CRBR ENCRYPTOR Virus – Remove and Restore Files

CRBR ENCRYPTOR Ransomware Virus – Remove and Restore Files


This article shows how to remove the CRBR ENCRYPTOR ransomware virus and restore files encrypted by this infection on your PC.

Every time the cyber-criminals who created the Cerber ransomware infection update their virus, they make slight changes to it. This time it is the name, and they are calling it CRBR ENCRYPTOR. The virus aims to encrypt the files on infected computers and then demands a hefty ransom payoff to restore the encrypted data to its working state. If your computer has been infected by this ransomware type of virus, we urge you to read the following post.

Threat Summary

Type: Ransomware Virus
Short Description: This Cerber ransomware variant encrypts files with the RSA-512 cipher and an RC4 encryption algorithm, adding four randomly generated A-Z 0-9 characters (ex. .b43s) as a file extension to the encrypted files, and asks a ransom payoff for decryption.
Symptoms: Files are enciphered and become inaccessible by any type of software. A ransom note with instructions for paying the ransom shows as a “_R_E_A_D___T_H_I_S___{RANDOM}_” file. Also may add the following audio message after encryption:
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks, Malicious Executable in Torrent Trackers.

CRBR ENCRYPTOR Ransomware – Update September 2017

CRBR ENCRYPTOR, which is the current variant of the Cerber ransomware, has been reported by malware researchers to use the Magnitude Exploit Kit. The malware has decreased its infection campaigns, but new ones are expected to appear. Cerber ransomware keeps coming back after some time has passed, so it will be no surprise if a new version is distributed soon. Keep your backups up to date, as this malware is one of the most dangerous ones, since no decryption has been made available for its latest iterations.

How Does CRBR ENCRYPTOR Cause an Infection

The CRBR ENCRYPTOR ransomware uses a very specific method to replicate: blank slate e-mail spam messages. Such messages contain no message text whatsoever and only carry the malicious e-mail attachment. The attachments come in various file types that can be turned into the infection file. These files are:

  • .docm and .doc Microsoft Word documents with malicious macros.
  • .js and .wsf JavaScript files.
  • .pdf files which extract the abovementioned Microsoft Word documents.

As soon as the victim opens the malicious attachment of the ransomware infection, the malicious files of the malware are dropped on the computer. The files are located in various Windows folders, for instance:

CRBR ENCRYPTOR – Infection Activity

After an infection with CRBR ENCRYPTOR takes place, the virus drops a ransom note as both an .hta and a .txt file, named “_R_E_A_D___T_H_I_S___{RANDOM}_”, where the random code represents a unique identifier for the specific infection performed by the ransomware. The CRBR ENCRYPTOR malware also has multiple other functions within the malicious files it drops on your computer. The ransomware infection initially modifies the internal processes of Windows in order to allow uninterrupted activation. One of the activities it performs is to modify the following system files in Windows:

  • wscript.exe
  • WScript.exe
  • Mui
  • Sortdefault.nls
  • Wshom.ocx
  • Stdole2.tlb
  • KERNELBASE.dll.mui
  • Msxml3.dll

After having done this, CRBR ENCRYPTOR creates multiple different registry entries in the Windows Registry Editor. It attacks the following registry sub-keys:


After having done this, CRBR ENCRYPTOR ransomware may also establish connection with multiple foreign hosts.

The virus’s payload files consist of three executable types of files, one of which has a single digit as a name, like 1.exe, another one with three digits, like 222.exe and one with random digits and numbers, for example 12sd32.exe. In addition to those, it also drops two .dat support modules, called read.php and user.php.

Then, the CRBR ENCRYPTOR ransomware virus may activate functions within those files that perform various malicious activities:

  • Dropped files that seem legitimate.
  • Reads trusted programs list in your Windows.
  • Searches for various processes which are actively running, after which it spawns new processes, inserting them in Windows Task Manager. The processes are concealed and have seemingly legitimate names, for example svchost.exe, like the original process name.
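
The ransom note name and the four-character file extension described on this page can be turned into a quick triage check over a file listing. The following is an added example, not code from the original article or from any vendor tool; the character set assumed for {RANDOM}, the allow-list of legitimate extensions and the sample paths are constructed assumptions.

```python
import os
import re
import sys
from collections import Counter
from pathlib import PureWindowsPath

# Note name as given on this page; the character set of {RANDOM} is an assumption.
NOTE_RE = re.compile(r"^_R_E_A_D___T_H_I_S___[A-Za-z0-9]+_\.(hta|txt)$", re.I)
# Four characters from A-Z / 0-9, like the page's ".b43s" example.
EXT_RE = re.compile(r"^\.[a-z0-9]{4}$")
# Legitimate four-character extensions to ignore (constructed list, not exhaustive).
KNOWN_4CHAR = {".docx", ".docm", ".xlsx", ".pptx", ".jpeg", ".html", ".json", ".tiff"}

def triage(paths):
    """Return (ransom_note_paths, {directory: (extension, file_count)})."""
    notes, per_dir = [], {}
    for raw in paths:
        p = PureWindowsPath(raw)
        if NOTE_RE.match(p.name):
            notes.append(raw)
            continue
        ext = p.suffix.lower()
        if EXT_RE.match(ext) and ext not in KNOWN_4CHAR:
            per_dir.setdefault(str(p.parent).lower(), Counter())[ext] += 1
    note_dirs = {str(PureWindowsPath(n).parent).lower() for n in notes}
    # Report an extension only where a note sits next to the renamed files,
    # which keeps unrelated four-character extensions out of the result.
    suspects = {d: c.most_common(1)[0] for d, c in per_dir.items() if d in note_dirs}
    return notes, suspects

# Constructed sample listing (not taken from a real infection).
SAMPLE = [
    r"C:\Users\alice\Documents\_R_E_A_D___T_H_I_S___K3QX_.hta",
    r"C:\Users\alice\Documents\_R_E_A_D___T_H_I_S___K3QX_.txt",
    r"C:\Users\alice\Documents\Zk1pQ0aL2x.b43s",
    r"C:\Users\alice\Documents\9fTrW_eq0B.b43s",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Pictures\holiday.jpeg",
    r"C:\Users\alice\Pictures\scan.a1b2",
]

if __name__ == "__main__":
    # With a directory argument, walk it; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        listing = [os.path.join(r, f) for r, _, fs in os.walk(sys.argv[1]) for f in fs]
    else:
        listing = SAMPLE
    notes, suspects = triage(listing)
    print(f"ransom notes found: {len(notes)}")
    for directory, (ext, count) in suspects.items():
        print(f"{directory}: {count} file(s) with extension {ext}")
```

Run it read-only against a copy or a mounted image of the affected drive; the reported extension identifies which files belong in the backup of encrypted data that the removal section recommends.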

CRBR ENCRYPTOR – The Encryption

Files are rendered unopenable on your computer in the same way as with the previous Cerber ransomware variant. This is done by changing the file extensions and the names of the infected files, making them unrecognizable. Files that have been encrypted by CRBR ENCRYPTOR appear like the following:

The files cannot be opened because the ransomware uses the RSA-512 cipher in combination with RC4 encryption mode, which replaces blocks of data from the original files with blocks of encrypted data. The virus then creates two types of RSA keys, public and private, the private of which is very difficult to factorize. Both keys are needed in order to decrypt the files. The public key could eventually be factorized by using software and tailor-made scripts, for example in Python, but after this it is very difficult to calculate the private key. What is more, the RSA keys may be different for each file, meaning that it may take a long time to decrypt each file.

Just like the other versions of the CRBR ENCRYPTOR virus, this one also attacks the most widely used file types, while at the same time avoiding critical Windows folders whose encryption may break your OS:

→ “.123”, “.1cd”, “.3dm”, “.3ds”, “.3fr”, “.3g2”, “.3gp”, “.3pr”, “.602”, “.7z”, “.7zip”, “.aac”, “.ab4”, “.abd”, “.acc”, “.accdb”, “.accde”, “.accdr”, “.accdt”, “.ach”, “.acr”, “.act”, “.adb”, “.adp”, “.ads”, “.aes”, “.agdl”, “.ai”, “.aiff”, “.ait”, “.al”, “.aoi”, “.apj”, “.apk”, “.arc”, “.arw”, “.ascx”, “.asf”, “.asm”, “.asp”, “.aspx”, “.asset”, “.asx”, “.atb”, “.avi”, “.awg”, “.back”, “.backup”, “.backupdb”, “.bak”, “.bank”, “.bat”, “.bay”, “.bdb”, “.bgt”, “.bik”, “.bin”, “.bkp”, “.blend”, “.bmp”, “.bpw”, “.brd”, “.bsa”, “.bz2”, “.c”, “.cash”, “.cdb”, “.cdf”, “.cdr”, “.cdr3”, “.cdr4”, “.cdr5”, “.cdr6”, “.cdrw”, “.cdx”, “.ce1”, “.ce2”, “.cer”, “.cfg”, “.cfn”, “.cgm”, “.cib”, “.class”, “.cls”, “.cmd”, “.cmt”, “.config”, “.contact”, “.cpi”, “.cpp”, “.cr2”, “.craw”, “.crt”, “.crw”, “.cry”, “.cs”, “.csh”, “.csl”, “.csr”, “.css”, “.csv”, “.d3dbsp”, “.dac”, “.das”, “.dat”, “.db”, “.db3”, “.db_journal”, “.dbf”, “.dbx”, “.dc2”, “.dch”, “.dcr”, “.dcs”, “.ddd”, “.ddoc”, “.ddrw”, “.dds”, “.def”, “.der”, “.des”, “.design”, “.dgc”, “.dgn”, “.dif”, “.dip”, “.dit”, “.djv”, “.djvu”, “.dng”, “.doc”, “.docb”, “.docm”, “.docx”, “.dot”, “.dotm”, “.dotx”, “.drf”, “.drw”, “.dtd”, “.dwg”, “.dxb”, “.dxf”, “.dxg”, “.edb”, “.eml”, “.eps”, “.erbsql”, “.erf”, “.exf”, “.fdb”, “.ffd”, “.fff”, “.fh”, “.fhd”, “.fla”, “.flac”, “.flb”, “.flf”, “.flv”, “.forge”, “.fpx”, “.frm”, “.fxg”, “.gbr”, “.gho”, “.gif”, “.gpg”, “.gray”, “.grey”, “.groups”, “.gry”, “.gz”, “.h”, “.hbk”, “.hdd”, “.hpp”, “.html”, “.hwp”, “.ibank”, “.ibd”, “.ibz”, “.idx”, “.iif”, “.iiq”, “.incpas”, “.indd”, “.info”, “.info_”, “.iwi”, “.jar”, “.java”, “.jnt”, “.jpe”, “.jpeg”, “.jpg”, “.js”, “.json”, “.k2p”, “.kc2”, “.kdbx”, “.kdc”, “.key”, “.kpdx”, “.kwm”, “.laccdb”, “.lay”, “.lay6”, “.lbf”, “.lck”, “.ldf”, “.lit”, “.litemod”, “.litesql”, “.lock”, “.ltx”, “.lua”, “.m”, “.m2ts”, “.m3u”, “.m4a”, “.m4p”, “.m4u”, “.m4v”, “.ma”, “.mab”, “.map”, “.max”, “.mbx”, “.md”, “.mdb”, “.mdc”, “.mdf”, “.mef”, “.mfw”, “.mid”, “.mkv”, “.mlb”, 
“.mml”, “.mmw”, “.mny”, “.money”, “.moneywell”, “.mos”, “.mov”, “.mp3”, “.mp4”, “.mpeg”, “.mpg”, “.mrw”, “.ms11”, “.msf”, “.msg”, “.mts”, “.myd”, “.myi”, “.nd”, “.ndd”, “.ndf”, “.nef”, “.nk2”, “.nop”, “.nrw”, “.ns2”, “.ns3”, “.ns4”, “.nsd”, “.nsf”, “.nsg”, “.nsh”, “.nvram”, “.nwb”, “.nx2”, “.nxl”, “.nyf”, “.oab”, “.obj”, “.odb”, “.odc”, “.odf”, “.odg”, “.odm”, “.odp”, “.ods”, “.odt”, “.ogg”, “.oil”, “.omg”, “.one”, “.onenotec2”, “.orf”, “.ost”, “.otg”, “.oth”, “.otp”, “.ots”, “.ott”, “.p12”, “.p7b”, “.p7c”, “.pab”, “.pages”, “.paq”, “.pas”, “.pat”, “.pbf”, “.pcd”, “.pct”, “.pdb”, “.pdd”, “.pdf”, “.pef”, “.pem”, “.pfx”, “.php”, “.pif”, “.pl”, “.plc”, “.plus_muhd”, “.pm”, “.pm!”, “.pmi”, “.pmj”, “.pml”, “.pmm”, “.pmo”, “.pmr”, “.pnc”, “.pnd”, “.png”, “.pnx”, “.pot”, “.potm”, “.potx”, “.ppam”, “.pps”, “.ppsm”, “.ppsx”, “.ppt”, “.pptm”, “.pptx”, “.prf”, “.private”, “.ps”, “.psafe3”, “.psd”, “.pspimage”, “.pst”, “.ptx”, “.pub”, “.pwm”, “.py”, “.qba”, “.qbb”, “.qbm”, “.qbr”, “.qbw”, “.qbx”, “.qby”, “.qcow”, “.qcow2”, “.qed”, “.qtb”, “.r3d”, “.raf”, “.rar”, “.rat”, “.raw”, “.rb”, “.rdb”, “.re4”, “.rm”, “.rtf”, “.rvt”, “.rw2”, “.rwl”, “.rwz”, “.s3db”, “.safe”, “.sas7bdat”, “.sav”, “.save”, “.say”, “.sch”, “.sd0”, “.sda”, “.sdb”, “.sdf”, “.secret”, “.sh”, “.sldm”, “.sldx”, “.slk”, “.slm”, “.sql”, “.sqlite”, “.sqlite-shm”, “.sqlite-wal”, “.sqlite3”, “.sqlitedb”, “.sr2”, “.srb”, “.srf”, “.srs”, “.srt”, “.srw”, “.st4”, “.st5”, “.st6”, “.st7”, “.st8”, “.stc”, “.std”, “.sti”, “.stl”, “.stm”, “.stw”, “.stx”, “.svg”, “.swf”, “.sxc”, “.sxd”, “.sxg”, “.sxi”, “.sxm”, “.sxw”, “.tar”, “.tax”, “.tbb”, “.tbk”, “.tbn”, “.tex”, “.tga”, “.tgz”, “.thm”, “.tif”, “.tiff”, “.tlg”, “.tlx”, “.txt”, “.uop”, “.uot”, “.upk”, “.usr”, “.vb”, “.vbox”, “.vbs”, “.vdi”, “.vhd”, “.vhdx”, “.vmdk”, “.vmsd”, “.vmx”, “.vmxf”, “.vob”, “.vpd”, “.vsd”, “.wab”, “.wad”, “.wallet”, “.war”, “.wav”, “.wb2”, “.wk1”, “.wks”, “.wma”, “.wmf”, “.wmv”, “.wpd”, “.wps”, “.x11”, “.x3f”, “.xis”, “.xla”, “.xlam”, “.xlc”, “.xlk”, 
“.xlm”, “.xlr”, “.xls”, “.xlsb”, “.xlsm”, “.xlsx”, “.xlt”, “.xltm”, “.xltx”, “.xlw”, “.xml”, “.xps”, “.xxx”, “.ycbcra”, “.yuv”, “.zip”

The CRBR ENCRYPTOR may skip the following types of folders to avoid encrypting files in them:

\\documents and settings\\all users\\documents\\
\\microsoft sql server\\
\\the bat!\\

After an encryption with CRBR ENCRYPTOR is done, the virus drops its ransom note and also changes the wallpaper on the infected computer. In the wallpaper, there are instructions on how to pay the ransom by visiting the well-known Cerber Decryptor web page for ransom payoff. It demands from victims the sum of 0.5 BTC (BitCoins) in order to get the files decrypted. The page looks somewhat like the following:

However, paying the cyber-crooks is highly inadvisable as it may:

  • Not get your files back.
  • Support the cyber-criminals to further develop the virus.

Removal of CRBR ENCRYPTOR Ransomware and File Restoration

In order to remove this infection from your computer, the first thing you should do is back up the encrypted files, just in case free decryption becomes available in the future. From there, you can proceed to remove this malware from your computer by following the instructions below. Bear in mind, however, that manual removal may be risky for your computer, since CRBR ENCRYPTOR interferes with multiple system files, the removal of which may permanently break your Windows. This is why experts strongly recommend using an advanced anti-malware program to automatically and safely remove all threats related to this malware.

For the file restoration, we have managed to gather several alternative methods by which you can try and restore at least some of your files. But bear in mind to only try the methods with copies of the encrypted files, just in case. The methods are located in step “2. Restore files encrypted by CRBR ENCRYPTOR” below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
