.BLOCKED Files Virus (CrystalCrypt) - How to Remove and Restore Files


This article explains what the .BLOCKED files virus is, how to remove it from your computer, and how to restore files it has encrypted with the .BLOCKED extension.

A new ransomware infection going by the name CrystalCrypt has been reported by malware researcher Michael Gillespie. The virus encrypts the files on the computers it infects and then adds the .BLOCKED file suffix to them. Only after doing so does the .BLOCKED files virus begin to extort its victims, dropping a ransom note that demands 0.17 BitCoins for the cyber-criminals to decrypt the files so they become usable again. If your computer has been infected with the CrystalCrypt .BLOCKED ransomware virus, we advise you to read the following article and learn how to remove this ransomware and how to restore files encrypted with the added .BLOCKED file extension.

Threat Summary

Name: CrystalCrypt .BLOCKED
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on the compromised computers, asking victims to pay around 0.17 BitCoins in order to get the files to open again.
Symptoms: Files on the infected computer are encrypted with added .BLOCKED file extension.
Distribution Method: Spam Emails, Email Attachments
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.BLOCKED Files Virus – How Does It Infect

To infect victims, the .BLOCKED files virus may be spread via either active or passive methods. If spread by passive methods, the virus may be uploaded as a fake executable file pretending to be a legitimate one. The sites it is uploaded to may be of low reputation and may even be Torrent tracker websites. The malicious files may pretend to be legitimate:

  • Drivers.
  • Software activators.
  • Cracks for software or games.
  • Patches.

In addition to simply waiting for you to download its infection file on your computer, the cyber-criminals behind the .BLOCKED files virus may also send you the infection file via e-mail. To best trick inexperienced victims into opening the file, they may pretend that it is an important document, such as:

  • An Invoice.
  • Order receipt.
  • Some kind of important banking document.

Cyber-crooks often disguise these e-mails as legitimate messages, pretending they come from large companies such as PayPal, eBay, Amazon or other big names, and even imitate their logos and support e-mail addresses so the messages appear to come from the original source.

CrystalCrypt .BLOCKED Files Virus – More Information

CrystalCrypt ransomware is a type of malware that aims to perform various modifications on the files of infected computers. The virus begins its malicious activity by dropping its payload files on victims' computers. The payload of CrystalCrypt may reside in the following Windows folders:

  • %AppData%
  • %Local%
  • %Roaming%
  • %LocalLow%
  • %Temp%
  • %Windows%

After dropping its files, the CrystalCrypt ransomware virus may create mutexes, touch files and create scheduled tasks on the infected computer, so that the malicious file(s) of its payload run automatically. The virus may also modify the Windows Registry, most importantly by creating entries in the Run and RunOnce Windows sub-keys, which are responsible for running the ransom note file or the malicious file of the .BLOCKED files virus automatically each time you log in to Windows. The registry sub-keys in which those malicious entries may reside have the following locations:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
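A triage sketch for the persistence described above, added here as an example and not taken from the article or from any CrystalCrypt analysis: it parses saved `reg query` output for the Run key and lists autorun values whose executable sits in the per-user and temp folders named in the payload list. The sample output, the environment mapping and all function names are constructed for illustration.

```python
import ntpath
import re

# Per-user and temp folders from the article's payload list. %Windows% is left
# out on purpose: legitimate autoruns live there, so review those by hand.
SUSPECT_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                "\\appdata\\locallow\\", "\\temp\\")
# A value line of `reg query` output: name, type and data, 4-space separated.
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|vbs|js))(?:\s|$)", re.I)


def expand(data, env):
    """Expand %VAR% references from a mapping with lower-case keys."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), data)


def image_path(command):
    """Return the executable part of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):           # quoted path, arguments follow
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)             # unquoted: cut at the extension
    return m.group(1) if m else command.split(" ", 1)[0]


def audit_run_key(reg_output, env):
    """Return (value name, image path) for autoruns in the suspect folders."""
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m or m.group(2) not in ("REG_SZ", "REG_EXPAND_SZ"):
            continue
        # normpath collapses ".." so a traversal cannot hide the real folder.
        path = ntpath.normpath(image_path(expand(m.group(3), env)))
        if any(d in path.lower() for d in SUSPECT_DIRS):
            hits.append((m.group(1), path))
    return hits


# Constructed sample of `reg query` output and environment, not from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    "C:\Users\alice\AppData\Roaming\upd\svc.exe" /s
    ReadMe    REG_SZ    %TEMP%\note.exe -show
"""
ENV = {"windir": r"C:\Windows", "temp": r"C:\Users\alice\AppData\Local\Temp"}
```

Hits are leads for manual review rather than verdicts, since legitimate software also starts from AppData. Output saved from the RunOnce sub-key the text mentions can be passed through the same function.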

In addition to this, the .BLOCKED ransomware virus aims to drop its ransom note on the victim’s computer. The note contains the following message:

All your private files were encrypted with an strong RSA 2048 and AES 256 algorithm. To decrypt your files you must pay 0.17.

.BLOCKED Files Virus – Encryption Procedure

In order to encrypt the files on the infected computer, the .BLOCKED files virus has a pre-configured list of file types it aims to encrypt. At the same time, the virus is careful not to encrypt crucial drivers and system files, so that the infected computer remains usable. The files which CrystalCrypt may scan your computer for are likely the most commonly used file types, which usually have the following file extensions:


After encryption is complete, the .BLOCKED files virus may leave the encrypted files to appear like the following:

Remove .BLOCKED CrystalCrypt Ransomware and Restore Files

To remove this ransomware infection, we recommend following the removal instructions at the bottom of this article. They are divided into manual and automatic removal instructions, depending on how much experience with malware removal you have. If you lack experience in removing viruses like CrystalCrypt manually, be advised that cybersecurity experts always advise users to scan their computers with advanced anti-malware software, which will help you automatically erase all traces of CrystalCrypt ransomware from your computer and protect it in the future.

If you want to restore files that have been encrypted by this ransomware infection, we recommend that you follow the file recovery instructions underneath this article in step “2. Restore files encrypted by CrystalCrypt .BLOCKED”. They may not be 100% effective when it comes to decrypting your files, but their primary purpose is to help recover as many encrypted files as possible.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
