A ransomware infection, reported as a new version of Nemucod Ransomware that is spread via the same malicious e-mail spam used to spread Locky ransomware has appeared, infecting different Windows OS machines. Dubbed Nemucod or .Crypted virus, the ransomware infection may use an encryption algorithm to make the files on the infected computer no longer openable. The virus drops a DECRYPT.txt file in which it asks the victims to pay the sum of 0.23 BTC to get the files decrypted again. In case you have become a victim of the Crypted ransomware, advices are to read the following article carefully.
|Short Description||The user may witness a file “DECRYPT.txt” on his desktop and the ransom message to open in a text document every time Windows starts.|
|Symptoms||The user may witness ransom notes and “instructions” linking to a web page and a decryptor. The .crypted file extension is used.|
|Distribution Method||Via the notorious Kovter malicious e-mail spam carrying .zip email attachments.|
|Detection Tool|| See If Your System Has Been Affected by .Crypted Virus |
Malware Removal Tool
|User Experience||Join our forum to Discuss .Crypted Virus.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
.Crypted File Virus – Infection Process
The infection of this virus is conducted via malicious e-mail spam, also known as malspam. Malware researcher at malware-traffic-analysis.net has reported that multiple malicious files are spread via e-mails that pretend to be customer service from post services. One particular e-mail was a fake UPS service mail with the following content:
Your item has arrived at the UPS Post Office at March 12, but the courirer was unable to deliver parcel to you!
Please check the attachment for complete details!
UPS Parcels Delivery Clerk.
The virus uses the port 80 for all communication of those domains.
After an infection is already conducted, the Crypted virus drops the following files on the infected computer.
- A .bat file with a random name, for example f332.bat, located in a random named folder in the %Local% directory.
- Another randomly named file in the same folder with unknown format.
- A .doc file in the %Temp% folder, usually named with one latin letter.
- A one letter .txt file in the same %Temp% folder.
- Two more executable files in %Temp%, named with letter and number, for example b1.exe and b2.exe.
.Crypted File Ransomware – Post-Infection Activity
Once the Crypted ransomware causes an infection, it does not change the wallpaper, but rather drops and opens a .txt file, named DECRYPT.txt. This file is the virus ransom note and it aims to notify the user of the demands of the cyber-criminals who have infected the computer. The content of DECRYPT.txt is the following:
All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.
To restore your files you have to pay 0.21753 BTC (bitcoins).
Please follow this manual:
1. Create Bitcoin wallet here:
2. Buy 0.21753 BTC with cash, using search here:
3. Send 0.21753 BTC to this Bitcoin address:
4. Open one of the following links in your browser to download decryptor:
5. Run decryptor to restore your files.
– If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
– Nobody can help you except us.
– It`s useless to reinstall Windows, update antivirus software, etc.
– Your files can be decrypted only after you make payment.
– You can find this manual on your desktop (DECRYPT.txt).”
When one of the websites are visited, the page does not let the user, if the ransom is not paid, meaning that the cyber-criminals may use IP address whitelist and allow only the IP addresses of victims that have paid the ransom.
Among these activities, the Crypted ransomware infection may also perform other types of infection activities, like create malicious registry values to run the executables in %AppData% that encrypt files automatically when Windows starts. The usually targeted registry keys for this are the Run and RunOnce sub-keys in the Windows Registry Editor.
In addition to this, the Crypted virus may also perform a deletion of any backups and shadow copies of the infected computer.
Crypted Ransomware – Encryption Information
Regarding the encryption procedure of Crypted ransomware, it is widely believed this virus uses the RSA (Rivest Shamir Adleman) encryption algorithm with the strength of 1024 bits. This type of encoding procedure results in the generating of unique decryption keys for each encrypted file or set of files. The encryption can be configured to encrypt the whole file, but there are files with huge sizes, this is why it may be coded to encode a portion of the file, enough to make it no longer openable.
For the encryption, various types of files may be targeted, like documents, pictures, audio files, music and other data of importance. To sum it up, .crypted files could become most of the following file types:
After the encryption process by the .crypted file virus has been completed, the encoded files appear like the following and cannot be opened:
Whatever the situation may be, paying the ransom is not advisable since the virus may be
Remove .Crypted Ransomware and Restore Infected Files
The removal of the ransomware is rather simple than complicated. Since it may have an active connection to several remote servers, we advise following the removal instructions below to break this connection and remove the malicious files and entries. This can happen by downloading an advanced anti-malware tool and scanning the computer in offline Safe Mode with no third-party applications running and no active connection.
If you want to decrypt your files, you are lucky, because this is one of the few ransomware variants that have a working decryptor. The credit for that goes to Emsisoft researchers who have developed Nemucod decrypter. To see how to work with the decryptor and revert your files, please check the instructions in this article after you perform the removal of this virus below.