.FILE Ransomware Virus (CryptoMix) – How to Remove + Decrypt Files

.FILE Ransomware Virus (CryptoMix) – How to Remove + Decrypt Files

This article has been created in order to help you by explaining what is .FILE CryptoMix ransomware variant, how to remove it and how to try and restore files that have been encrypted on your computer.

A new CryptoMix ransomware variant has been released following the latest .TEST variant which came put back in December 2017. The new virus uses the .FILE extension to encrypt the files on the computers infected by it, after which drops a _HELP_INSTRUCTION.TXT ransom note, which asks from victims to pay a hefty ransom fee depending on the importance of the files and how they negotiate it by contacting the cyber-crooks on one of the many “file1” e-mails in the ransom note. If your computer has been attacked by the .FILE cryptomix ransomware, we recommend that you read the following article.

Threat Summary

Name.FILE Ransomware
TypeRansomware, Cryptovirus
Short DescriptionA variant of CryptoMix ransomware virus family. Aims to encrypt the files, making them unopenable and then ask a ransom payment to be made for their decryption.
SymptomsThe files on the infected computer are encrypted with an added .FILE extension to their name and a ransom note, called _HELP_INSTRUCTIONS.TXT is dropped on the victim’s PC. Files names are changed to random ones.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .FILE Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .FILE Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.FILE CryptoMix Virus – How Did My PC Get Infected

There are multiple methods by which the .FILE ransomware iteration may infect your computer system, however one is always peferred by ransomware authors and has so far been mostly used by the CryptoMix ransomware family – e-mail spam messages. Such spam e-mails often aim to perform various different deception techniques to get you as a victim to click on attachments within those e-mails or web links that lead to automatic download of the malicious infection file. The e-mails may pretend to be coming from legitimate companies from the likes of FedEx, Amazon, DHL, PayPal and other important companies. They may pretend that the attachment sent to you is a legitimate document of importance, like:

  • An invoice for a purchase.
  • A receipt.
  • Order confirmation file.
  • Fake digital signature.
  • Fake bank account activity report.

The e-mails may be masked with fake claims in them coming from responsible employees of those companies, like the image below displays:

In addition to malicious executable files within archives, the infection files may also be Microsoft Office documents which may contain malicious macros within them. Once the victim opens the document and clicks on “Enable Content” to see what is in it, the Macros are triggered.

.FILE Ransomware – Activity and Information

As soon as the .FILE ransomware virus has caused an infection on your computer system, the ransomware drops two types of files. One is it’s ransom note file _HELP_INSTRUCTION.txt, containing the following ransom note:

Attention! All Your data was encrypted!

For specific informartion, please send us an email with Your ID number:

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

Please send email to all email addresses! We will help You as soon as possible!



Besides the ransom note, .FILE ransomware also drops a randomly named executable file, which is the malicious file responsible for the encryption process. It is located in the %Program Data%M folder.

As soon as the malicious file created by this ransomware virus have been dropped on your computer, it runs a script that makes it to obtain administrative privileges on your computer. The .FILE ransomware variant of CryptoMix, then executes the same commands like the older variants of the malware, plus new commands in the Windows Command Prompt. The commands are the following:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

.FILE Ransomware – Encryption Process

The encryption process of this virus begins with looking for specific file types to encipher. These are often the types of files that are used very often, like documents, archives, videos, files associated with programs that are used very often, like Adobe Photoshop, Reader and other software. The files are targeted by their file extensions and types, the most commonly used of which are the following:


After the encryption has completed, the .FILE CryptoMix ransomware variant also renames all of the encrypted files in order to make them no longer recognizable. The files assume the following looks:

Remove .FILE Ransomware and Restore Encrypted Files

In order to get rid of this ransomware infection, it is important to follow the removal instructions down below to remove .FILE virus files either manually or automatically. But since this virus may also perform other side activities and create other files and objects on your PC, experts often advise to download an advanced anti-malware software. Such will help you remove .FILE ransomware automatically from your PC and protect it against all types of intrusions and unwanted software.

In order to try and decrypt files, that have been encrypted by the .FILE ransomware virus, we advise you to use the decryption instructions after the removal manual. In the event that you fail, you may attempt to use the alternative methods for file recovery in step “2. Restore files encrypted by .FILE Ransomware”.

1. Boot Your PC In Safe Mode to isolate and remove .FILE Ransomware files and objects
2.Find malicious files created by .FILE Ransomware on your PC

Automatically remove .FILE Ransomware by downloading an advanced anti-malware program

1. Remove .FILE Ransomware with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by .FILE Ransomware

.FILE Ransomware – Decryption Process

Before any decryption process by this virus begins, recommendations are to use an advanced anti-malware tool to remove the infection and then to back-up the encrypted files by creating several copies of them on different removable drives or in the cloud.

Then, we advise you to follow these steps:

Step #1: Download “CryptoMix Fix” tool from Avast’s website. Link to the download page, you can locate below:


Make sure to save the file somewhere where you can easily find it:

Step #2: Run the program and click on the “Next” button.

Step #3: Choose the drive which you want to be scanned for encrypted files and click on “Next” once more. You can also add a folder that has important files, by clicking on the “Add Folder” button on the bottom-right:

Step #4: Find an original file and it’s encrypted analogue. If you struggle finding an original file, please check the default Windows folders of a non-infected PC with the same version of Windows as yours:

→ For newer Windows (8, 8.1, 10):
For Windows 7 and earlier:

Step #5: Upload the files in the blank fields of the next step of the Avast CryptoMix Fix decryptor:

Step #6: Paste the password from your version of CryptoMix in the next field in case you know it:

And now all that is left is to run the decryptor and it will begin to do it’s magic.

.FILE CryptoMix Decryption – The Bottom Line

As a conclusion, it is vital to know that if you have decrypted your files successfully, you are in great luck, because there are many ransomware victims who still haven’t. This is why we at SensorsTechForum are committed to educating users how to avoid such infections before they even happen. To learn how to prevent ransomware viruses and other malware infections from infecting your computer via e-mail, please read the related article below:

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share