.Crypton File Virus (Gryphon) – Remove and Restore Files (Update 2017)

.Crypton File Virus (Gryphon Ransomware) – Remove and Restore Files

This article aims to show you how to remove the .crypton Gryphon Ransomware virus variant from your computer and how to restore files encrypted by it.

!## DECRYPT FILES ##!.txt and .crypton encrypted files are the primary signs of presence of the next variant of Gryphon ransomware virus on your computer. The ransomware infection aims to use an advanced encryption algorithm to render the documents, audio files, videos plus other important objects on your computer no longer to be opened. The virus then adds the [gladius_rectus@aol.com] e-mail and the .crypton extension as a file suffix to the encoded object. If your computer has been infected by this virus, do not obey the demands of the ransom note to pay a ransom to get the files back and read this article to learn how to remove .crypton file ransomware and restore encrypted files.

Threat Summary

NameGryphon Ransomware
Short DescriptionNew version of Gryphon Ransomware. Encrypts files on your computer after which gives 48 hours to the victim of the virus to pay a hefty ransom.
SymptomsYour valuable files become inaccessible and are renamed with the extension .crypton. For their decryption a ransom note appears on the PC screen, named !## DECRYPT FILES ##!.txt and demands a ransom payment.
Distribution MethodSpam Emails, Email Attachments, Fake Setups
Detection Tool See If Your System Has Been Affected by Gryphon Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Gryphon Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Does .crypton Gryphon Ransomware Spread

Similar to the previous version of this ransomware virus, using the .gryphon file extension, the newer .crypton variant may spread in a multitude of ways, the primary of which is by e-mail. The way the scheme works is that you may receive a message with a blank content. The messages that were reported to carry the infection file of .crypton Gryphon variant have .zip archives in which a malicous .JS (JavaScript) file is used for the infection process. The .zip files have the following name:

→ EMAIL_{Unique Number Here}_{Recipient Info Here}.zip

Once the victim extracts the .js file it will appear with a random name. As soon as it has been activated, the .JS file begins to connect to a third-party host with the following IP address:

→ via port 80
Domain name: scenetavern(dot)win or hallvilla(dot)win

After the connection has been established, the malware uses port 80 to download the malicious payload on the infected computer. The payload may consist of multiple malicious files located in the following Windows folders:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Temp%

Gryphon Ransomware (.crypton) – Analysis

As soon as the malicious files of this variant of Gryphon ransomware have been dropped on your computer, they may trigger a temporary system freeze, during which the Gryphon ransomware virus obtains administrative permissions.

Initially, the Grypon Ransomware .crypton variant may attack the Windows Registry Editor. In it, the virus may create a Windows Registry value string in the following registry sub-key:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

In addition to this, similar to the .gryphon file variant, the ransomware virus has the one and only purpose of making it’s presence known. This is why it drops a ransom note file, named !## DECRYPT FILES ##!.txt, which has the following content:

Your documents, photos, databases and other important files have been encrypted
cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software – “GRYPHON DECRYPTER”
Using another tools could corrupt your files, in case of using third party
software we dont give guarantees that full recovery is possible so use it on
your own risk.
If you want to restore files, write us to the e-mail: gladius_rectus@aol.com
In subject line write “encryption” and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)
It is in your interest to respond as soon as possible to ensure the restoration
of your files, because we wont keep your decryption keys at our server more than
one week in interest of our security.
Only in case you do not receive a response from the first email address
withit 48 hours, please use this alternative email adress: gladius_rectus@aol.com
Your personal identification number:

In addition to those modifications, the .crypton Gryphon Ransomware variant may also delete the shadow volume copies of the infected machine by executing the following command in the background:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

In addition to this, the malware may temporary freeze your computer after which begin to encrypt files.

Gryphon Ransomware – Encryption Process

Regarding the encryption of file, Gryphon Ransomware does not mess around. The virus aims to append AES encryption algorithm on multiple file types, that are reported to possibly be the following:

→ .1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip

If the ransomware detects that some of it’s pre-selected file types are present on your computer, the virus may begin to replace not the whole file, but only portion of the file it targets. This portion is usually a segment of data in the file header or blocks of data within the file itself. After the encryption process is completed, the files begin to appear with the .crypton file extension, which can make the virus easily confusable with Crypton ransomware, which it has nothing to do with. The files assume the following appearance after your computer has been attacked by the .crypton variant of Gryphon Ransomware:

Remove Gryphon Ransomware and Restore .crypton Encrypted Files

Before beginning the removal process of this variant of Gryphon ransomware, we urge you to back your files up either on a flash drive or other external drive or online. Then, you can safely proceed with the removal process. Even though you can follow the manual instructions below, experts strongly advise to automatically remove Gryphon Ransomware with a malware-specific removal software. This will safely remove all the objects and revert the settings changed by this malware on your computer system.

For the recovery of your files, we have suggested multiple methods by which you could try and recover as many files as you can without having to pay the ransom. They are located in step “2. Restore files encrypted by Gryphon” below. The methods may not be 100% guarantee you will be able to recover your


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share