Cry (Central Security) Virus Remove and Restore .cry Files - How to, Technology and PC Security Forum |

Cry (Central Security) Virus Remove and Restore .cry Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

cry-ransomware-main-sensorstechforumA virus pretending to be the CSTO, called Cry ransomware had been reported to use RSA-4096 and the .cry file extension to encrypt the files of computers infected by it. The virus wants it’s victims to pay the different sum, depending on the files. The ransom payoff which victims should pay the cyber criminals is usually in the range of 0.27 to 1.14 BTC (BitCoin). After the encryption has been performed, the cyber criminals give users a deadline of 100 hours to pay the ransom or they will double the amount. Users are strongly advised not to pay any ransom money set by Cry Ransomware in case they have been attacked. Instead, we recommend reading this article to learn how to neutralize this threat and attempt to restore your files.

Threat Summary

NameCry Ransomware
Short DescriptionThe ransomware encrypts files with the RSA-4096 cipher and requests a ransom payoff up to 650 USD for the user to grant access back to the files.
SymptomsAfter encryption the Cry ransomware steals adds the .cry extension after every file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Cry Ransomware


Malware Removal Tool

User ExperienceJoin our forum to Discuss Cry Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Cry Ransomware – How It Spreads

For it to infect more and more users on a daily basis, Cry ransomware aims to slither files that pretend to be original Microsoft Office, Adobe Reader or other types of documents or legitimate file formats. Such files may be redistributed on shady websites, uploaded as fake setups or fake documents that the user may be surfing the web for. They may also be pushed aggressively as a part of massive spam e-mail campaigns that replicates the Cry Ransomware’s files as attachments to convincing messages and topics of the e-mail to fool inexperienced users. Here are some examples of e-mail topics that may carry a malicious attachment or web link both containing Cry Ransomware:

  • “Your Purchase Is Complete.”
  • “Your Debit Card Has Been Closed.”
  • “The funds have been withdrawn.”

Cry Ransomware – What Does It Do

As soon as Cry Ransomware has infected your computer, the virus may begin to drop it’s payload. This may happen in several different ways:

  • By directly connecting to a remote host and downloading the malicious file (s).
  • By directly having the payload on your computer.
  • By having other malware such as Trojan.Downloader on your computer that can download the files.
  • By activating a .js(fileless ransomware) file.

As soon as it has been activated on your computer, the Cry virus may drop the following files:

  • !Recovery_{user id number with letters}.txt
  • !Recovery_{user id number with letters}.html
  • {malicious payload}.exe

All of the files may have copies in the %Startup% folder of windows or may have values strings in the following Windows Registry keys to run on system startup:


As soon as this has been done and the Cry virus is activated, it may immediately create a folder, named “old_shortcuts” on your desktop where it moves the files it encrypts.

The Cry virus is pre-programmed to encrypt approximately 650 file types. Here is a small portion of the files it looks for and encrypts:

→ .#vc, .$ac, ._vc, .00c, .07g, .07i, .08i, .09i, .09t, .10t, .11t, .123, .13t, .1pa, .1pe, .2011, .2012, .2013, .2014, .2015, .2016, .2017, .210, .3dm, .3ds, .3g2, .3gp, .3me, .3pe, .500, .7z, .aac, .aaf, .ab4, .ac2, .acc, .accd, .ach, .aci, .acm, .acr, .aep, .aepx, .aes, .aet, .afm, .ai, .aif, .ami, .arc, .as, .as3,.asc, .asf, .asm, .asp, .asx, .ati, .avi, .back, .bak, .bat, .bay, .bc8,.bc9, .bd2, ., .h, .h10, .h11, .h12, .hbk, .hif, .hpp, .hsr, .html, .hts, .hwp, .i2b, .iban, .ibd, .ico, .idml, .iff, .iif, .img, .imp, .indb, .indd, .indl, .indt, .ini, .int?, .intu, .inv, .inx, .ipe, .ipg, .itf, .jar, .java, .jnq, .jp2, .jpeg, .jpg, .js, .jsd, .jsda, .jsp, .kb7, .kd3, .kdc, .key, .kmo, .kmy, .lay, .lay6, .lcd, .ldc, .ldf, .ldr, .let, .lgb, .lhr, .lid, .lin, .lld, .lmr, .log, .lua, .lz, .m, .m10, .m11, .m12, .m14, .m15, .m16, .m3u, .m3u8, .m4a, .m4v, .mac, .max, .mbsb, .md, .mda, .mdb, .mdf, .mef, .mem, .met, .meta, .mhtm, .mid, .mkv, .ml2, .ml9, .mlb, .mlc, .mmb, .mml, .mmw, .mn1, .mn2, .mn3, .mn4, .mn5, .mn6, .mn7, .mn8, .mn9, .mne, .mnp, .mny, .mone, .mov, .mp2, .mp3, .mp4, .mpa, .mpe, .mpeg, .mpg, .mql, .mrq, .ms11, .msg, .mwi, .mws, .mx0, .myd, .mye, .myi, .myox, .n43, .nap, .nd, .nef, .nl2,.nni, .npc, .nv, .nv2, .oab, .obi, .odb, .ode, .odg,.odm, .odp, .ods, .odt, .oet, .ofc, .ofx, .old, .omf, .op, .orf, .ost, .otg, .otp, .ots, .ott, .p08, .p12, .p7b, .p7c, .paq, .pas, .pat, .pcd, .pcif, .pct, .pcx, .pd6, .pdb, .pdd, .pdf, .pem, .per, .pfb, .pfd, .pfx, .pg, .php, .pic, .pl, .plb, .pls, .plt, .pma, .pmd, .pnq, .pns, .por, .pot, .potm, .potx, .pp4, .pp5, .ppam, .ppf, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .pr0, .pr1, .pr2, .pr3, .pr4, .pr5, .prel, .prf, .prn, .prpr, .ps, .psd, .psp, .pst, .ptb, .ptdb, .ptk, .ptx, .pvc, .pxa, .py, .q00, .q01, .q06, .q07, .q08, .q09, .q43, .q98, .qb1, .qb20, .qba, .qbb, .qbi, .qbk, .qbm, .qbmb, .qbmd, .qbo, .qbp, .qbr, .qbw, .qbx, .qby, .qbz, .qcn, .qcow, .qdf, .qdfx, .qdt, .qel, .qem, ..vbs, .vcf, .vdf, .vdi, .vmb, .vmdk, .vmx, .vnd, .vob, .vsd, .vyp, .vyr, .wac, .wav, .wb2, .wi, .wk1, .wk3, .wk4, .wks, .wma, .wmf, .wmv, .wpd, .wpg, .wps, .x3f, .xaa, .xcf, .xeq, .xhtm, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xpm, .xqx, .yuv, .zdb, .zip, .zipx, .zix, .zka (and others…)

This vast array of files, if detected, are encrypted with a very strong RSA-4096 encryption cipher, the decryption for which may take a lot of time, if the computer decrypting it doesn’t break by then.

The scrambled files cannot be opened by any software and contain the .Cry file extension, for example:


The .txt and .html file may automatically present themselves to the user displaying the Cry ransomware’s ransom payoff instructions:


Remove Cry Ransomware and Restore .cry Encrypted Files

Malware researchers strongly advise against paying off the black hat hackers behind this virus. Instead, it is recommended to remove this virus and wait for a decrypter to be released while you try to restore your files using the instructions below.

To remove Cry Ransomware and try to restore your files, follow the step-by-step tutorial after this article. We also advise you to wait for an update on this article as soon as a free file decrypter for Cry Ransomware has been released.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share