Decrypt .crypo Files Encrypted by RotorCrypt Ransomware

This article has been created in order to help you by explaining what the .crypo version of the RotorCrypt ransomware virus is and how to decrypt files encrypted with the [email protected] file extension for free.

A new version of the notorious RotorCrypt ransomware infection has been detected in the wild. The ransomware aims to infect your computer and then encrypt the files on it, so that they can no longer be opened. The end goal of the virus is to append the .crypo file extension together with the [email protected] e-mail address for contact. This is done with the purpose of getting the victims to contact the cyber-crooks by e-mail and pay a hefty ransom fee in Bitcoin in order to get the encrypted files decrypted and working once again. Luckily, however, a decryption is available for the .crypo family of ransomware viruses and you can recover your files for free if you read this article carefully and follow the instructions within it.

Threat Summary

Name: .crypo Files Virus
Type: Ransomware, Cryptovirus
Short Description: A variant of the RotorCrypt ransomware virus family. Aims to encrypt the files on the infected computers and then ask victims to pay ransom to get them back.
Symptoms: Files are encrypted with an added [email protected] file extension.
Distribution Method: Spam Emails, Email Attachments, Executable files

How Does RotorCrypt .crypo Infect

The infection process of this virus is rather simple. The cyber-criminals have likely managed to get their hands on a list of e-mail addresses used by real people, and these addresses are being spammed with malicious e-mail messages. Such spam messages often carry a malicious file attachment posing as a document (invoices, receipts, etc.). Some e-mails may even contain web links that lead the victim to malicious JavaScript execution, which in turn leads to the infection.

On some occasions, malicious Microsoft Office documents with malicious macros embedded within them are used. Such e-mails often get the user to click on “Enable Content” or similar “Enable Editing” buttons in the document, which causes the infection and the following chain of activities to be triggered.

In addition to those, there may be more passive methods of infection with this ransomware virus. These are often believed to be fake setups of programs, game patches, cracks, key generators or software license activators, which may be uploaded to malicious websites all over the world.

.crypo Files Virus – Analysis and Background

The main payload of this ransomware infection has been reported by malware researchers (https://www.virustotal.com/#/file/4213288a599af1981743832866461d735f2b25d80869a9da5f75ad1357449cda/) to carry a random name and have the following parameters:

→ SHA-256: 4213288a599af1981743832866461d735f2b25d80869a9da5f75ad1357449cda
Name: SJGZYXKH.EXE
Size: 77.5 KB

Detected as the latest version of RotorCrypt ransomware, this malware has seen quite some activity over time. When it infects a targeted computer, the .crypo virus begins a scan in order to establish whether or not the malware has been run on the victim’s computer beforehand. If so, the virus may shut down.

Another check the virus performs is of the OS version; if it is supported, the virus runs an obfuscated payload, which may consist of more than one file, and these files may be dropped in the following Windows folders:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Temp%
  • %Common%

The main payload files that have been detected so far in association with this ransomware virus have been reported by researchers to be located in various places on infected computers under different names, often random ones with uppercase and lowercase letters. Here are some of the malicious files reported in association with different variants of this ransomware virus:

→ %TEMP%\.exe
C:\Users\User_name\AppData\local\.exe
C:\Users\User_name\Desktop\.exe
C:\GWWABPFL_Unpack.EXE
%LOCALAPPDATA%\Microsoft Help\DNALWmjW.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\jHlxJqfV.lnk

In addition to dropping the malicious files, this ransomware infection also aims to delete the shadow volume copies on the computers it has infected. To do this, .crypo has to assume administrator privileges on the victim’s PC and run a script that executes the vssadmin and bcdedit commands in the Windows Command Prompt in the background of the victim’s computer:

→ vssadmin.exe delete shadows /all /Quiet
bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {current} recoveryenabled no
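As an added example (not code from the original article), the following Python snippet shows how a defender could flag the vssadmin/bcdedit sequence above in process-creation telemetry; the event records, their field names and the PIDs are constructed for illustration.

```python
import re

# Constructed process-creation records (not real telemetry); the cmdline
# values mirror the commands quoted in the article, plus two benign ones.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "vssadmin.exe delete shadows /all /Quiet"},
    {"pid": 4124, "cmdline": "bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures"},
    {"pid": 4128, "cmdline": "bcdedit.exe /set {current} recoveryenabled no"},
    {"pid": 5000, "cmdline": "vssadmin.exe list shadows"},   # routine admin check
    {"pid": 5001, "cmdline": "bcdedit.exe /enum"},            # routine admin check
]

# Each rule matches one step of the recovery-inhibition sequence; the optional
# ".exe" and quote tolerate full, quoted paths such as "C:\...\vssadmin.exe".
RULES = {
    "shadow_copy_deletion": re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.I),
    "boot_status_policy_tamper": re.compile(r'bcdedit(\.exe)?"?\s.*bootstatuspolicy\s+ignoreallfailures', re.I),
    "recovery_disabled": re.compile(r'bcdedit(\.exe)?"?\s.*recoveryenabled\s+no', re.I),
}


def classify(cmdline):
    """Return the names of the rules that a single command line triggers."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def triage(events):
    """Walk process-creation events and report hits plus an overall verdict."""
    hits = []
    seen = set()
    for ev in events:
        for rule in classify(ev["cmdline"]):
            hits.append({"pid": ev["pid"], "rule": rule, "cmdline": ev["cmdline"]})
            seen.add(rule)
    # Shadow copies wiped together with boot recovery disabled is the pattern
    # described above; a lone vssadmin call is weaker and should not page anyone.
    tampered = seen & {"boot_status_policy_tamper", "recovery_disabled"}
    return {"hits": hits, "ransomware_like": "shadow_copy_deletion" in seen and bool(tampered)}


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS)["hits"]:
        print(f"pid={hit['pid']} rule={hit['rule']} cmdline={hit['cmdline']}")
```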

RotorCrypt has had quite a few variants over the past few years and is actually an updated variant of the GomaSom ransomware. Aligned chronologically, here are all of the previous updated variants of the virus which have been detected since June 2015:

Variants from 2015:
[email protected]>
[email protected]
[email protected]>
[email protected]=–.crypt>
[email protected]==.crypt>
[email protected]_.crypt
[email protected]_.crypt>
[email protected]___.crypt>
[email protected]______.crypt
[email protected]______.crypt
[email protected]____.crypt
[email protected]_______.crypt
[email protected]
[email protected]____.tar
[email protected]____.tar

Variants from 2016:
[email protected]____.tar
[email protected]____.tar
[email protected]____.c300
[email protected]_____.GRANIT

Variants from 2017:
[email protected]___.GRANIT
[email protected]
[email protected]____.granit
[email protected]______.OTR
[email protected]________.pgp
[email protected]______.SPG
[email protected]_____.rar
[email protected]____.ANTIDOT
!-=solve a [email protected]=-.PRIVAT66
!==solve a [email protected]===.SENRUS17
[email protected]______.biz
[email protected]________.rar
[email protected]_______.PGP
[email protected]__________.PGP

Variants from 2018:
!==SOLUTION OF THE [email protected]==.Black_OFFserve!
[email protected]

.crypo Files Virus Encryption Process

The encryption of this ransomware has not changed much since the first version appeared. RotorCrypt still uses the RSA encryption algorithm in order to encode files on the infected computers. This cipher, known as Rivest-Shamir-Adleman, generates a unique pair of public and private keys, and only a portion of each file's bytes is encrypted with the cipher, not the whole file. The files that are encrypted by this version of the ransomware may be of the following file types:

→ .1cd, .avi, .bak, .bmp, .cf, .cfu, .csv, .db, .dbf, .djvu, .doc, .docx, .dt, .elf, .epf, .erf, .exe, .flv, .geo, .gif, .grs, .jpeg, .jpg, .lgf, .lgp, .log, .mb, .mdb, .mdf, .mxl, .net, .odt, .pdf, .png, .pps, .ppt, .pptm, .pptx, .psd, .px, .rar, .raw, .st, .sql, .tif, .txt, .vob, .vrp, .xls, .xlsb, .xlsx, .xml, .zip

After the encryption has completed, the files carry the added [email protected] extension described in the summary above.
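As an added example that is not part of the original article, the following Python snippet triages a file listing for names that follow the family's naming convention seen in the variant list above (contact e-mail, optional -=_ padding, then one of the known suffixes) and groups them by contact address and suffix, which helps scope an incident and pin down the variant. The file names and e-mail addresses are constructed placeholders, since the real addresses are not shown on this page, and the name layout is an assumption.

```python
import ntpath
import re
from collections import Counter

# Suffixes taken from the variant list in the article (matched case-insensitively).
KNOWN_SUFFIXES = (
    "crypt", "tar", "c300", "granit", "otr", "pgp", "spg", "rar", "antidot",
    "privat66", "senrus17", "biz", "black_offserve!", "crypo",
)

# Assumed layout: <original name><decoration><contact e-mail><-=_ padding>.<suffix>
# The local part must start with a letter or digit so that the "____" padding
# seen in the variant list is not swallowed into the address.
MARKER = re.compile(
    r"(?P<email>[A-Za-z0-9][A-Za-z0-9._-]*@[A-Za-z0-9.-]+?)[-=_]*\.(?P<suffix>"
    + "|".join(re.escape(s) for s in KNOWN_SUFFIXES) + r")$",
    re.IGNORECASE,
)

# Constructed directory listing; addresses and file names are placeholders.
SAMPLE_LISTING = [
    r"C:\Users\User_name\Documents\budget.xlsx!_____contact@example.invalid_____.crypo",
    r"C:\Users\User_name\Documents\photo.jpg!_____contact@example.invalid_____.crypo",
    r"C:\Users\User_name\Desktop\notes.txt!-=solve a problem@example.invalid=-.PRIVAT66",
    r"C:\Users\User_name\Desktop\readme.txt",
    r"C:\Users\User_name\Downloads\archive.tar",
]


def parse_encrypted_name(filename):
    """Return (contact e-mail, suffix) if the name follows the pattern, else None."""
    m = MARKER.search(filename)
    if not m:
        return None
    return m.group("email"), m.group("suffix").lower()


def triage_names(paths):
    """Count affected files per (contact e-mail, suffix) to identify the variant."""
    counts = Counter()
    for path in paths:
        parsed = parse_encrypted_name(ntpath.basename(path))
        if parsed:
            counts[parsed] += 1
    return counts


if __name__ == "__main__":
    for (email, suffix), n in triage_names(SAMPLE_LISTING).items():
        print(f"{n} file(s) renamed for {email} with suffix .{suffix}")
```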

Remove RotorCrypt Ransomware and Decrypt .crypo Files

In order to provide you with the most efficient way to remove this malware and decrypt your files, we have decided to separate the instructions into two phases: phase 1 being the removal and phase 2 the decryption instructions. In case you have already gotten rid of this malware, you can go right ahead and jump to the decryption instructions for your files.

Phase 1: Remove RotorCrypt

In order to fully erase RotorCrypt from your computer system, we have prepared manual and automatic removal instructions which you can follow below. In the event that you are experiencing difficulties with manual removal, experts often advise performing the removal automatically, preferably by downloading an advanced anti-malware program, which will make sure this malware is fully gone from your system and that it remains protected against future infections as well.


To remove .crypo Files Virus follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove .crypo Files Virus files and objects
2. Find files created by .crypo Files Virus on your PC
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by .crypo Files Virus

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
