.EMPTY Files Virus – How to Remove and Decrypt Files for Free

This article aims to provide instructions and information on how to remove the .EMPTY file ransomware virus and how to restore files that have been encrypted by it.

The CryptoMix family of ransomware viruses has received a new update, and this time it uses the .EMPTY file extension. The ransomware aims to encrypt every important file on your computer, leaving behind a ransom note. The note demands that you contact the cybercriminals at one of three e-mail addresses and eventually receive further instructions on how to pay a ransom in return for your encrypted files.

Threat Summary

Name: .EMPTY File Virus
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on the infected computer and then demands that victims pay a hefty ransom fee to decrypt them. Decryptable for free.
Symptoms: Files are encrypted and receive the added .EMPTY file extension. Users are asked to contact the cyber-criminals via e-mail.
Distribution Method: Spam e-mails, e-mail attachments, executable files

.EMPTY Files Virus – How Does It Spread

To spread widely, the virus may use various methods, the main one of which is likely e-mail spam. The spam messages carrying the .EMPTY ransomware may contain convincing statements whose end goal is to get the victim to open the malicious attachment, like the example below:

  • Financial Activity Statement Keep track of your account with your latest Online Financial Statement from NatWest Bank.
  • Please download and view Microsoft Word attachment.
  • So check out your statement right away, or at your earliest convenience.
  • Thank you for managing your account online. Sincerely, NatWest Bank.

Besides an infected Microsoft Word document that may contain malicious macros, the e-mails may also carry other types of malicious executables, one of which has been reported on VirusTotal.com to be the following:

.EMPTY File Virus – More Information

Once the victim becomes infected with the .EMPTY variant of CryptoMix, the virus may first drop its malicious files on the user's computer. The files may exist under different names and be located in the commonly targeted Windows folders below:

After the files of .EMPTY ransomware are dropped on the user's computer, the malware may begin its malicious activity. It executes the payload files, which run in the background as processes. Those files are obfuscated so that security software running on the computer may fail to detect them. They contain multiple functions that take advantage of critical Windows components. These functions may let .EMPTY ransomware modify crucial registry entries on the user's computer, adding registry strings that change various Windows settings. One of the strings added may be located in the Run and RunOnce registry sub-keys, which are responsible for running programs automatically at Windows start-up. The sub-keys have the following locations:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
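A quick way to audit exactly the four keys listed above is to enumerate their values and check where each program actually lives. The script below is an added example, not code from the original article or from the malware; the list of "suspicious" directories is an assumption for illustration (droppers usually land in per-user or temp folders), so extend it for your environment.

```powershell
# Added example, not from the original article: enumerate the four Run/RunOnce
# keys listed above and flag values whose program lives in a user-writable
# directory, which is where ransomware droppers usually land. The directory
# list is an assumption for illustration; extend it for your environment.

$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Locations a legitimate autostart rarely points at but droppers usually do.
$suspiciousRoots = @(@(
    [Environment]::GetFolderPath('ApplicationData'),        # %APPDATA%
    [Environment]::GetFolderPath('LocalApplicationData'),   # %LOCALAPPDATA%
    [Environment]::GetFolderPath('CommonApplicationData'),  # C:\ProgramData
    $env:TEMP,
    (Join-Path $env:SystemDrive 'Users\Public')
) | Where-Object { $_ })

# Properties Get-ItemProperty adds that are not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutableFromCommand {
    param([string]$CommandLine)
    # Expand %VAR% references stored as plain REG_SZ, then take the first
    # token: either a quoted path or everything up to the first space.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+)')     { return $Matches[1] }
    return ''
}

function Get-AutorunEntries {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            $exe = Get-ExecutableFromCommand -CommandLine $cmd
            $suspicious = $false
            foreach ($root in $suspiciousRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $suspicious = $true }
            }
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $cmd
                Executable = $exe
                OnDisk     = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
                Suspicious = $suspicious
            }
        }
    }
}

Get-AutorunEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries marked Suspicious with a name you do not recognise are the ones to investigate; an entry whose executable is no longer OnDisk is also worth noting, since droppers often delete themselves after the payload starts. On 64-bit Windows, 32-bit programs register under the Wow6432Node copies of these keys, so add those paths to the list if you run the check from a 64-bit PowerShell.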

Not only this, but the .EMPTY variant of CryptoMix may also execute a batch (.bat) file that deletes the Volume Shadow Copies on the compromised computer and disables Windows' automatic start-up repair, removing the easiest local ways to get the files back. This file may contain the following administrative Windows commands (the fragment begins with the tail of a wmic process call create invocation that launches cmd.exe):

→ process call create "cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

The vssadmin line silently deletes every shadow copy on the system. The first bcdedit line disables the Windows Recovery Environment that would otherwise start after a failed boot, and the second tells the boot manager to ignore boot failures so that no repair prompt appears. All three require administrative rights, and none of them is something an ordinary application runs, which makes this command chain a reliable thing to alert on.
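The chain above is easy to detect from process-creation logs because the commands are distinctive. The script below is an added example, not code from the original article: it matches command lines against the three commands shown and, going beyond what the article reports for .EMPTY, against a few closely related commands (wmic shadowcopy delete, vssadmin resize shadowstorage, wbadmin delete catalog) that other ransomware families use for the same purpose. The sample log lines are constructed for illustration; the live query at the end assumes Security event 4688 auditing with command-line logging is enabled.

```powershell
# Added example, not from the original article: flag process command lines that
# match the recovery-sabotage chain above. The extra patterns (wmic shadowcopy
# delete, vssadmin resize shadowstorage, wbadmin delete catalog) go beyond what
# the article reports for .EMPTY; they are common alternatives for the same
# purpose. The sample log lines are constructed for illustration.

$sabotagePatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'wbadmin(\.exe)?\s+delete\s+catalog',
    'bcdedit(\.exe)?\s+.*recoveryenabled\s+no',
    'bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures'
)

function Test-RecoverySabotage {
    # Returns the first matching pattern, or $null when the line is clean.
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($pattern in $sabotagePatterns) {
        if ($CommandLine -match $pattern) { return $pattern }   # -match is case-insensitive
    }
    return $null
}

# Constructed samples in the shape of the "Process Command Line" field of
# Security event 4688 (Sysmon event 1 carries the same field).
$samples = @(
    'cmd.exe /c vssadmin.exe delete shadows /all /quiet',
    'bcdedit.exe /set {default} recoveryenabled no',
    'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures',
    'vssadmin.exe list shadows',                        # benign: listing, not deleting
    '"C:\Windows\System32\notepad.exe" C:\note.txt'     # benign
)

foreach ($line in $samples) {
    $hit = Test-RecoverySabotage -CommandLine $line
    if ($hit) { Write-Output "ALERT  [$hit]  $line" } else { Write-Output "ok     $line" }
}

# Live check against the Security log. Needs an elevated prompt and process
# creation auditing with "Include command line in process creation events"
# enabled; otherwise the CommandLine field is empty and nothing can match.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue
foreach ($event in $events) {
    $xml = [xml]$event.ToXml()
    $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
    if ($cmd) {
        $hit = Test-RecoverySabotage -CommandLine $cmd
        if ($hit) {
            [pscustomobject]@{ Time = $event.TimeCreated; Pattern = $hit; CommandLine = $cmd }
        }
    }
}
```

Run against the constructed samples, the first three lines are reported as ALERT and the two benign ones as ok. In production the same patterns belong in the SIEM or EDR rule set rather than a script, and the two bcdedit lines are worth a high-severity alert on their own: they have no business being run on a workstation outside of a planned rebuild.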

Among the files executed may also be the ransom note dropped by the .EMPTY virus. It has the following contents:

Attention! All Your data was encrypted!
For specific information, please send us an email with Your ID number:
We will help You as soon as possible!

The virus then proceeds to encrypt the files on the infected computer, after which they appear with the .EMPTY file extension. Luckily, most CryptoMix ransomware variants can be decrypted without paying any ransom at all; which variants a given decryptor supports changes over time, so check that it lists the .EMPTY extension before relying on it. Continue reading this article to learn how to remove the virus and decrypt your files for free.

Remove .EMPTY CryptoMix from Your PC

Before beginning to remove this virus, we strongly suggest that you back up all of your encrypted files, just in case: a decryptor can only work on intact encrypted files, and removal tools may quarantine or delete them. Then you can proceed to remove the .EMPTY files ransomware from your computer, preferably by following the instructions underneath.
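The backup is simplest to do with a script that copies every .EMPTY file into a mirror tree and records a hash of each copy, so you can later prove the copies are intact before handing them to a decryptor. The script below is an added example, not code from the original article; the source and destination roots are assumptions, and the destination should be a drive the infected machine was not writing to while the ransomware was running (for example an external disk plugged in after the machine is off the network).

```powershell
# Added example, not from the original article: copy every *.EMPTY file into a
# backup tree that mirrors the original paths and write a SHA-256 manifest so
# the copies can be verified later. SourceRoot/DestinationRoot are assumptions.

function Backup-EncryptedFiles {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,        # e.g. 'C:\Users'
        [Parameter(Mandatory)][string]$DestinationRoot,   # e.g. 'E:\empty-backup' on an external drive
        [string]$Extension = '.EMPTY'
    )
    $srcFull  = (Resolve-Path -LiteralPath $SourceRoot).Path.TrimEnd('\')
    $manifest = Join-Path $DestinationRoot 'manifest.sha256'
    New-Item -ItemType Directory -Path $DestinationRoot -Force | Out-Null
    $count = 0
    # -Force includes hidden files; access-denied errors on system folders are skipped.
    Get-ChildItem -LiteralPath $srcFull -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq $Extension } |
        ForEach-Object {
            # Rebuild the relative path under the destination so same-named files never collide.
            $rel  = $_.FullName.Substring($srcFull.Length).TrimStart('\')
            $dest = Join-Path $DestinationRoot $rel
            New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $dest -Force
            # Hash the copy (not the original) so the manifest describes what is on the backup drive.
            $hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
            Add-Content -LiteralPath $manifest -Value "$hash  $rel"
            $count++
        }
    return $count
}

$copied = Backup-EncryptedFiles -SourceRoot 'C:\Users' -DestinationRoot 'E:\empty-backup'
Write-Output "Copied $copied encrypted files; manifest at E:\empty-backup\manifest.sha256"
```

Keep the manifest with the backup: re-running Get-FileHash over the copies and comparing against it is how you confirm nothing was truncated or altered before you try a decryptor. Do not rename the copies, since some decryptors derive the original file name from the encrypted one.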


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
