CryForMe Ransomware – Remove It and Restore .Cfm Files


This article will help you remove CryForMe ransomware completely. Follow the ransomware removal instructions at the end of this article.

CryForMe is a ransomware cryptovirus that imitates WannaCry and appears to be in the final stages of development. The ransomware is a variant of HiddenTear and appends the extension .cfm to every file it encrypts. The CryForMe virus demands a ransom of 250 euros. Keep reading below to see how you could try to potentially restore some of your files.

Threat Summary

Short Description: The ransomware encrypts files on your computer and displays a ransom message afterward.
Symptoms: The ransomware will encrypt your files and put the extension .cfm to them after it finishes its encryption process.
Distribution Method: Spam Emails, Email Attachments
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

CryForMe Ransomware – Infection

CryForMe ransomware could spread its infection with various methods. A payload dropper which initiates the malicious script for this ransomware is being spread around the World Wide Web, and researchers have gotten their hands on a malware sample. If that file lands on your computer system and you somehow execute it – your PC will become infected. You can see the detections of such a file on the VirusTotal service right here:

CryForMe ransomware might also distribute its payload file on social media and file-sharing services. Freeware found on the Web can be presented as helpful while hiding the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them. You should first scan them with a security tool, while also checking their size and signatures for anything that seems out of the ordinary. You should read the tips for preventing ransomware found in our forums.

CryForMe Ransomware – A Closer Look

CryForMe is a virus that could encrypt your files and extort you to pay a ransom to get them back to normal. Malware researchers have discovered that it is still in a developmental stage, but it could probably get released soon. The ransomware is a variant of the HiddenTear project.

CryForMe ransomware might make entries in the Windows Registry to achieve persistence, and could launch or repress processes in a Windows environment. Such entries are typically designed in a way to launch the virus automatically with each start of the Windows operating system.

See the ransom note that displays after the completion of the encryption:

That ransom note reads the following:

Your file have been ENCRYPTED !!!
-What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.
-Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
If you want to decrypt all your files, you need to pay.
You only have 7 days to submit the payment. After that the price will be doubled.
Once the price doubled you have other 7 day for pay, otherside the price will be very high.
How Do I Pay?
Payment is accepted in Bitcoin only.
Please check the current price of Bitcoin and buy some bitcoins.
And send the correct amount to the address specified in this window.
In the payment description insert your name, your PC name, and your email (so we can send you the password.
-What happens after the payment?
After the payments we send you the password for the decrypt.
You have to click “Decrypt” button and insert the password; after this you have your files back.
Send 250 € to this BITCOIN address:
19Roobh13zMQ9iNbN7GiaoSzbdkAiMRw7c Copy

The note of the CryForMe ransomware states that your files are encrypted. A ransom sum of 250 euros is demanded as payment for potentially unlocking your files. However, you should NOT under any circumstances pay the ransom. Your files may not get restored, and nobody could give you a guarantee for that. Moreover, giving money to cybercriminals will likely motivate them to create more ransomware or do similar criminal activities.

CryForMe Ransomware – Encryption Process

As CryForMe ransomware is a HiddenTear variant it could seek to encrypt files with the following extensions:

→.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp

All of the files that get encrypted will receive the same extension appended to them, and that is: .cfm or at least that’s currently what is set in the code of this virus. The encryption algorithm which is implemented is undoubtedly AES since it is a HiddenTear variant, but more algorithms could be added, too.
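To scope the damage, the sketch below (an added example, not part of the original article or of the malware's code) inventories files under a folder that end in .cfm. It assumes the extension is appended to the full original name (report.docx becomes report.docx.cfm); a bare name.cfm is reported separately because .cfm is also the normal extension of ColdFusion templates. The function name find_locked is hypothetical.

```python
import sys
from pathlib import Path

# Extensions the article lists as targets (".mdb.sln.php" read as three items).
TARGETS = set("""
.txt .doc .docx .xls .xlsx .pdf .pps .ppt .pptx .odt .gif .jpg .png .db .csv
.sql .mdb .sln .php .asp .aspx .html .xml .psd .frm .myd .myi .dbf .mp3 .mp4
.avi .mov .mpg .rm .wmv .m4a .mpa .wav .sav .gam .log .ged .msg .myo .tax
.ynab .ifx .ofx .qfx .qif .qdf .tax2013 .tax2014 .tax2015 .box .ncf .nsf
.ntf .lwp
""".split())

RANSOM_EXT = ".cfm"  # extension named in the article


def find_locked(root):
    """Return (suspect, ambiguous) lists of files under root ending in .cfm.

    suspect:   name.<targeted ext>.cfm, consistent with an appended extension
    ambiguous: any other *.cfm (ColdFusion template, or an unlisted file type)
    """
    suspect, ambiguous = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != RANSOM_EXT:
            continue
        # Extension of the name once the trailing .cfm is removed.
        inner = Path(path.stem).suffix.lower()
        (suspect if inner in TARGETS else ambiguous).append(path)
    return sorted(suspect), sorted(ambiguous)


if __name__ == "__main__":
    # Usage: python find_locked.py <folder>   (defaults to the current folder)
    suspect, ambiguous = find_locked(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p in suspect:
        print("SUSPECT  ", p)
    for p in ambiguous:
        print("AMBIGUOUS", p)
```

The scan only reads directory entries, so it can be run against a mounted copy or image of the affected disk without modifying it.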

The CryForMe cryptovirus could be set to erase all the Shadow Volume Copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

If the command stated above is executed, the encryption becomes more effective, as it eliminates one of the ways of restoring your data. If your computer was infected with this ransomware and your files are locked, read on to find out how you could potentially recover your files.
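For monitoring, the shadow-copy deletion above can be matched in process-creation logs. The following is an added example, not code from the article or from the malware; the sample command lines are constructed, and the function names and severity labels are assumptions of this sketch.

```python
import re

# Constructed process-creation command lines (illustrative, not from the analysed sample).
SAMPLE_CMDLINES = [
    r'vssadmin.exe delete shadows /all /Quiet',
    r'"C:\Windows\System32\VSSADMIN.EXE"  Delete Shadows /Quiet /All',
    r'cmd.exe /c vssadmin delete shadows /all /quiet',
    r'vssadmin delete shadows /for=C: /oldest',
    r'vssadmin.exe list shadows',
    r'vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=10%',
]


def shadow_delete_severity(cmdline):
    """Return 'high', 'medium' or None for one command line."""
    # Windows ignores case and argument order, so normalise before matching.
    tokens = [t.strip('"\'').lower() for t in cmdline.split()]
    for i, tok in enumerate(tokens):
        image = re.split(r'[\\/]', tok)[-1]  # drop any directory part
        if image not in ('vssadmin', 'vssadmin.exe'):
            continue
        args = tokens[i + 1:]
        if args[:2] != ['delete', 'shadows']:
            return None  # list, resize and similar subcommands delete nothing
        # /all together with /quiet is the unattended wipe quoted in the article.
        return 'high' if {'/all', '/quiet'} <= set(args) else 'medium'
    return None


def scan(cmdlines):
    """Return (severity, cmdline) for every line that deletes shadow copies."""
    hits = [(shadow_delete_severity(c), c) for c in cmdlines]
    return [h for h in hits if h[0]]


if __name__ == '__main__':
    for severity, line in scan(SAMPLE_CMDLINES):
        print(f'{severity:6} {line}')
```

Matching on normalised tokens rather than the exact string catches the quoted-path, reordered-switch and cmd.exe-wrapped forms that a literal string comparison would miss.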

Remove CryForMe Ransomware and Restore .cfm Files

If your computer got infected with the CryForMe ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
