Decrypt Files Encrypted by CryptoShield Ransomware (Updated CryptoMix) - How to, Technology and PC Security Forum |

Decrypt Files Encrypted by CryptoShield Ransomware (Updated CryptoMix)

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article aims to show you how to delete CryptoShield ransomware from your computer and hopefully decrypt .cryptoshield files.

Thankfully for some victims, a decryptor has been released by Avast malware research experts that will decrypt files encrypted by CryptoShield ransomware. The virus came out earlier this year, using the .cryptoshield file extension and CryptoWall ransomware’s ransom note. It is reportedly using AES cipher that generate unique decryption keys which cyber-criminals use to extort victims of this virus. The bad news in this case is that according to expert Jakub Kroustek the decryption tool prepared by Ladislav Zezula may work only for some instances of the ransomware. Either way, we have decided to assist with creating instructions on how to use the Avast decryption tool and try to decode the files.

CryptoShield Ransomware – More Information

The CryptoShield virus was first discovered in a 1.0 version in the end of January, 2017. Since then, this virus has evolved in two other versions – 1.1 and 2.0.

To infect unsuspecting users, all the versions have begun to utilize the latest Rig Exploit Kit version 4.0 which is also used with other well-known ransomware viruses:

The exploit kit was combined with a malicious executable, which may be of the following executable file types:

→ ‘sys’,’shs’,’wmf’,’chm’,’wmf’,’ozd’,’ocx’,’aru’,’xtbl’,’bin’,’exe1′,’386′,’dev’,’xnxx’,’vexe’,’tps’,’pgm’,’php3′,’hlp’,’vxd’,’buk’,’dxz’,’rsc_tmp’,’sop’,’wlpginstall’,’boo’,’bkd’,’tsa’,’cla’,’cih’,’kcd’,’s7p’,’smm’,’osa’,’exe_renamed’,’smtp’,’dom’,’vbx’,’hlw’,’dyz’,’rhk’,’fag’,’qrn’,’fnr’,’dlb’,’mfu’,’xir’,’lik’,’ctbl’,’dyv’,’bll’,’bxz’,’mjz’,’mjg’,’dli’,’fjl’,’ska’,’dllx’,’tti’,’upa’,’txs’,’wsh’,’uzy’,’cfxxe’,’xdu’,’bup’,’spam’,’nls’,’iws’,’ezt’,’oar’,’.9′,’blf’,’cxq’,’cxq’,’cc’,’dbd’,’xlv’,’rna’,’tko’,’delf’,’ceo’,’bhx’,’atm’,’lkh’,’vzr’,’ce0′,’bps’,’pid’,’hsq’,’zvz’,’bmw’,’fuj’,’ssy’,’hts’,’qit’,’aepl’,’dx’,’lok’,’plc’,’mcq’,’cyw’,’let’,’bqf’,’iva’,’xnt’,’pr’,’lpaq5′,’capxml’

After infection, CryptoShield drops multiple .exe and .tmp.exe files on the compromised computers by downloading them from remote hosts, such as

Cryptoshield also uses commands in Windows command prompt to delete shadow volume copies and disable the recovery of Windows.

Thankfully, some of the victims of this ransomware infection do not have to pay the ransom, if they haven’t already deleted the encrypted files.

CryptoShield Ransomware – Decryption Process

Before any decryption process by this virus begins, recommendations are to use an advanced anti-malware tool to remove the infection and then to back-up the encrypted files by creating several copies of them on different removable drives or in the cloud.

Then, we advise you to follow these steps:

Step #1: Download “CryptoMix Fix” tool from Avast’s website. Link to the download page, you can locate below:

Make sure to save the file somewhere where you can easily find it:

Step #2: Run the program and click on the “Next” button.

Step #3: Choose the drive which you want to be scanned for encrypted files and click on “Next” once more. You can also add a folder that has important files, by clicking on the “Add Folder” button on the bottom-right:

Step #4: Find an original file and it’s encrypted analogue. If you struggle finding an original file, please check the default Windows folders of a non-infected PC with the same version of Windows as yours:

→ For newer Windows (8, 8.1, 10):
For Windows 7 and earlier:

Step #5: Upload the files in the blank fields of the next step of the Avast CryptoMix Fix decryptor:

Step #6: Paste the password from your version of CryptoMix in the next field in case you know it:

And now all that is left is to run the decryptor and it will begin to do it’s magic.

CryptoShield Decryption – The Bottom Line

As a conclusion, it is vital to know that if you have decrypted your files successfully, you are in great luck, because there are many ransomware victims who still haven’t. This is why we at SensorsTechForum are committed to educating users how to avoid such infections before they even happen. To learn how to prevent ransomware viruses and other malware infections from infecting your computer via e-mail, please read the related article below:


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share