CRBR ENCRYPTOR Virus – Remove and Restore Files

This article shows how to remove the CRBR ENCRYPTOR ransomware virus and restore files encrypted by this infection on your PC.

Every time the cyber-criminals behind the Cerber ransomware infection update their virus, they make slight changes to it. This time the change is the name: they are now calling it CRBR ENCRYPTOR. The virus encrypts the files on the computers it infects and then demands a hefty ransom payoff in order to restore the encrypted data to its working state. If your computer has been infected by this type of ransomware, we urge you to read the following post.

Threat Summary

Name: CRBR ENCRYPTOR
Type: Ransomware Virus
Short Description: This Cerber ransomware variant encrypts files with the RSA-512 cipher and the RC4 encryption algorithm, appending four randomly generated A-Z 0-9 characters (e.g. .b43s) as the file extension of the encrypted files, and asks for a ransom payoff for decryption.
Symptoms: Files are enciphered and become inaccessible to any type of software. A ransom note with instructions for paying the ransom appears as a “_R_E_A_D___T_H_I_S___{RANDOM}_” file. An audio message may also be played after encryption.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks, Malicious Executables on Torrent Trackers.

CRBR ENCRYPTOR Ransomware – Update September 2017

CRBR ENCRYPTOR, the current variant of the Cerber ransomware, has been reported by malware researchers to use the Magnitude Exploit Kit. The malware has decreased its infection campaigns, but new ones are expected to appear. Cerber ransomware keeps coming back after some time has passed, so it will be no surprise if a new version is distributed soon. Keep your backups up to date: this malware is one of the most dangerous ones, since no decryption is available for its latest iterations.

How Does CRBR ENCRYPTOR Cause an Infection

The CRBR ENCRYPTOR ransomware uses a very specific method to replicate – “blank slate” e-mail spam messages. Such messages contain no message body whatsoever and only carry the malicious e-mail attachment embedded within them. The attachments usually carry various types of files which are modified into the infection file. These files are:

  • .docm and .doc Microsoft Word documents with malicious macros.
  • .js and .wsf JavaScript files.
  • .pdf files which extract the abovementioned Microsoft Word documents.

As soon as the victim opens the malicious attachment of the ransomware infection, the malicious files of the malware are dropped on the computer. The files are located in various Windows folders, for instance:

CRBR ENCRYPTOR – Infection Activity

After an infection with CRBR ENCRYPTOR takes place, the virus drops a ransom note as both an .hta and a .txt file, named “_R_E_A_D___T_H_I_S___{RANDOM}_”, where the random code is a unique identifier for the specific infection performed by the ransomware. The CRBR ENCRYPTOR malware also has multiple other functions within the malicious files it drops on your computer. The ransomware infection initially modifies internal Windows processes in order to run uninterrupted. One of the activities it performs is to modify the following system files in Windows:

  • wscript.exe
  • WScript.exe
  • Mui
  • Sortdefault.nls
  • Wshom.ocx
  • Stdole2.tlb
  • KERNELBASE.dll.mui
  • Msxml3.dll

After having done this, CRBR ENCRYPTOR creates multiple different registry entries in the Windows Registry Editor. It attacks the following registry sub-keys:

→HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
→HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
→HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
→HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
→HKEY_LOCAL_MACHINE\Software\Classes
→HKEY_CURRENT_USER\Software\Classes
→HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

After having done this, the CRBR ENCRYPTOR ransomware may also establish connections with multiple remote hosts.

The virus’s payload consists of three types of executable files: one with a single digit as a name, like 1.exe, another with three digits, like 222.exe, and one with random letters and digits, for example 12sd32.exe. In addition to those, it also drops two .dat support modules, called read.php and user.php.

Then, the CRBR ENCRYPTOR ransomware virus may activate functions within those files that perform various malicious activities:

  • Drops files that appear legitimate.
  • Reads the list of trusted programs in Windows.
  • Searches for various processes that are actively running, after which it spawns new processes that appear in Windows Task Manager. The processes are concealed behind seemingly legitimate names, for example svchost.exe, the name of a genuine Windows process.
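A defender-side check for the persistence locations listed above, added here as an example (it is not code from the article, from Cerber, or from any vendor tool). It parses a Registry export in the text format Regedit and `reg export` write, so it can run offline on a file collected from a suspect machine, and it flags autorun values that match the traits described in this section: payload-style executable names (a bare digit, three digits, or a random mix of letters and digits), executables run from user-writable directories, and a system process name such as svchost.exe pointing outside System32. The sample export, the user-writable-directory heuristic and the regular expressions are constructed assumptions; only the key paths and the naming patterns come from the article. The Classes and Cryptography keys it names are not autorun locations, so they are not audited here.

```python
import re
from dataclasses import dataclass

# Autorun keys named in the article, compared case-insensitively.
AUTORUN_KEYS = {
    k.lower() for k in (
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    )
}

# Payload naming described in the article: 1.exe, 222.exe, 12sd32.exe.
ALL_DIGITS = re.compile(r"^\d+\.exe$", re.I)
MIXED_ALNUM = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]+\.exe$", re.I)
# Heuristic (assumption): user-writable locations an installed program rarely runs from.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|tmp|users\\[^\\]+\\(?:downloads|desktop))\\", re.I)
# Process names the article says are impersonated; extend as needed.
SYSTEM_NAMES = {"svchost.exe"}
# First quoted or unquoted path ending in .exe inside a command line.
EXE_PATH = re.compile(r'"?([^"]*?\.exe)\b"?', re.I)


@dataclass
class Finding:
    key: str
    name: str
    command: str
    reasons: tuple


def _unescape(data: str) -> str:
    # .reg exports escape backslashes and double quotes inside string values.
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                yield key, name, _unescape(data[1:-1])
            # hex:/dword: values are not string commands and are ignored here


def executable_path(command: str) -> str:
    m = EXE_PATH.search(command)
    return m.group(1).strip() if m else command


def audit_autoruns(reg_text: str) -> list:
    """Return Findings for autorun values that show the traits described in the article."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        path = executable_path(data)
        basename = path.rsplit("\\", 1)[-1]
        reasons = []
        if ALL_DIGITS.match(basename) or MIXED_ALNUM.match(basename):
            reasons.append("payload-style executable name")
        if USER_WRITABLE.search(path):
            reasons.append("runs from a user-writable directory")
        if basename.lower() in SYSTEM_NAMES and "\\windows\\system32\\" not in path.lower():
            reasons.append("system process name outside System32")
        if reasons:
            findings.append(Finding(key, name, data, tuple(reasons)))
    return findings


# Constructed sample export: one benign entry, three suspicious ones, one non-autorun key.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\ExampleApp\\updater.exe\" /quiet"
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"12sd32"="C:\\Users\\alice\\AppData\\Roaming\\12sd32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"1"="C:\\Users\\alice\\AppData\\Local\\Temp\\1.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\.txt]
@="txtfile"
'''

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG_EXPORT):
        print(f"{f.key}\\{f.name}: {f.command}\n    -> {', '.join(f.reasons)}")
```

The checks are triage hints, not verdicts: a legitimate updater can live under AppData, so every hit still needs the file itself examined (hash, signature, creation time against the infection window).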

CRBR ENCRYPTOR – The Encryption

The procedure of rendering files on your computer unopenable is the same as in the previous Cerber ransomware variant. It changes the extensions and the names of the infected files, making them unrecognizable. Files that have been encrypted by CRBR ENCRYPTOR look like the following:

The files cannot be opened because the ransomware uses the RSA-512 cipher in combination with RC4 encryption, which replaces blocks of data from the original files with blocks of encrypted data. The virus then creates two types of RSA keys – public and private – the private one being very difficult to factorize. Both keys are needed in order to decrypt the files. The public key could eventually be factorized using software and tailor-made scripts, for example written in Python, but even after this it is very difficult to calculate the private key. What is more, the RSA keys may differ for each file, meaning that it may take a long time to decrypt each file.

Just like the other versions of the CRBR ENCRYPTOR virus, this one also attacks the most widely used file types, while at the same time avoiding critical Windows folders whose encryption may break your OS:

→ .123, .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .602, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .aes, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arc, .arw, .ascx, .asf, .asm, .asp, .aspx, .asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bat, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .brd, .bsa, .bz2, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmd, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .csr, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db3, .db_journal, .dbf, .dbx, .dc2, .dch, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dif, .dip, .dit, .djv, .djvu, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .forge, .fpx, .frm, .fxg, .gbr, .gho, .gif, .gpg, .gray, .grey, .groups, .gry, .gz, .h, .hbk, .hdd, .hpp, .html, .hwp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lay, .lay6, .lbf, .lck, .ldf, .lit, .litemod, .litesql, .lock, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4u, .m4v, .ma, .mab, .map, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb,
.mml, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .ms11, .msf, .msg, .mts, .myd, .myi, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .onenotec2, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .paq, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm, .pm!, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rb, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sch, .sd0, .sda, .sdb, .sdf, .secret, .sh, .sldm, .sldx, .slk, .slm, .sql, .sqlite, .sqlite-shm, .sqlite-wal, .sqlite3, .sqlitedb, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tax, .tbb, .tbk, .tbn, .tex, .tga, .tgz, .thm, .tif, .tiff, .tlg, .tlx, .txt, .uop, .uot, .upk, .usr, .vb, .vbox, .vbs, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wk1, .wks, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlc, .xlk,
.xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip

The CRBR ENCRYPTOR may skip the following types of folders to avoid encrypting files in them:

\\documents and settings\\all users\\documents\\
\\appdata\\roaming\\microsoft\\office\\
\\excel\\
\\microsoft sql server\\
\\onenote\\
\\outlook\\
\\powerpoint\\
\\steam\\
\\the bat!\\
\\thunderbird\\

After the encryption by CRBR ENCRYPTOR is done, the virus drops its ransom note and also changes the wallpaper on the infected computer. The wallpaper carries instructions on how to pay the ransom by visiting the well-known Cerber Decryptor web page. It demands from victims the sum of 0.5 BTC (Bitcoin) in order to get the files decrypted. The page looks somewhat like the following:

However, paying the cyber-crooks is highly inadvisable, as it may:

  • Not get your files back.
  • Support the cyber-criminals in further developing the virus.
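Before removal, an incident responder wants to know what the encryption actually touched. The following triage scanner is an added example (not code from the article or from any tool it mentions) built from the traits this section describes: the ransom note name `_R_E_A_D___T_H_I_S___{RANDOM}_` in .txt and .hta form, the four-character random extension on encrypted files, a subset of the targeted extension list, and the skipped folder fragments. Because many legitimate extensions are also four alphanumeric characters (.docx, .json, .html), a random-looking extension alone is not enough; the scanner also measures the Shannon entropy of the first 4 KiB, since RC4 output is close to 8 bits per byte while documents and text are not. The directory tree, the 7.5-bit threshold and the assumption that {RANDOM} is alphanumeric are constructed for the example.

```python
import math
import os
import re
import tempfile
from pathlib import Path

# Ransom note name from the article, dropped as .txt and .hta; {RANDOM} assumed alphanumeric.
RANSOM_NOTE = re.compile(r"^_R_E_A_D___T_H_I_S___[A-Za-z0-9]+_\.(?:txt|hta)$", re.I)
# Extension appended to encrypted files: four random A-Z/0-9 characters, e.g. .b43s.
RANDOM_EXT = re.compile(r"^\.[a-z0-9]{4}$", re.I)
# Subset of the targeted extension list from the article.
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt",
            ".sql", ".zip", ".json", ".html", ".pst", ".kdbx"}
# Folder fragments the article says are skipped (lower-case, backslash form).
SKIPPED_FOLDERS = (
    "\\documents and settings\\all users\\documents\\",
    "\\appdata\\roaming\\microsoft\\office\\",
    "\\excel\\", "\\microsoft sql server\\", "\\onenote\\", "\\outlook\\",
    "\\powerpoint\\", "\\steam\\", "\\the bat!\\", "\\thunderbird\\",
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random data approaches 8.0, text sits near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_skipped(directory: str) -> bool:
    """True if the directory contains one of the folder fragments the ransomware skips."""
    norm = "\\" + directory.replace("/", "\\").strip("\\").lower() + "\\"
    return any(frag in norm for frag in SKIPPED_FOLDERS)


def triage(root: str, entropy_threshold: float = 7.5) -> dict:
    """Classify every file under root; paths are returned relative to root, sorted."""
    report = {"ransom_notes": [], "likely_encrypted": [],
              "intact_targets": [], "in_skipped_folders": []}
    for dirpath, _dirs, files in os.walk(root):
        skipped = is_skipped(dirpath)
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(fname)[1].lower()
            if RANSOM_NOTE.match(fname):
                report["ransom_notes"].append(rel)
            elif skipped:
                # Skipped folders are where intact copies may still be found.
                report["in_skipped_folders"].append(rel)
            elif ext in TARGETED:
                report["intact_targets"].append(rel)
            elif RANDOM_EXT.match(ext):
                with open(full, "rb") as fh:
                    head = fh.read(4096)
                if shannon_entropy(head) >= entropy_threshold:
                    report["likely_encrypted"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def build_sample_tree(root: str) -> None:
    """Constructed sample tree: intact documents, two 'encrypted' files, notes, a skipped folder."""
    layout = {
        "Users/alice/Documents/report.docx": b"PK\x03\x04 constructed office document",
        "Users/alice/Documents/kjd83hs7.b43s": os.urandom(4096),   # stands in for RC4 output
        "Users/alice/Pictures/p0s8df2a.b43s": os.urandom(4096),
        "Users/alice/Documents/_R_E_A_D___T_H_I_S___Z4K9Q_.txt": b"constructed ransom note text",
        "Users/alice/Documents/_R_E_A_D___T_H_I_S___Z4K9Q_.hta": b"<html>constructed</html>",
        "Users/alice/Documents/todo.note": b"plain text to-do list\n" * 100,  # 4-char ext, low entropy
        "Users/alice/AppData/Roaming/Microsoft/Office/recent.xlsx": b"constructed, in a skipped folder",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for section, paths in run_demo().items():
        print(f"{section}:")
        for p in paths:
            print("   ", p)
```

Run against a mounted image of the affected disk (read-only) rather than the live system; the `intact_targets` list tells you which targeted files escaped, and `in_skipped_folders` points to places where unencrypted copies may survive.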

Removal of CRBR ENCRYPTOR Ransomware and File Restoration

In order to remove this infection from your computer, the first thing you should do is back up the encrypted files, in case free decryption becomes available in the future. From there, you can proceed to remove this malware from your computer by following the instructions below. Bear in mind, however, that manual removal may be risky for your computer, since CRBR ENCRYPTOR interferes with multiple system files, the removal of which may permanently break your Windows. This is why experts strongly recommend using an advanced anti-malware program in order to automatically and safely remove all threats related to this malware.

For the file restoration, we have gathered several alternative methods by which you can try to restore at least some of your files. Only try these methods on copies of the encrypted files, just in case. The methods are located in step “2. Restore files encrypted by CRBR ENCRYPTOR” below.


To remove CRBR ENCRYPTOR follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove CRBR ENCRYPTOR files and objects
2. Find files created by CRBR ENCRYPTOR on your PC

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by CRBR ENCRYPTOR

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
