How to Decrypt Files For Free (CryptConsole Virus)

How to Decrypt [email protected] Files For Free (CryptConsole Virus)

This article has been created to help you remove the [email protected] variant of CryptConsole ransomware and show you how you can decrypt files that have been encrypted by this ransomware on your computer.

A new variant of the CryptConsole ransomware virus has been detected by cybersecurity researchers. The malawre now uses the e-mail [email protected] as a name of the files, that are encrypted by it, however it still drops the same README.txt ransom note on the computers of victims to convince them into paying ransom to get the encrypted files to work again. Unfortunately for the cyber-criminals, the ransomware is now decryptable and you can recover your files for free if you keep reading this article.

Threat Summary

Name[email protected] Files Virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on the victim’s computer and then set a random file name, which includes the e-mail [email protected]
SymptomsFiles are no longer openable and are renamed plus contain the [email protected] file extension and a README.txt ransom note, asking victims to pay hefty ransom in BitCoin to get the files decrypted and working.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by [email protected] Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss [email protected] Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

[email protected] Files Virus –How Does It Infect

This variant of CryptConsole ransomware may use more than one methods to find itself on the computers of victims. The main method which is used by most CryptConsole ransomware variants, including [email protected] may be malicious e-mail spam messages, also known as malspam. Such e-mails aim to convince victims into believing that they come from legitimate people or companies and they aim to get victims to download a malicious attachments, posing as receipts, invoices or other urgent documents. The crooks often use deceptive tactics to convince the victims:

In addition to via e-mail, the criminals may take advantage of PUPs (potentially unwanted programs), like adware or browser hijackers, that aim to cause a browser redirect to a malicious URL, causing the infection via a JavaScript – induced drive-by download.

Besides these, there are passive methods that are also often used by the cyber-criminals who are behind this virus and those methods usually include uploading the infection file on software websites. There, it may pose as legitimate software, such as:

  • Setup of a program
  • Activator of software.
  • Keygen for activation.
  • Cracks for software or games.
  • Patches.
  • Portable apps or versions of such.

[email protected] – Activity

The [email protected] files ransomware is a variant of the CryptConsole viruses, which basically is a ransomware that is available for purchase or download in the deep web marketplace. From there, anyone who downloads the malware may modify it according to their needs. This is known as ransomware as a service (RaaS) and it is done to make money for the malware author of this virus, whether it is done by selling the malware or simply taking percentage of BitCoins paid from ransom.

The main files that are associated with the [email protected], may be the following payload files, detected in other variants as well, but under different file names:

  • smss.exe
  • svchost.exe
  • csrss.exe
  • lsass.exe

After the [email protected] virus has dropped the above mentioned payload files, the malware may perform privilege elevation techniques that allow it to create mutexes, modify system files of Windows and last but not least, set the encryption module of the [email protected] virus to run automatically when your boot Windows. This is done by adding a registry value in the following Windows registry sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Furthermore, the ransomware may also focus on deleting the backed up files on your computers. These are known as shadow volume copies and they are mirror files that can be recovered easily with Windows System Recovery. To delete those, the [email protected] may execute a script that may enter the following commands to disable Windows Recovery and delete those shadow volume copies:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

After doing so, the ransomware may also show it’s README.txt ransom note to the victim, which ususally asks to contact the crooks via their e-mail and negotiate the future of your files, which is not advisable, because the CrytptConsole family of viruses are all decryptable.

[email protected] Ransomware -Encryption

In order to make it possible for the files on your computer to no longer be able to be opened, the [email protected] virus scans for them after which starts to encrypt them based on a pre-set list of file extensions, which often consists of files that are regularly used, like:


After this variant of CryptConsole ransomware has been engaged into usage, and encrypts your files, they no longer look the same and are completely renamed with the e-mail [email protected] at the start of their file names. The files may start to look like the image below shows:

How to Remove [email protected] Virus and Decrypt Files Without Paying

If you want to get rid of the [email protected] version of CryptConsole ransomware, we urge you to follow the removal instructions below. If manual removal does not seem to help, be advised that according to security analysts the best method to remove this virus is automatically with the aid of an advanced anti-malware software. Such tool will effectively scan your computer for malicious files and make sure that it is completely protected from those by removing them and setting up real-time protection in the future.

Furthermore, after removing this variant of CryptConsole ransomware, you can follow the “Decryption Instructions for CryptConsole Ransomware” underneath as they have information how to use the CryptConsole Decrypter by Michael Gillespie (demonslay335) to restore your files for free.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share