.Crypted File Virus Updated - Restore Files (DECRYPT.txt) - How to, Technology and PC Security Forum | SensorsTechForum.com

.Crypted File Virus Updated – Restore Files (DECRYPT.txt)

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This material is created to explain what is Crypted ransomware and help remove the virus files and restore files encoded with the .crypted file extension.

A ransomware infection, reported as a new version of Nemucod Ransomware that is spread via the same malicious e-mail spam used to spread Locky ransomware has appeared, infecting different Windows OS machines. Dubbed Nemucod or .Crypted virus, the ransomware infection may use an encryption algorithm to make the files on the infected computer no longer openable. The virus drops a DECRYPT.txt file in which it asks the victims to pay the sum of 0.23 BTC to get the files decrypted again. In case you have become a victim of the Crypted ransomware, advices are to read the following article carefully.

Threat Summary


.Crypted Virus

Short DescriptionThe user may witness a file “DECRYPT.txt” on his desktop and the ransom message to open in a text document every time Windows starts.
SymptomsThe user may witness ransom notes and “instructions” linking to a web page and a decryptor. The .crypted file extension is used.
Distribution MethodVia the notorious Kovter malicious e-mail spam carrying .zip email attachments.
Detection Tool See If Your System Has Been Affected by .Crypted Virus


Malware Removal Tool

User ExperienceJoin our forum to Discuss .Crypted Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.Crypted File Virus – Infection Process

The infection of this virus is conducted via malicious e-mail spam, also known as malspam. Malware researcher at malware-traffic-analysis.net has reported that multiple malicious files are spread via e-mails that pretend to be customer service from post services. One particular e-mail was a fake UPS service mail with the following content:

Dear Customer,
Your item has arrived at the UPS Post Office at March 12, but the courirer was unable to deliver parcel to you!
Please check the attachment for complete details!
Best regards
Casey Pearson,
UPS Parcels Delivery Clerk.

These e-mails contain a malicious .zip file attachment, named UPS-Label-{random number}.zip. In it there is a file with the same name that is a malicious JavaScript, but tries to hide it by inserting the interfix .doc. The file ends in .doc.js, for example UPS-Label-{random number}.doc.js.

Once the user clicks on the malicious JavaScript file, the infection is immediate. The virus immediately inserts the script which in it’s turn connects to one or more distribution websites to transfer information from and to the infected computer. The malicious websits to which the virus connects are reported to have the following hosts:

The virus uses the port 80 for all communication of those domains.

After an infection is already conducted, the Crypted virus drops the following files on the infected computer.

  • A .bat file with a random name, for example f332.bat, located in a random named folder in the %Local% directory.
  • Another randomly named file in the same folder with unknown format.
  • A .doc file in the %Temp% folder, usually named with one latin letter.
  • A one letter .txt file in the same %Temp% folder.
  • Two more executable files in %Temp%, named with letter and number, for example b1.exe and b2.exe.

.Crypted File Ransomware – Post-Infection Activity

Once the Crypted ransomware causes an infection, it does not change the wallpaper, but rather drops and opens a .txt file, named DECRYPT.txt. This file is the virus ransom note and it aims to notify the user of the demands of the cyber-criminals who have infected the computer. The content of DECRYPT.txt is the following:


All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.
To restore your files you have to pay 0.21753 BTC (bitcoins).
Please follow this manual:

1. Create Bitcoin wallet here:


2. Buy 0.21753 BTC with cash, using search here:


3. Send 0.21753 BTC to this Bitcoin address:


4. Open one of the following links in your browser to download decryptor:


5. Run decryptor to restore your files.

– If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
– Nobody can help you except us.
– It`s useless to reinstall Windows, update antivirus software, etc.
– Your files can be decrypted only after you make payment.
– You can find this manual on your desktop (DECRYPT.txt).”

When one of the websites are visited, the page does not let the user, if the ransom is not paid, meaning that the cyber-criminals may use IP address whitelist and allow only the IP addresses of victims that have paid the ransom.

Among these activities, the Crypted ransomware infection may also perform other types of infection activities, like create malicious registry values to run the executables in %AppData% that encrypt files automatically when Windows starts. The usually targeted registry keys for this are the Run and RunOnce sub-keys in the Windows Registry Editor.

In addition to this, the Crypted virus may also perform a deletion of any backups and shadow copies of the infected computer.

Crypted Ransomware – Encryption Information

Regarding the encryption procedure of Crypted ransomware, it is widely believed this virus uses the RSA (Rivest Shamir Adleman) encryption algorithm with the strength of 1024 bits. This type of encoding procedure results in the generating of unique decryption keys for each encrypted file or set of files. The encryption can be configured to encrypt the whole file, but there are files with huge sizes, this is why it may be coded to encode a portion of the file, enough to make it no longer openable.

For the encryption, various types of files may be targeted, like documents, pictures, audio files, music and other data of importance. To sum it up, .crypted files could become most of the following file types:

.zip .rar .7z .tar .gz .xls .xlsx .doc .docx .pdf .rtf .ppt .pptx .sxi .odm .odt .mpp .ssh .pub .gpg .pgp .kdb .kdbx .als .aup .cpr .npr .cpp .bas .asm .cs .php .pas .vb .vcproj .vbproj .mdb .accdb .mdf .odb .wdb .csv .tsv .psd .eps .cdr .cpt .indd .dwg .max .skp .scad .cad .3ds .blend .lwo .lws .mb .slddrw .sldasm .sldprt .u3d .jpg .tiff .tif .raw .avi .mpg .mp4 .m4v .mpeg .mpe .wmf .wmv .veg .vdi .vmdk .vhd .dsk Source:Symantec

After the encryption process by the .crypted file virus has been completed, the encoded files appear like the following and cannot be opened:

Whatever the situation may be, paying the ransom is not advisable since the virus may be

Remove .Crypted Ransomware and Restore Infected Files

The removal of the ransomware is rather simple than complicated. Since it may have an active connection to several remote servers, we advise following the removal instructions below to break this connection and remove the malicious files and entries. This can happen by downloading an advanced anti-malware tool and scanning the computer in offline Safe Mode with no third-party applications running and no active connection.

If you want to decrypt your files, you are lucky, because this is one of the few ransomware variants that have a working decryptor. The credit for that goes to Emsisoft researchers who have developed Nemucod decrypter. To see how to work with the decryptor and revert your files, please check the instructions in this article after you perform the removal of this virus below.

1. Boot Your PC In Safe Mode to isolate and remove .Crypted Virus
2. Remove .Crypted Virus with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by .Crypted Virus in the future

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share