This article aims to show you how to remove the .crypton Gryphon Ransomware virus variant from your computer and how to restore files encrypted by it.
!## DECRYPT FILES ##!.txt and .crypton encrypted files are the primary signs of presence of the next variant of Gryphon ransomware virus on your computer. The ransomware infection aims to use an advanced encryption algorithm to render the documents, audio files, videos plus other important objects on your computer no longer to be opened. The virus then adds the [[email protected]] e-mail and the .crypton extension as a file suffix to the encoded object. If your computer has been infected by this virus, do not obey the demands of the ransom note to pay a ransom to get the files back and read this article to learn how to remove .crypton file ransomware and restore encrypted files.
Threat Summary
| Name | Gryphon Ransomware |
| Type | Ransomware |
| Short Description | New version of Gryphon Ransomware. Encrypts files on your computer after which gives 48 hours to the victim of the virus to pay a hefty ransom. |
| Symptoms | Your valuable files become inaccessible and are renamed with the extension .crypton. For their decryption a ransom note appears on the PC screen, named !## DECRYPT FILES ##!.txt and demands a ransom payment. |
| Distribution Method | Spam Emails, Email Attachments, Fake Setups |
| Detection Tool | See If Your System Has Been Affected by Gryphon Ransomware Download Malware Removal Tool | User Experience | Join Our Forum to Discuss Gryphon Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
How Does .crypton Gryphon Ransomware Spread
Similar to the previous version of this ransomware virus, using the .gryphon file extension, the newer .crypton variant may spread in a multitude of ways, the primary of which is by e-mail. The way the scheme works is that you may receive a message with a blank content. The messages that were reported to carry the infection file of .crypton Gryphon variant have .zip archives in which a malicous .JS (JavaScript) file is used for the infection process. The .zip files have the following name:
→ EMAIL_{Unique Number Here}_{Recipient Info Here}.zip
Once the victim extracts the .js file it will appear with a random name. As soon as it has been activated, the .JS file begins to connect to a third-party host with the following IP address:
→ 119.28.78.131 via port 80
Domain name: scenetavern(dot)win or hallvilla(dot)win
After the connection has been established, the malware uses port 80 to download the malicious payload on the infected computer. The payload may consist of multiple malicious files located in the following Windows folders:
- %AppData%
- %Local%
- %LocalLow%
- %Temp%
Gryphon Ransomware (.crypton) – Analysis
As soon as the malicious files of this variant of Gryphon ransomware have been dropped on your computer, they may trigger a temporary system freeze, during which the Gryphon ransomware virus obtains administrative permissions.
Initially, the Grypon Ransomware .crypton variant may attack the Windows Registry Editor. In it, the virus may create a Windows Registry value string in the following registry sub-key:
→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
In addition to this, similar to the .gryphon file variant, the ransomware virus has the one and only purpose of making it’s presence known. This is why it drops a ransom note file, named !## DECRYPT FILES ##!.txt, which has the following content:
GRYPHON RANSOMWARE
Your documents, photos, databases and other important files have been encrypted
cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software – “GRYPHON DECRYPTER”
Using another tools could corrupt your files, in case of using third party
software we dont give guarantees that full recovery is possible so use it on
your own risk.
If you want to restore files, write us to the e-mail: [email protected]
In subject line write “encryption” and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)
It is in your interest to respond as soon as possible to ensure the restoration
of your files, because we wont keep your decryption keys at our server more than
one week in interest of our security.
Only in case you do not receive a response from the first email address
withit 48 hours, please use this alternative email adress: [email protected]
Your personal identification number:
In addition to those modifications, the .crypton Gryphon Ransomware variant may also delete the shadow volume copies of the infected machine by executing the following command in the background:
→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
In addition to this, the malware may temporary freeze your computer after which begin to encrypt files.
Gryphon Ransomware – Encryption Process
Regarding the encryption of file, Gryphon Ransomware does not mess around. The virus aims to append AES encryption algorithm on multiple file types, that are reported to possibly be the following:
→ .1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip
If the ransomware detects that some of it’s pre-selected file types are present on your computer, the virus may begin to replace not the whole file, but only portion of the file it targets. This portion is usually a segment of data in the file header or blocks of data within the file itself. After the encryption process is completed, the files begin to appear with the .crypton file extension, which can make the virus easily confusable with Crypton ransomware, which it has nothing to do with. The files assume the following appearance after your computer has been attacked by the .crypton variant of Gryphon Ransomware:
Remove Gryphon Ransomware and Restore .crypton Encrypted Files
Before beginning the removal process of this variant of Gryphon ransomware, we urge you to back your files up either on a flash drive or other external drive or online. Then, you can safely proceed with the removal process. Even though you can follow the manual instructions below, experts strongly advise to automatically remove Gryphon Ransomware with a malware-specific removal software. This will safely remove all the objects and revert the settings changed by this malware on your computer system.
For the recovery of your files, we have suggested multiple methods by which you could try and recover as many files as you can without having to pay the ransom. They are located in step “2. Restore files encrypted by Gryphon” below. The methods may not be 100% guarantee you will be able to recover your
