Remove Creeper Virus — Restore .creeper Files

Remove Creeper Virus — Restore .creeper Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been created in order to help you by explaining how to remove Creeper Virus virus from your computer system and how to restore .creeper encrypted files.

The Creeper virus is a new malware threat that has just been discovered by the security community. The analysis reveals that it is not part of any of the popular malware families and follows the typical ransomware behavior patterns. It targets the commonly used user data using the built-in cipher. The processed data is renamed with the .creeper extension.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe main goal of the Creeper Virus is to encrypt sensitive user files and extort the victims for a ransom fee payment.
SymptomsThe Creeper Virus component processes target files and renames them with the .creeper extension.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by Creeper


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Creeper.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Creeper Virus – Infection Process

The Creeper virus is distributed using the most popular delivery tactics. The hacker controllers can make use of email messages that utilize social engineering tactics. There are two main types that are considered by the criminals:

  • Hyperlinks — These email messages contain links to malware-hosted instances on hacker-controlled sites. The victims are sent links that look like items of interest.
  • File Attachments — The hackers can also attempt to use another social engineering strategy by sending out malware files that are disguised as files of interest.

The social engineering tactics can use two additional approaches. The first one is the inclusion of the malware code in documents. They can be of different types (rich text documents, spreadsheets and presentations) and they usually pose as invoices, letters, contracts and etc. Once they are opened by the victims a notification prompt will be spawned. It asks them users to enable the built-in macros. If this is done the virus infection follows.

The other tactic relies on the distribution of malware software installers. They are essentially modified setup files taken from the legitimate sites which are modified to include the dangerous code.

Another strategy relies on browser hijackers that represent malware browser plugins. They are usually made compatible with the most popular applications: Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Safari and Opera. Once they are downloaded to the victim’s computer the virus infection is started.

Creeper Virus – Analysis and Activity

The Creeper virus is a dangerous new malware that has been discovered by the security experts. At the moment no correlation with any of the famous malware families has been identified, this means that it is very likely that the threat is produced by the hacker or criminal collective behind it. It is possible that the samples may have been purchased from the hacker underground forums as well.The full security analysis is not yet complete and at the moment the full array of possible malware interactions is not known. We suspect that the virus and any of its future iterations may perform a dangerous array of hacker modifications.

The infection may begin with an information gathering that can harvest sensitive information from the compromised systems. Usually the data is classified into two main groups — anonymous data that usually consists of information related to the operating system configuration settings and the hardware components. The personal data gathered can directly expose the victim’s identity by looking out for strings related to their names, addresses, interests, location, email adresses, passwords and account credentials.

The next step would be to use the gathered information in order to scan the system for any installed instances that can interfere with its execution. This includes anti-virus products, sandbox and debugging environments and virtual machine hosts. The threat can bypass or entirely remove their real-time engines to protect itself. If it finds that it is unable to do so it can remove itself to remove infection.

System modifications that can impact the system include the modification of the Windows registry. Such changes can lead to severe performance issues and can impact the correct execution of certain applications and system services. The criminals can also opt to modify the boot options by removing the ability to access the recovery menu. This prevents the victims from using it to remove the persistent threat.

Advanced forms of ransomware like this one are also capable of removing the shadow volume copies of the discovered data – this makes it very difficult for the users to recover it. Further damage can be caused if the threat interacts with the Windows volume manager — this would allow it to impact any connected removable storage devices and network shares as well.

If a network connection is made to the hacker-controlled servers it can be used to overtake control of the affected machines, as well as deliver additional threats.

Creeper Virus — Encryption Process

As soon as the Creeper virus has finished the execution of the prior components it starts the ransomware engine. It uses a list of built-in extensions that usually target the most popular types of data:

  • Archives
  • Backups
  • Images
  • Videos
  • Music
  • Documents
  • Databases

As a result all affected data is renamed with the .creeper extension. A ransomware note is produced in a file called DECRIPT_MY_FILES.txt which has the following contents:

Decrypting your files is easy. Take a deep breath and follow the steps below.
1 ) Make the proper payment.
Payments are made in Monero. This is a crypto-currency, like bitcoin.
You can buy Monero, and send it, from the same places you can any other
crypto-currency. If you’re still unsure, google ‘monero exchange’.
Sign up at one of these exchange sites and send the payment to the address below.
Payment Address (Monero Wallet):
2 ) Farther you should send the following code: *** to email address
Then you will receive all necessary key.
Prices :
Days : Monero : Offer Expires
0-2 : 3 : 03/01/18
3-5 : 5 : 03/04/18
Note: In 6 days your password decryption key gets permanently deleted.
You then have no way to ever retrieve your files. So pay now.

How to Remove Creeper Virus and Restore .creeper Encrypted Files

In order to make sure that this malware is permanently gone from your computer, you should follow the manual or automatic removal instructions down below. If you have the experience in removing ransomware manually, we advise you to focus on the first 2 steps from the manual removal and to look for the registry files which we have explained in the analysis part above. Otherwise, if you want a more automatic and faster solution and lack the expertise in malware removal, we urge you to download an advanced anti-malware program, which aims to automatically perform the removal operation of Creeper ransomware and secures your computer against future infections in real-time.

If you want to restore files that have been encrypted by this ransomware infection, we advise you to try out the alternative tools for file recovery down below in step “2. Restore files encrypted by .creeper Files Virus”. They may not guarantee fully that you will recover all of the files, but if you haven’t reinstalled your OS already, there is a good chance that you might just restore them.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share