie. The virus encrypts the files on the computers it infects and then appends the .BLOCKED file suffix to them. Only then does the .BLOCKED files virus begin to extort its victims, dropping a ransom note which demands a payment of 0.17 Bitcoin to get the cyber-criminals to decrypt the files so they become usable again. If your computer has been infected with the CrystalCrypt .BLOCKED ransomware virus, we advise you to read the following article and learn how to remove this ransomware and how to restore files encrypted with the added .BLOCKED file extension.
| Short Description | Aims to encrypt the files on compromised computers, asking victims to pay around 0.17 Bitcoin in order to get the files to open again. |
| Symptoms | Files on the infected computer are encrypted and carry the added .BLOCKED file extension. |
| Distribution Method | Spam Emails, Email Attachments |
.BLOCKED Files Virus – How Does It Infect
In order to infect victims, the .BLOCKED files virus may be spread via either active methods or passive ones. If spread by passive methods, the virus may be uploaded as a fake executable file, pretending to be a legitimate one. The sites on which it may be uploaded may be of low reputation and may even be Torrent tracker websites. The malicious files may pretend to be legitimate:
- Software activators.
- Cracks for software or games.
In addition to simply waiting for you to download its infection file to your computer, the cyber-criminals behind the .BLOCKED files virus may also send you the infection file via e-mail. To trick inexperienced victims into opening the file, they may pretend that it is an important document, such as:
- An Invoice.
- Order receipt.
- Some kind of important banking document.
Cyber-crooks often disguise these e-mails as legitimate messages: they pretend that the mail comes from large companies such as PayPal, eBay, Amazon or other big names, and even imitate their logos and support e-mail addresses so that the message appears to come from the original source.
CrystalCrypt .BLOCKED Files Virus – More Information
CrystalCrypt ransomware is a type of malware that makes various modifications to the files on infected computers. The virus begins its malicious activity by dropping its payload files on the victim's computer. The payload of CrystalCrypt may reside in the following Windows folders:
After dropping its files, the CrystalCrypt ransomware virus may create mutexes, touch files and create scheduled tasks on the infected computer, so that the malicious file(s) of its payload run automatically. The virus may also modify the Windows Registry, most importantly by creating entries in the Run and RunOnce sub-keys, which are responsible for running the ransom note file or the malicious file of the .BLOCKED files virus automatically each time you log in to Windows. The registry sub-keys in which those malicious entries may reside have the following locations:
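As an added example (not part of the original article, and not a list of CrystalCrypt's own indicators), the Python script below reads the standard Run and RunOnce keys described above and flags autostart values that deserve a manual look. The two heuristics, the `SAMPLE` entries and every value name and path in them are assumptions made for illustration.

```python
import re

# Standard Windows autostart keys, read under both HKLM and HKCU.
RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce")
# Assumed triage heuristics (not indicators from the article): a command that
# starts from a user-writable folder, or that opens a document, not a program.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|tmp|downloads)\\|%(appdata|localappdata|temp|tmp)%", re.I)
OPENS_DOCUMENT = re.compile(r'\.(txt|html?|hta)"?\s*$', re.I)

def read_run_entries():
    """Return [(key_path, value_name, command)] from the live registry (Windows only)."""
    import winreg  # lazy import: flag_entries() also works on exported data elsewhere
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    entries = []
    for hive_name, hive in hives:
        for sub in RUN_KEYS:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue  # key does not exist for this hive
            with key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                    name, data, _type = winreg.EnumValue(key, i)
                    entries.append((f"{hive_name}\\{sub}", name, str(data)))
    return entries

def flag_entries(entries):
    """Return [(key_path, value_name, command, reasons)] for entries to review by hand."""
    flagged = []
    for key_path, name, command in entries:
        reasons = []
        if USER_WRITABLE.search(command):
            reasons.append("starts from a user-writable folder")
        if OPENS_DOCUMENT.search(command):
            reasons.append("opens a document instead of a program")
        if reasons:
            flagged.append((key_path, name, command, reasons))
    return flagged

# Constructed sample entries (hypothetical value names and paths).
SAMPLE = [
    ("HKLM\\" + RUN_KEYS[0], "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("HKCU\\" + RUN_KEYS[0], "updater", r'"C:\Users\alice\AppData\Roaming\updater.exe" /s'),
    ("HKCU\\" + RUN_KEYS[1], "readme", r'notepad.exe "C:\Users\alice\Desktop\READ_ME.txt"'),
]
```

On a Windows host, call `flag_entries(read_run_entries())`; a flagged value is a prompt for manual review, not proof of infection.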
In addition to this, the .BLOCKED ransomware virus drops its ransom note on the victim’s computer. The note contains the following message:
All your private files were encrypted with an strong RSA 2048 and AES 256 algorithm. To decrypt your files you must pay 0.17.
.BLOCKED Files Virus – Encryption Procedure
To encrypt the files on the infected computer, the .BLOCKED files virus uses a pre-configured list of file types it aims to encrypt. At the same time, the virus is careful not to encrypt crucial drivers and system files, so that the infected computer remains usable. The files which CrystalCrypt may scan your computer for are likely the most commonly used file types, which usually have the following file extensions:
→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”
After encryption is complete, the .BLOCKED files virus may leave the encrypted files to appear like the following:
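To scope the damage before any clean-up, the following added example (not from the original article) inventories files carrying the .BLOCKED suffix, recovers each original name and extension, and samples byte entropy to separate files that were really encrypted from ones that were only renamed. The 7.5 bits-per-byte threshold and the 64 KiB sample size are assumptions.

```python
import math
import os
from collections import Counter

SUFFIX = ".blocked"  # suffix the article says is appended; compared case-insensitively

def entropy(data):
    """Shannon entropy in bits per byte; well-encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inventory(root, sample_bytes=65536, threshold=7.5):
    """Walk root and describe every file that carries the .BLOCKED suffix.

    threshold is an assumed cut-off: a file below it was probably renamed but
    not (fully) encrypted, or is too small for entropy to be meaningful.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            original = name[: -len(SUFFIX)]
            try:
                with open(path, "rb") as fh:
                    h = entropy(fh.read(sample_bytes))
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable or locked file: skip it
            found.append({"path": path, "original_name": original,
                          "original_ext": os.path.splitext(original)[1].lower(),
                          "entropy": round(h, 2), "likely_encrypted": h >= threshold,
                          "mtime": mtime})
    return found

def summarize(found):
    """Counts per original extension plus the modification-time window of the files."""
    times = [f["mtime"] for f in found]
    return {"total": len(found),
            "by_ext": dict(Counter(f["original_ext"] for f in found)),
            "first_mtime": min(times, default=None),
            "last_mtime": max(times, default=None)}
```

The modification-time window from `summarize()` gives a rough estimate of when encryption ran, which helps when choosing a backup or restore point that predates it.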
Remove .BLOCKED CrystalCrypt Ransomware and Restore Files
To remove this ransomware infection, follow the removal instructions at the bottom of this article. They are divided into manual and automatic removal instructions, depending on how much experience with malware removal you have. If you lack experience in removing viruses like CrystalCrypt manually, be advised that cybersecurity experts recommend scanning your computer with advanced anti-malware software, which will help you automatically erase all traces of CrystalCrypt ransomware from your computer and ensure future protection.
If you want to restore files that have been encrypted by this ransomware infection, we recommend that you follow the file recovery instructions underneath this article in step “2. Restore files encrypted by CrystalCrypt .BLOCKED”. They may not be 100% effective when it comes to decrypting your files, but their primary purpose is to help recover as many encrypted files as possible.