.crptd File Virus – Remove and Restore Files - How to, Technology and PC Security Forum | SensorsTechForum.com

.crptd File Virus – Remove and Restore Files

This post has been created to show you (i) how to remove Naampa ransomware virus from your computer and (ii) how to restore .crptd files.

A ransomware virus, known as Naampa ransomware has been spotted to encrypt important files in the computers it infects, adding the .crptd file extension after their file names. The virus aims to drop it’s ransom note, named !—-README—-!.jpg which notifies the victims that their files are encrypted via RSA-2048 encryption algorithm and they must contact the crooks via TOR browser and make a ransom payment in return for their files. If you have become an unfortunate victim of the .crptd file virus, we advise reading the following material.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on your computer possibly with RSA-2048 and then demands a ransom payoff to get them back.
SymptomsFiles are encrypted with an added .crptd file extension to them. A ransom note, named !—-README—-!.jpg Is added to the infected computer.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .crptd


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .crptd.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Naampa .crptd Virus – How Did I Get Infected With It

The primary infection method of viruses like the Naampa .crptd ransomware is via e-mail. Since this virus is primarily written in Russian language, the cyber-criminals may have targeted widely used e-mail providers such as mail.ru accounts. The spam messages distributing the .crptd virus may have e-mail attachments which aim for one thing and one thing only – to trick you into opening the attachment.

The attachments are created with the one and only purpose to deceive victims into opening them. They often pretend to be invoices, receipts, bank statements. The most aggressive ones even claim that there is a suspicious activity on your bank account to get you to open the e-mail attachments embedded. Here is an example of such message:

Besides this main method by which over 80% of ransomware viruses are spread, the Naampa virus may also exist in an uploaded form on suspicious websites. It may pose as a fake setup, fraudulent system update, fake game crack or program activator, etc.

More Information About .crptd File Virus

After you have clicked on the malicious attachment, it may infect your computer by connecting to a remote location and using unsecured port to download the malicious payload of the .crpd threat. It consists primarily of the following files;

  • naampa.exe
  • Mmspert.exe
  • Key.res
  • PH0246U.BMP
  • !—-README—-!.jpg

The key.res and the “read me” file are located in the default documents of your profile folder, whereas the naampa.exe and mmspert.exe files may be located in other system folders, among which are:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %Temp%

Even though it has not been confirmed, the .crptd file virus may extract other files that may be under random names, called modules and these may also be located in the abovementioned folders. To download the payload, the malware may use the following domain:

→ schemas.openxmlformats.org/drawingml/2006/main

When you enter the second address, which is also featured in the ransom note, you are taken to the primary web page of the virus, which provides the e-mail of the cyber-criminals, which is:

→ unlckr@protonmail.com

Among the activities of the .crptd ransomware virus is to delete the shadow volume copies of the infected computer. This happens by executing a hidden command on your computer without you even noticing. The command is the following:

→ vssadmin.exe delete shadows /all /quiet

This command may not be noticed by the victim and it may also be accompanied by other commands that may disable system recovery as well as shut down Windows Backup Service.

The main ransom note of the !—-README—-!.jpg file has been created with a Russian ransom note in general and it translates to the following message:

“Your files are encrypted using the RSA-2048 algorithm.
If you want to return them, send one of the encrypted files and key.res file to e-mail:
If you do not receive a reply within 24 hours or the letter is returned with an error, then download from the site www.torproject.com browser TOR and with his help go to the site
n3r2kuzhw2h7x6j5.onion – there will be specified a valid mailbox.
Attempts to repair files yourself can irrevocably ruin them!”

How Does Naampa Ransomware Encrypt Files

For the encryption process, the .crptd file virus claims to use RSA-2048 encryption algorithm, which is a strong and stable cipher and it’s core competence is that it generates set of private and public decryption key. Each of the keys the .crptd ransomware has generated is unique, meaning that if there is no decryption flaw which can allow for researchers to discover a master key, it may take years to get your files restored back to normal.

The files which are targeted by the .crptd file virus may have the following file extensions:


After this has occurred, the ransomware virus adds the .crptd file extension to the encrypted files. They begin to appear like the following:

Remove .crptd File Virus you’re your Computer and Restore Data

If you are a victim of the .crptd file virus, we advise you to go ahead and backup all your encrypted files for if a decrypter is released in the future. Then you can proceed to contain the damage done by this infection by removing it. This is achievable by following the removal instructions for .crptd file virus below. They are specifically designed to help you delete this virus either manually or automatically. Since the .crptd file virus tampers with key components of Windows, we recommend users to download and install the proper anti-malware software to fully remove the .crptd ransomware from your computer.

After the virus has been removed, to help you restore as many files as you can, we have designed alternative instructions under the name “Restore files encrypted by .crptd File Virus” below. They are some indirect methods with which you can recover at least some of your files. But make sure to first make a backup and try them at your own risk with copies of your files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share