How to Remove AxCrypter Ransomware and Restore .Axx Encrypted Files - How to, Technology and PC Security Forum |


A crypto-virus known as AxCrypter ransomware has led many users to complain that their files have been encrypted. The malware may use a strong cipher to encode the files of affected users and then ask for around $2500 to give them back. Infected users are advised not to pay the ransom and to wait for a decrypter to be released by researchers. In the meantime, it is recommended to remove the ransomware and try to restore your files using the instructions posted in this article.

Threat Summary

Short Description: The ransomware encrypts files with a strong cipher and asks a ransom for decryption in Italian.
Symptoms: Files are encrypted with the .axx file extension and become inaccessible. A ransom note with instructions for paying the ransom shows as a text file.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.

AxCrypter Ransomware – How Did I Get It

Similar to Locky Ransomware, AxCrypter is a tricky threat. It may use the so-called process obfuscation to infect a computer without being detected by any security software that might be installed. Such obfuscated payloads may be distributed to the user via:

  • Malicious URLs.
  • Malicious attachments.
  • Fake software installers.
  • Keygens, crackfixes or other .exe files downloaded from suspicious websites.
  • Exploit kits or malicious JavaScript reached through a suspicious browser redirect.

AxCrypter Ransomware – More about It

Once AxCrypter has been executed on the infected computer, it may create a malicious executable in one of the following folders:

  • %AppData%
  • %Roaming%
  • %User’s Profile%
  • %Temp%
  • %Local%
  • %Windows%

There may be more than one malicious file, and the files may have different names, for example:

  • Svchost.exe
  • Notepad.exe
  • B3028n32921.tmp
  • Pac-Man.dll
  • Keygen.exe

After creating those files, AxCrypter may create a registry entry to run its encryption module every time you start Windows. The following registry key may be modified as a result:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to that, the ransomware may delete the shadow volume copies of the infected computer by executing a vssadmin command with escalated privileges. The command may contain all or some of the following parameters:

→ vssadmin delete shadows /for={Volume of the drive} [/oldest | /all | /shadow={ShadowID}] [/quiet]
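
The behaviours described above (a Windows binary name running from a user folder, a Run entry pointing at it, shadow copy deletion, and a wave of .axx files) can be checked together over endpoint telemetry. The following is an added example, not code from this article or from any security product; the event fields, the threshold and the sample events are constructed assumptions, and it assumes Windows is installed on C:.

```python
import ntpath
import re
from collections import Counter

# Assumes Windows is installed on C:. Legitimate homes of the borrowed names.
SYSTEM_HOMES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "notepad.exe": {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"},
}
USER_WRITABLE = re.compile(r"\\(appdata\\(roaming|local)|temp)\\", re.I)
VSS_DELETE = re.compile(r"\bvssadmin(\.exe)?\"?\s+delete\s+shadows\b", re.I)
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
AXX_BURST = 3  # constructed threshold; the legitimate AxCrypt tool also writes .axx


def triage(events):
    """Return a sorted list of (pid, finding) for the behaviours described above."""
    hits, axx = set(), Counter()
    for e in events:
        kind, pid = e["type"], e["pid"]
        if kind == "process":
            image = e["image"].lower()
            homes = SYSTEM_HOMES.get(ntpath.basename(image))
            if homes is not None and ntpath.dirname(image) not in homes:
                hits.add((pid, "system binary name outside its Windows folder"))
            if VSS_DELETE.search(e["command_line"]):
                hits.add((pid, "shadow copy deletion"))
        elif kind == "registry_set":
            if e["key"].lower() == RUN_KEY and USER_WRITABLE.search(e["data"]):
                hits.add((pid, "Run key points into a user-writable folder"))
        elif kind == "file_create" and e["path"].lower().endswith(".axx"):
            axx[pid] += 1  # count per process so a single file is not flagged
    hits |= {(p, "burst of .axx files") for p, n in axx.items() if n >= AXX_BURST}
    return sorted(hits)


# Constructed sample telemetry (not taken from a real infection).
SAMPLE = [
    {"type": "process", "pid": 41, "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"type": "process", "pid": 77, "image": r"C:\Users\al\AppData\Roaming\Svchost.exe",
     "command_line": "Svchost.exe"},
    {"type": "registry_set", "pid": 77, "data": r"C:\Users\al\AppData\Roaming\Svchost.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "process", "pid": 78, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
] + [{"type": "file_create", "pid": 77, "path": rf"C:\Users\al\Docs\f{i}.docx.axx"}
     for i in range(3)]
```

Calling triage(SAMPLE) leaves the genuine svchost.exe (pid 41) unflagged and reports three findings for pid 77 and one for pid 78.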

After this is done, AxCrypter may begin to encrypt the user’s files. The ransomware is believed to scan for the most commonly used types of files and encrypt them, adding a .axx extension.


After the files have been encrypted, AxCrypter drops the following ransom note to explain the situation to affected users:

→ “I encrypt some data that I believe are important to your system.
Only your server to encrypt your data so you can bring me back again,
* .axx Extension with its own place in your home directory or disk “reserves” named
After you hide the folder, it will not be brought back to delete data by writing over the original.
If your data again working my way wish to install on your server Eders new me
Please contact via e-mail. Create your ip necessarily the subject of the e-mail you write.
I demand from you to your system cost $ 2,500. If we agree on,
I will send the necessary information to transfer you the money gönfer.
control the delivery of a currency that you sent me (at the latest half an hour) then your system
I made it to connect older.”

Source: Infected Users

AxCrypter – Conclusion, Removal and Restoring Your Files

The bottom line for AxCrypter is that this crypto-virus focuses only on files that are very important to users, a strong indicator of which is the large $2500 ransom it demands. So far, malware researchers have reported that it is not very widespread. Researchers strongly believe that a hacker may have gained access to a server belonging to the legitimate encryption software AxCrypt and started using its modules to create the virus and encrypt data.
However, we recommend that you NOT pay the ransom in case you have been infected.
AxCrypter can be removed manually or automatically, and we have provided instructions for both methods below. It is advisable, however, to take the automatic approach because some ransomware may be part of a RaaS (Ransomware-as-a-Service) scheme, meaning that variants may create different files and different registry entries. Using an anti-malware tool will help identify those objects, remove them permanently, and protect you against future threats.

Unfortunately, no decryptor has been released for AxCrypter. However, you may want to try the alternative solutions in step “3. Restore files encrypted by AxCrypter” below. They may not be 100 percent successful, but you might still have a chance to decode even a small portion of your files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
