CryPy Virus Remove and Restore .Cry Files - How to, Technology and PC Security Forum |

CryPy Virus Remove and Restore .Cry Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

crypy-ransomware-sensorstechforumA nasty virus, called CryPy, reported to use the Python language for it’s script has been detected by malware researchers, using AES-256 cipher to encode files. The encryptes files by this virus have the .cry file extension and in addition to that, the ransomware also changes the file names with random numbers, beginning with the CRY initials. After it’s encryption process is complete, CryPy malware drops a ransom note, called README_FOR_DECRYPT.txt. In this note, the virus also notifies that it will randomly delete a file every 6 hours if a ransom payoff to the cyber-criminals has not been made to restore the files. Anyone whose computer has been attacked by this devastating ransomware virus should not pay any ransom money and immediately remove the CryPy virus using the instructions in this article to avoid further file deletion. Furthermore, instead of paying the ransom, you can counter attack it and try to restore your files using alternative methods such as the ones suggested below.

Follow this article for more information to be updated soon.

Threat Summary



Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key for each file available to the cyber-criminals.
SymptomsCryPy Ransomware leaves a “README_FOR_DECRYPT.txt” ransom note and may delete random files from your computer if the terms in the note are not met. Changed file names and the various file extensions may be used.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by CryPy


Malware Removal Tool

User ExperienceJoin our forum to Discuss CryPy Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

CryPy Ransomware – How Does It Perform an Infection

This devastating threat is strongly believed to use a combination of tools that conceal it from any firewall and most conventional antivirus programs on a victim computer. One of those tools may be a malicious e-mail attachment tricking the user into opening it. Such attachments may be fake .PDF or Microsoft Office documents that when opened can cause the infection. The documents seem to be from a legitimate sender, and the e-mail aims to convince the user that they are of an important nature.

But attachments may not be the only method for spreading malicious files. Malicious web links posted on social media and other websites are also reported to cause infections by a drive-by-download after a malicious browser redirect. Such malicious web sites may be presented to the user in the form of an advertisement(malvertising) that is displayed as a pop-up or a direct browser redirect as a result of adware (PUP) installed on the victim’s computer.

CryPy Ransomware In Detail

When CryPy ransomware Is activated on the computer of it’s victim, the ransomware virus is believed to perform several different activities, to collect information about the compromised system and send it to the C&C servers of the virus.

Then the CryPy virus may drop it’s payload by contacting its server and downloading it from there. The payload may be one or more files of the following file types:

→ .exe, .tmp, .bat, .cmd, .dll, .vbs, etc.

After the payload of CryPy has been dropped, the virus may begin to modify numerous of settings, such as modify the Windows Registry Editor so that the malicious executables run on system startup. The usually targeted registry keys for this are:


After this has been conducted, the Virus may begin to encrypt the files on the compromised computer. It may scan for wide variety of file extensions to encrypt but the CryPy ransomware is mainly programmed to scan for and encrypt often used types of files, such as:

Image files.
Audio files.
All types of documents opened with Microsoft Office, Adobe, Photoshop and other software.
Database files.

As soon as the virus detects that a file has been found, it performs the following activities:

1)Encrypts the file using a strong AES-256 encryption algorithm.
2)Generates a unique decryption key.
3)Sends the decryption key to the CryPy ransomware’s command and control server.

The specific thing about this virus is that it connects to the sever every time one file is encrypted, generates a unique key for that file and sends it to the cyber-crooks. This means that if you have 100 files, it will contact the server 100 times.

The encrypted files by CryPy ransomware are enciphered with a very strong AES (Advanced Encryption Standard) algorithm. They can no longer be opened by any program because their code structure has changed. In addition to this, the virus not only adds it’s distinctive .cry file extension, but it also changes the file names, for example:


This is very similar to other ransomware viruses using the same extensions, such as the Central Security Treatment Organization Ransomware.

After enciphering the files of the infected computer, CryPy ransomware adds a Halloween style picture on the victim’s computer and adds a “README_FOR_DECRYPT.txt” ransom note which it automatically opens. The ransom note has the following message to the victims CryPy:

All your files are encrypted with strong ciphers.
Decrypting of your files is only possible with the decryption program, which is on our secret server.
Note that every 6 hours; a random file is permanently deleted. The faster you are, the fewer files you will lose.
Also, in 96 hours, the key will be permanently deleted, and there will be no way of recovering your files.
To receive your decryption program contact one of the emails:
Just inform your identification ID and we will give you next instruction.
Your personal identification ID: CRY{Unique Identification Number}”

CryPy Ransomware – Summary, Removal, and File Restoration

In case you want to restore your files, first, it is important to remove the CryPy virus from your computer. To do this, it is strongly advisable to follow the step-by-step instructions below. They are methodologically organized to assist you in removing CryPy ransomware completely from your computer. Furthermore, malware researchers also recommend using an advanced anti-malware software that will assist you into swiftly and automatically erasing all files associated with this malware.

If you are looking for methods to restore .cry encrypted files, at this point, there is no decryptor available for free. However, you can try the alternative methods illustrated in step “3. Restore files encrypted by CryPy” below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share