Decrypt .crypo Files Encrypted by RotorCrypt Ransomware


This article has been created to help you by explaining what the .crypo version of the RotorCrypt ransomware virus is and how to decrypt files encrypted with the ! file extension for free.

A new version of the notorious RotorCrypt ransomware infection has been detected in the wild. The ransomware aims to infect your computer and then encrypt the files on it, so that they can no longer be opened. The end goal of the virus is to append the .crypo file extension, along with a contact e-mail address, to the encrypted files. This is done to get the victims to contact the cyber-crooks by e-mail and pay a hefty ransom fee in Bitcoin to get the encrypted files decrypted and working once again. Luckily, however, a decryption is available for the .crypo family of ransomware viruses, and you can recover your files for free if you read this article carefully and follow the instructions in it.

Threat Summary

Name: .crypo Files Virus
Type: Ransomware, Cryptovirus
Short Description: A variant of the RotorCrypt ransomware family. Aims to encrypt the files on infected computers and then ask victims to pay a ransom to get them back.
Symptoms: Files are encrypted with an added ! file extension.
Distribution Method: Spam e-mails, e-mail attachments, executable files

How Does RotorCrypt .crypo Infect

The infection process of this virus is rather simple. The cyber-criminals have most likely gotten their hands on a list of e-mail addresses used by real people, and these addresses are being spammed with malicious e-mail messages. Such spam messages often carry a malicious attachment, such as a fake document (invoice, receipt, etc.). Some e-mails may instead contain web links that lead the victim to malicious JavaScript whose execution results in the infection.

On some occasions, malicious Microsoft Office documents with malicious macros embedded in them are used. Such e-mails get the user to click on the “Enable Content” or similar “Enable Editing” button in the document, which triggers the infection and the chain of activities that follows it.

In addition to these, there may be more passive infection methods for this ransomware. These are often believed to be fake setups of programs, game patches, cracks, key generators or software license activators, uploaded to malicious websites all over the world.

.crypo Files Virus – Analysis and Background

The main payload of this ransomware infection has been reported by malware researchers to carry a random name and to have the following parameters:

→ SHA-256: 4213288a599af1981743832866461d735f2b25d80869a9da5f75ad1357449cda
Size: 77.5 KB

Detected as the latest version of RotorCrypt ransomware, this malware has seen quite a lot of activity over time. When it infects a targeted computer, the .crypo virus first runs a check to establish whether the malware has already been run on the victim’s computer. If so, the virus may shut itself down.

Another check the virus performs is of the OS version; if the version is supported, it runs an obfuscated payload, which may consist of more than one file, dropped in the following Windows folders:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Temp%
  • %Common%

The main payload files detected so far in association with this ransomware have been reported by researchers to be located in various places on infected computers, under different, often random, names that mix uppercase and lowercase letters. Here are some of the malicious files reported in association with different variants of this ransomware:

→ %TEMP%\.exe
%LOCALAPPDATA%\Microsoft Help\DNALWmjW.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\jHlxJqfV.lnk
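As an added example, not code from the original article or from any researcher it cites, here is a small Python sweep that checks a file inventory against the indicators above: the SHA-256 of the reported payload sample, the drop directories the page names, and the random mixed-case eight-letter file names seen in the reported paths. The random-name heuristic, the directory fragments and the sample inventory are assumptions constructed for this example; the hash is the one quoted on the page.

```python
import hashlib
import ntpath
import os
import re

# SHA-256 of the payload sample reported on the page (the only IoC hash it gives).
KNOWN_PAYLOAD_SHA256 = {
    "4213288a599af1981743832866461d735f2b25d80869a9da5f75ad1357449cda",
}

# Drop locations the page lists, as lower-case path fragments
# (assumption: a standard Windows user-profile layout).
SUSPECT_DIR_FRAGMENTS = (
    "\\appdata\\roaming\\",      # %AppData%
    "\\appdata\\local\\",        # %Local% / %LOCALAPPDATA%
    "\\appdata\\locallow\\",     # %LocalLow%
    "\\appdata\\local\\temp\\",  # %Temp%
    "\\programdata\\",           # %Common%
)
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Hypothetical heuristic for the random eight-letter mixed-case names in the
# page's examples (DNALWmjW.exe, jHlxJqfV.lnk): exactly 8 letters, both cases
# present, at most one vowel. Tuned only to those samples.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")


def looks_random(stem):
    """True if a file-name stem matches the random-name heuristic above."""
    if not RANDOM_NAME_RE.match(stem):
        return False
    return sum(c in "aeiouAEIOU" for c in stem) <= 1


def sha256_hex(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def classify(path, digest):
    """Return the list of reasons a (path, sha256) pair is suspicious (empty if none)."""
    reasons = []
    low = path.lower()
    stem, ext = ntpath.splitext(ntpath.basename(path))  # ntpath: Windows paths on any OS
    if digest in KNOWN_PAYLOAD_SHA256:
        reasons.append("hash matches reported RotorCrypt payload")
    if STARTUP_FRAGMENT in low and ext.lower() == ".lnk" and looks_random(stem):
        reasons.append("randomly named .lnk in Startup folder")
    elif ext.lower() == ".exe" and looks_random(stem) and any(f in low for f in SUSPECT_DIR_FRAGMENTS):
        reasons.append("randomly named .exe in a profile drop directory")
    return reasons


def sweep(inventory):
    """inventory: iterable of (path, sha256hex). Returns {path: [reasons]} for hits only."""
    hits = {}
    for path, digest in inventory:
        reasons = classify(path, digest)
        if reasons:
            hits[path] = reasons
    return hits


def build_inventory(root):
    """Walk a real directory tree and hash every readable file (for a live sweep)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    yield full, sha256_hex(fh.read())
            except OSError:
                continue


# Constructed inventory: paths modelled on the page's reported drop locations,
# digests made up (none of them is the real payload hash).
SAMPLE_INVENTORY = [
    (r"C:\Users\bob\AppData\Local\Microsoft Help\DNALWmjW.exe", "0" * 64),
    (r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jHlxJqfV.lnk", "1" * 64),
    (r"C:\Users\bob\AppData\Local\Temp\report.txt", "2" * 64),
    (r"C:\Program Files\Editor\editor.exe", "3" * 64),
]

if __name__ == "__main__":
    for path, reasons in sweep(SAMPLE_INVENTORY).items():
        print(path, "->", "; ".join(reasons))
```

The hash match is the only exact indicator; the path and name rules are heuristics meant to surface candidates for a human to look at, so treat a name-only hit as a lead, not a verdict.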

In addition to dropping the malicious files, this ransomware infection also deletes the shadow volume copies on the computers it has infected. To do this, .crypo has to obtain administrator privileges on the victim’s PC, after which it runs a script that executes the vssadmin and bcdedit commands in the Windows Command Prompt in the background:

→ vssadmin.exe delete shadows /all /Quiet
bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {current} recoveryenabled no
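The three commands above are a reliable detection opportunity, since ordinary users rarely run them and almost never in sequence. As an added example, not part of the original article, the Python below runs three rules over constructed process-creation log lines (a made-up format loosely modelled on the CommandLine and ParentImage fields of Sysmon Event ID 1) and singles out a parent process that trips more than one rule. Every path and log line is constructed for the example.

```python
import re

# Constructed sample log lines (assumption: a made-up format loosely modelled on
# the CommandLine / ParentImage fields of Sysmon Event ID 1; nothing here is real
# telemetry and every path is invented for the example).
SAMPLE_LOG = (
    "2018-05-02 10:14:03 Image: C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine: vssadmin.exe delete shadows /all /Quiet "
    "ParentImage: C:\\Users\\bob\\AppData\\Local\\Temp\\xkQwPzLb.exe\n"
    "2018-05-02 10:14:03 Image: C:\\Windows\\System32\\bcdedit.exe "
    "CommandLine: bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures "
    "ParentImage: C:\\Users\\bob\\AppData\\Local\\Temp\\xkQwPzLb.exe\n"
    "2018-05-02 10:14:04 Image: C:\\Windows\\System32\\bcdedit.exe "
    "CommandLine: bcdedit.exe /set {current} recoveryenabled no "
    "ParentImage: C:\\Users\\bob\\AppData\\Local\\Temp\\xkQwPzLb.exe\n"
    "2018-05-02 11:02:17 Image: C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine: vssadmin.exe list shadows "
    "ParentImage: C:\\Windows\\System32\\cmd.exe\n"
    "2018-05-02 11:30:00 Image: C:\\Windows\\System32\\notepad.exe "
    "CommandLine: notepad.exe notes.txt "
    "ParentImage: C:\\Windows\\explorer.exe\n"
)

# One rule per command the page lists. Matching is case-insensitive because
# the quoted command mixes "/all /Quiet" casing.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}

FIELD_RE = re.compile(r"CommandLine:\s*(?P<cmd>.*?)\s+ParentImage:\s*(?P<parent>\S+)")


def parse_line(line):
    """Extract (command line, parent image) from one log line, or None if absent."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    return m.group("cmd"), m.group("parent")


def detect_recovery_tampering(log_text):
    """Return one finding per log line whose command line matches a rule."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        cmd, parent = parsed
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append({"rule": rule, "command": cmd, "parent": parent})
                break  # one rule per line is enough
    return findings


def parents_by_rule_count(findings):
    """Map each parent process to the number of distinct rules it tripped."""
    seen = {}
    for f in findings:
        seen.setdefault(f["parent"], set()).add(f["rule"])
    return {parent: len(rules) for parent, rules in seen.items()}


def high_confidence_parents(findings, threshold=2):
    """Parents that tripped at least `threshold` distinct rules. A lone vssadmin
    call can be administrator housekeeping; the full chain quoted on the page,
    issued by one binary living in %Temp%, is a much stronger signal."""
    counts = parents_by_rule_count(findings)
    return sorted(p for p, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = detect_recovery_tampering(SAMPLE_LOG)
    for f in found:
        print(f"[{f['rule']}] {f['command']}  <- {f['parent']}")
    print("high confidence:", high_confidence_parents(found))
```

The "list shadows" line is deliberately included to show that the rules key on the destructive verbs, not on the mere presence of vssadmin; a production rule set would also want to correlate with the parent's signature status and location.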

RotorCrypt has had quite a few variants over the past few years and is actually an updated variant of the GomaSom ransomware. Arranged chronologically, here are the previous variants of the virus detected since June 2015:

Variants from 2015

Variants from 2016

Variants from 2017

!-=solve a
!==solve a

Variants from 2018

.crypo Files Virus Encryption Process

The encryption used by this ransomware has not changed much since the first version appeared. RotorCrypt still uses the RSA encryption algorithm to encode files on infected computers. This cipher, named after Rivest, Shamir and Adleman, generates a unique public and private key pair, and only a portion of each file's bytes is encrypted with it, not the whole file. The files encrypted by this version of the ransomware may be of the following types:

→ .1cd, .avi, .bak, .bmp, .cf, .cfu, .csv, .db, .dbf, .djvu, .doc, .docx, .dt, .elf, .epf, .erf, .exe, .flv, .geo, .gif, .grs, .jpeg, .jpg, .lgf, .lgp, .log, .mb, .mdb, .mdf, .mxl, .net, .odt, .pdf, .png, .pps, .ppt, .pptm, .pptx, .psd, .px, .rar, .raw, .st, .sql, .tif, .txt, .vob, .vrp, .xls, .xlsb, .xlsx, .xml, .zip

After the encryption has completed, the files assume the following appearance:

Remove RotorCrypt Ransomware and Decrypt .crypo Files

To provide you with the most efficient way to remove this malware and decrypt your files, we have split the instructions into two phases: Phase 1 is the removal and Phase 2 the decryption instructions. If you have already gotten rid of this malware, you can jump straight to the decryption instructions for your files.

Phase 1: Remove RotorCrypt

To fully erase RotorCrypt from your computer system, we have prepared manual and automatic removal instructions, which you can follow below. In the event that you experience difficulties with manual removal, experts often advise performing the removal automatically, preferably by downloading advanced anti-malware software, which will make sure this malware is fully gone from your system and that it remains protected against future infections as well.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
