Cry (Central Security) Virus Remove and Restore .cry Files - How to, Technology and PC Security Forum | SensorsTechForum.com
Cry (Central Security) Virus Remove and Restore .cry Files

A virus pretending to be the CSTO, called Cry ransomware, has been reported to use RSA-4096 and the .cry file extension to encrypt the files on computers it infects. The virus demands a different sum from its victims depending on the files. The ransom victims are asked to pay the cyber criminals is usually in the range of 0.27 to 1.14 BTC (Bitcoin). After the encryption has been performed, the cyber criminals give users a deadline of 100 hours to pay the ransom, or they will double the amount. Users who have been attacked are strongly advised not to pay any ransom set by Cry Ransomware. Instead, we recommend reading this article to learn how to neutralize this threat and attempt to restore your files.

Threat Summary

Name: Cry Ransomware
Type: Ransomware
Short Description: The ransomware encrypts files with the RSA-4096 cipher and requests a ransom payoff of up to 650 USD to give the user access back to the files.
Symptoms: After encryption, the Cry ransomware adds the .cry extension to every file.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Cry Ransomware – How It Spreads

To infect more and more users on a daily basis, Cry ransomware is spread in files that pretend to be genuine Microsoft Office or Adobe Reader documents, or other legitimate file formats. Such files may be redistributed on shady websites, uploaded as fake setups or fake documents that the user may be searching the web for. They may also be pushed aggressively as part of massive spam e-mail campaigns that attach Cry Ransomware’s files to e-mails with convincing messages and topics in order to fool inexperienced users. Here are some examples of e-mail topics that may carry a malicious attachment or web link, both containing Cry Ransomware:

  • “Your Purchase Is Complete.”
  • “Your Debit Card Has Been Closed.”
  • “The funds have been withdrawn.”

Cry Ransomware – What Does It Do

As soon as Cry Ransomware has infected your computer, the virus may begin to drop its payload. This may happen in several different ways:

  • By directly connecting to a remote host and downloading the malicious file(s).
  • By directly having the payload on your computer.
  • By having other malware such as Trojan.Downloader on your computer that can download the files.
  • By activating a .js (fileless ransomware) file.

As soon as it has been activated on your computer, the Cry virus may drop the following files:

  • !Recovery_{user id number with letters}.txt
  • !Recovery_{user id number with letters}.html
  • {malicious payload}.exe

All of the files may have copies in the %Startup% folder of Windows, or may have value strings in the following Windows Registry keys so that they run on system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

As soon as this has been done and the Cry virus is activated, it may immediately create a folder named “old_shortcuts” on your desktop, where it moves the files it encrypts.
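The locations listed above can be checked in one pass. The following PowerShell script is an added example, not part of the original article; it only reads the four registry keys, the Startup folders and the user profile, and it assumes that the ID in the note file name is alphanumeric.

```powershell
# Added triage example, not part of the original article. Read-only: lists, never deletes.
# Assumption: the "{user id number with letters}" in the note name is alphanumeric.
$notePattern = '^!Recovery_[A-Za-z0-9]+\.(txt|html)$'

# 1. Values in the four Run/RunOnce keys named in the article.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Source = $key; Name = $name; Target = [string]$item.GetValue($name) }
    }
}

# 2. Entries in the per-user and all-users Startup folders.
$startupDirs = 'Startup', 'CommonStartup' |
    ForEach-Object { [Environment]::GetFolderPath($_) } | Where-Object { $_ }
$startup = foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Target = $_.FullName } }
}

# 3. Ransom notes and .cry files under the user profile, plus the desktop folder.
$files = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -Force -File -ErrorAction SilentlyContinue
$notes = @($files | Where-Object { $_.Name -match $notePattern })
$encrypted = @($files | Where-Object { $_.Extension -ieq '.cry' })
$oldShortcuts = Join-Path ([Environment]::GetFolderPath('Desktop')) 'old_shortcuts'

# Startup entries that reference a ransom note are the ones tied to this threat;
# the rest are printed so an analyst can review them by hand.
$persist = @($autoruns) + @($startup)
$flagged = @($persist | Where-Object { $_.Name -match '^!Recovery_' -or $_.Target -match '!Recovery_' })

[pscustomobject]@{
    RansomNotes        = $notes.Count
    CryFiles           = $encrypted.Count
    OldShortcutsFolder = Test-Path -LiteralPath $oldShortcuts
    FlaggedAutoruns    = $flagged.Count
} | Format-List
$flagged | Format-List
$persist | Sort-Object Source | Format-Table -AutoSize -Wrap
$notes | Select-Object -ExpandProperty FullName
```

Run it from the affected user's session so that the HKCU keys and the profile paths resolve to that account.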

The Cry virus is pre-programmed to encrypt approximately 650 file types. Here is a small portion of the files it looks for and encrypts:

→ .#vc, .$ac, ._vc, .00c, .07g, .07i, .08i, .09i, .09t, .10t, .11t, .123, .13t, .1pa, .1pe, .2011, .2012, .2013, .2014, .2015, .2016, .2017, .210, .3dm, .3ds, .3g2, .3gp, .3me, .3pe, .500, .7z, .aac, .aaf, .ab4, .ac2, .acc, .accd, .ach, .aci, .acm, .acr, .aep, .aepx, .aes, .aet, .afm, .ai, .aif, .ami, .arc, .as, .as3, .asc, .asf, .asm, .asp, .asx, .ati, .avi, .back, .bak, .bat, .bay, .bc8, .bc9, .bd2, ., .h, .h10, .h11, .h12, .hbk, .hif, .hpp, .hsr, .html, .hts, .hwp, .i2b, .iban, .ibd, .ico, .idml, .iff, .iif, .img, .imp, .indb, .indd, .indl, .indt, .ini, .int?, .intu, .inv, .inx, .ipe, .ipg, .itf, .jar, .java, .jnq, .jp2, .jpeg, .jpg, .js, .jsd, .jsda, .jsp, .kb7, .kd3, .kdc, .key, .kmo, .kmy, .lay, .lay6, .lcd, .ldc, .ldf, .ldr, .let, .lgb, .lhr, .lid, .lin, .lld, .lmr, .log, .lua, .lz, .m, .m10, .m11, .m12, .m14, .m15, .m16, .m3u, .m3u8, .m4a, .m4v, .mac, .max, .mbsb, .md, .mda, .mdb, .mdf, .mef, .mem, .met, .meta, .mhtm, .mid, .mkv, .ml2, .ml9, .mlb, .mlc, .mmb, .mml, .mmw, .mn1, .mn2, .mn3, .mn4, .mn5, .mn6, .mn7, .mn8, .mn9, .mne, .mnp, .mny, .mone, .mov, .mp2, .mp3, .mp4, .mpa, .mpe, .mpeg, .mpg, .mql, .mrq, .ms11, .msg, .mwi, .mws, .mx0, .myd, .mye, .myi, .myox, .n43, .nap, .nd, .nef, .nl2, .nni, .npc, .nv, .nv2, .oab, .obi, .odb, .ode, .odg, .odm, .odp, .ods, .odt, .oet, .ofc, .ofx, .old, .omf, .op, .orf, .ost, .otg, .otp, .ots, .ott, .p08, .p12, .p7b, .p7c, .paq, .pas, .pat, .pcd, .pcif, .pct, .pcx, .pd6, .pdb, .pdd, .pdf, .pem, .per, .pfb, .pfd, .pfx, .pg, .php, .pic, .pl, .plb, .pls, .plt, .pma, .pmd, .pnq, .pns, .por, .pot, .potm, .potx, .pp4, .pp5, .ppam, .ppf, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .pr0, .pr1, .pr2, .pr3, .pr4, .pr5, .prel, .prf, .prn, .prpr, .ps, .psd, .psp, .pst, .ptb, .ptdb, .ptk, .ptx, .pvc, .pxa, .py, .q00, .q01, .q06, .q07, .q08, .q09, .q43, .q98, .qb1, .qb20, .qba, .qbb, .qbi, .qbk, .qbm, .qbmb, .qbmd, .qbo, .qbp, .qbr, .qbw, .qbx, .qby, .qbz, .qcn, .qcow, .qdf, .qdfx, .qdt, .qel, .qem, ..vbs, .vcf, .vdf, .vdi, .vmb, .vmdk, .vmx, .vnd, .vob, .vsd, .vyp, .vyr, .wac, .wav, .wb2, .wi, .wk1, .wk3, .wk4, .wks, .wma, .wmf, .wmv, .wpd, .wpg, .wps, .x3f, .xaa, .xcf, .xeq, .xhtm, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xpm, .xqx, .yuv, .zdb, .zip, .zipx, .zix, .zka (and others…)

Any files from this vast array that are detected are encrypted with a very strong RSA-4096 encryption cipher. Decrypting it may take a lot of time, if the computer doing the decryption doesn’t break down by then.

The scrambled files cannot be opened by any software and carry the .cry file extension.

The .txt and .html files may open automatically, displaying the Cry ransomware’s ransom payoff instructions to the user.

Remove Cry Ransomware and Restore .cry Encrypted Files

Malware researchers strongly advise against paying off the black hat hackers behind this virus. Instead, it is recommended to remove this virus and wait for a decrypter to be released while you try to restore your files using the instructions below.

To remove Cry Ransomware and try to restore your files, follow the step-by-step tutorial after this article. We also advise you to check back for an update to this article, which will follow as soon as a free file decrypter for Cry Ransomware has been released.

To remove Cry Ransomware follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Cry Ransomware files and objects
2. Find files created by Cry Ransomware on your PC

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Cry Ransomware

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
