
Remove Cryp1 (UltraCrypter) Ransom Virus and Get The .Cryp1 Files Back

Update! Malware researchers from Kaspersky have updated their Rannoh Decryptor utility with decryption for the CryptXXX 3.0 ransomware family. Files should be fully decrypted with the help of that software. You can find its download page and instructions at: Kaspersky’s Rannoh Decryptor page.


A very dangerous ransomware virus has started to infect users all over the world. It carries the name Cryp1 and is also known as the second version of CryptXXX 3.0 ransomware, another dangerous virus that has passed through many improvements on its way to being perfected. The Cryp1 ransomware demands around 1.2 BTC (542 USD) to decrypt the user's encrypted files. What is interesting is that all it needs to do this damage is two small files. Malware researchers strongly advise users infected with the virus to remove it using the instructions provided in this article.

Threat Summary

Short Description: A new and improved version of CryptXXX 3.0 ransomware. It encrypts the user's files, appending a .cryp1 file extension, and asks for around 500 dollars in ransom for the decryption process.
Symptoms: Files become corrupted (encrypted) and the wallpaper is changed to instructions on how to pay the ransom money and decrypt your files.
Distribution Method: An exploit kit attack distributed in various forms.

How Does Cryp1 Ransomware Conduct Its Infection

To infect users successfully, the ransomware uses the so-called exploit kit attack. However, it does not use just any average attack: Cryp1's exploit kit is updated to slip past the latest definitions and anti-malware mechanisms. It is also believed to use a very modern multi-stage infection process that does not limit itself to a single method of infection.

One variant used by the crooks is a malicious exploit server, which covers several infection scenarios, for example:


Cryp1 Ransomware Activity Stages

Once the exploit kit has infected a user, it drops two files in the user's %Temp% folder, its malicious executable and its file encrypter:

  • C:/Users/{Username}/AppData/Local/Temp/Low/FB73.tmp.dll – the file which performs the encryption of the files on the drive of the infected machine.
  • C:/Users/{Username}/AppData/Local/Temp/Low/Rundll32.exe – the file which modifies the Windows Registry, deletes backups and creates other files on the infected machine.

After these files are created and executed, the ransomware gets down to business. It begins to encrypt files associated with the following types of user data:

  • Videos.
  • Photos.
  • Music and other audio files.
  • Pictures.
  • Database files.
  • Photoshop documents.
  • Microsoft Office documents.
  • SQLite files.
  • VirtualBox virtual machine files.
  • Other files associated with programs that are often used by Windows users.

The Cryp1 virus is also programmed to modify the following registry entries, both to change the user's wallpaper and to make its FB73.tmp.dll file encryptor run on Windows startup and encrypt every newly added file:

HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"rundll32.exe" = "C:/Users/{USER'S PROFILE}/AppData/Local/Temp/"
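The dropped files and the Run key described above are the indicators a defender can check for without touching anything. The following read-only triage script is an added example written for this article, not code from the original post or from the malware author: it looks for HKCU Run values pointing into AppData\Local\Temp (the article documents a "rundll32.exe" value whose data is the Temp path), for the two components in %TEMP%\Low, and for files already carrying the .cryp1 extension. Two assumptions go beyond the text: the dropper name is matched as any *.tmp.dll rather than only FB73.tmp.dll, in case the name varies, and the scan root defaults to the current user profile.

```powershell
# Added example (not from the original article): read-only Cryp1 triage.
# Reports indicators only; it deletes and modifies nothing. Run as the affected user.
# Assumptions not stated on the page: any *.tmp.dll in %TEMP%\Low is reported (the
# article names FB73.tmp.dll), and the scan root defaults to the user profile.
param(
    [string]$ScanRoot = $env:USERPROFILE
)

$findings = @()

# 1. Persistence: HKCU Run values whose data points into AppData\Local\Temp.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata members
        if ("$($p.Value)" -match '(?i)AppData[\\/]Local[\\/]Temp') {
            $findings += [pscustomobject]@{
                Type   = 'RunKey'
                Name   = $p.Name
                Detail = $p.Value
            }
        }
    }
}

# 2. Dropped components in %TEMP%\Low (FB73.tmp.dll and Rundll32.exe per the article).
$lowTemp = Join-Path $env:TEMP 'Low'
if (Test-Path $lowTemp) {
    $dropped = Get-ChildItem -Path $lowTemp -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*.tmp.dll' -or $_.Name -ieq 'Rundll32.exe' }
    foreach ($f in $dropped) {
        $findings += [pscustomobject]@{
            Type   = 'DroppedFile'
            Name   = $f.Name
            Detail = "$($f.FullName) ($($f.Length) bytes, written $($f.LastWriteTime))"
        }
    }
}

# 3. Impact: files under the scan root that already carry the .cryp1 extension.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq '.cryp1' }
if ($encrypted) {
    $findings += [pscustomobject]@{
        Type   = 'EncryptedFiles'
        Name   = "$(@($encrypted).Count) files"
        Detail = (@($encrypted) | Select-Object -First 5 -ExpandProperty FullName) -join '; '
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Cryp1 indicators found under $ScanRoot."
} else {
    $findings | Format-Table -AutoSize
}
```

A Run value that references the Temp folder is suspicious rather than conclusive, since a badly written installer can leave a similar entry behind, so the script only reports what it finds. Confirm the hit against the file names and the .cryp1 count before removing anything, and keep the encrypted files: the Kaspersky update at the top of the article means they may still be recoverable.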

After creating those registry entries, the user's wallpaper changes immediately to the following picture:


The ransom demands shown on the wallpaper picture are the following:

→ All your files are encrypted.
ID: {Unique Identification}
Download and install tor-browser
TorLink: http://eqyo4fbr5okzaysm(.)onion
Write down the information to notebook (exercise book) and reboot the computer.

After this, the user infected by Cryp1 is redirected to a payment website with additional instructions on how to pay the ransom money. This payment page may be available in more than one language:


Removal of Cryp1 Ransomware

To delete this ransom virus from your computer, we strongly advise you to follow the instructions mentioned below. In case you have trouble finding the registry entries and the files created by the ransomware manually, we advise using the automatic removal option, which will swiftly take care of the threat and make sure it does not spread to other computers on the network.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
