.EMPTY Files Virus – How to Remove and Decrypt Files for Free

.EMPTY Files Virus – How to Remove and Decrypt Files for Free

This article aims to provide instructions and information on how to remove .EMPTY file ransomware virus and how to restore files that have been encrypted by it.

The CryptoMix family of ransomware viruses has received new update and this time it uses the .EMPTY file extension. The ransomware aims to encrypt each important file on your computer leaving behind a ransom note. The note demands to contact the cybercriminals on one of three different e-mails provided and eventually receive further instructions on how to pay ransom In return of the encrypted file.

Threat Summary

Name.EMPTY File Virus
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the infected computer and then demands victims to pay a hefty ransom fee in order to decrypt them. Decryptable for free.
SymptomsFiles are encrypted with the added .EMTPY file extension as the picture above displays. Users are asked to contact the cyber-criminals via e-mail.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .EMPTY File Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .EMPTY File Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.EMPTY Files Virus – How Does It Spread

For this virus to be widespread it may us various different methods, the main of which may be e-mail spam. The e-mail messages that may spam the .EMPTY ransomware virus may contain convincing statements whose end goal is to get the victim of the ransomware virus to open the malicious infection file, like the example statement below:

  • Financial Activity Statement Keep track of your account with your latest Online Financial Statement from NatWest Bank.
  • Please download and view Microsoft Word attachment.
  • So check out your statement right away, or at your earliest convenience.
  • Thank you for managing your account online. Sincerely, NatWest Bank.

Besides an infected Microsoft Word document that may contain malicious macros, the e-mails may also carry other type of malicious executables, one of which has been reported on VirusTotal.com to be the following:

.EMPTY File Virus – More Information

Once the victim becomes infected with the .EMPTY variant of CryptoMix, the virus may initially drop the malicious files on the user’s computer. The files may exist under different names and be located in the commonly targeted Windows folders below:

After the files of .EMPTY ransomware are dropped on the user’s computer, the malware may begin it’s malicious activity. It executes the payload files which run in the background as processes. Those files are obfuscated so that any security software running on the computer fails to detect them. They contain multiple functions within them that take advantage of critical Windows components. These functions may result in .EMPTY ransomware to modify crucial registry entries on the user’s computer, adding registry strings to change different Windows settings. One of the strings added may be located in the Run and RunOnce Windows registry sub-keys, responsible for running malicious files automatically on Windows start up. The sub-keys have the following location:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Not only this, but the .EMPTY files variant of CryptoMix may also execute a batch (.bat) file that may delete the shadow volume copies on the compromised computer. This file may contain the following administrative Windows command:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Among the files that may be executed may also be the ransom note dropped by the .EMPTY virus. It has the following contents:

Attention! All Your data was encrypted!
For specific information, please send us an email with Your ID number:
[email protected]
[email protected]
[email protected]
We will help You as soon as possible!

The virus then proceeds to encrypt the files on the infected computer, resulting in them appearing with the .EMPTY file extension. Luckily most CryptoMix ransomware variants are decryptable without you having to pay any ransom at all. Continue reading this article to learn how to remove the virus and decrypt your files for free.

Remove .EMPTY CryptoMix from Your PC

Before beginning to remove this virus, we strongly suggest you to backup all of your encrypted files, just in case. Then, you can proceed removing the .EMPTY files ransomware from your computer, preferably by following the instructions underneath.

Manually delete .EMPTY File Virus from your computer

Note! Substantial notification about the .EMPTY File Virus threat: Manual removal of .EMPTY File Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove .EMPTY File Virus files and objects
2.Find malicious files created by .EMPTY File Virus on your PC

Automatically remove .EMPTY File Virus by downloading an advanced anti-malware program

1. Remove .EMPTY File Virus with SpyHunter Anti-Malware Tool and back up your data

.EMPTY File Ransomware – Decryption Process

Before any decryption process by this .EMPTY virus begins, recommendations are to use an advanced anti-malware tool to remove the infection and then to back-up the encrypted files by creating several copies of them on different removable drives or in the cloud.

Then, we advise you to follow these steps:

Step #1: Download “CryptoMix Fix” tool from Avast’s website. Link to the download page, you can locate below:


Make sure to save the file somewhere where you can easily find it:

Step #2: Run the program and click on the “Next” button.

Step #3: Choose the drive which you want to be scanned for encrypted files and click on “Next” once more. You can also add a folder that has important files, by clicking on the “Add Folder” button on the bottom-right:

Step #4: Find an original file and it’s encrypted analogue. If you struggle finding an original file, please check the default Windows folders of a non-infected PC with the same version of Windows as yours:

→ For newer Windows (8, 8.1, 10):
For Windows 7 and earlier:

Step #5: Upload the files in the blank fields of the next step of the Avast CryptoMix Fix decryptor:

Step #6: Paste the password from your version of CryptoMix in the next field in case you know it:

And now all that is left is to run the decryptor and it will begin to do it’s magic.

.EMPTY CryptoMix Decryption – The Bottom Line

Ransomware viruses are becoming more and more widespread and in more variants as well. While some, such as CryptoMix .EMPTY are decryptable, some viruses are still non-decodable, which is why we advise you to learn how to protect yourself from getting infected with them.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share