A ransomware crypto-virus called Crypren popped up a couple of days ago. The virus will lock files and append an extension .encrypted to all of them. The ransom money that Crypren demands is around 45 US dollars. To see how to remove the ransomware and what you can try to restore your files, you should read this article to its end.
|Short Description||The ransomware encrypts files with .encrypted extension and demands a ransom of around 45 US dollars.|
|Symptoms||The ransomware targets around 60 different file extensions for encryption. READ_THIS_TO_DECRYPT.html file is created with instructions inside.|
|Distribution Method||Spam Emails, Email Attachments, Executable Files|
|Detection Tool|| See If Your System Has Been Affected by Crypren |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Crypren.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Crypren Ransomware – Delivery Methods
Crypren ransomware is delivered in a couple of ways. As most other ransomware viruses out there, spam emails are the common method of getting infected with this ransomware. The emails deliver the malicious code from attached files. These attachments come with a story of how you made a purchase of something or you are awaiting a shipment from eBay, DHL or other such nonsense.
Do not feel curious, because even just downloading the attachment can execute Crypren. Always check the exact email address of the sender and check in other ways if a purchase has been made from your account or you have some package coming.
Social media websites and services for file-sharing might also be a common way to spread this infection. The best prevention tactic is to steer clear of suspicious files and not click, nor download, any files or messages of unknown origin.
Crypren Ransomware – Description
Crypren is the name of this new encrypting ransomware virus. It emerged a couple of days ago, spreading with spam emails. The emails try to convince people that they have a shipment or some package to be delivered to them to attract their attention. If they open the attached file, their files get encrypted.
A file READ_THIS_TO_DECRYPT.html is created after successful encryption.
The file READ_THIS_TO_DECRYPT.html contains instructions for paying the ransom and is put in each folder that has encrypted files. The file can be seen in the picture down here:
The file reads the following:
YOUR PERSONAL FILES HAS BEEN ENCRYPTED
Your data (photos, documents, databases, etc.) have been encrypted with a private and unique key generated for this computer. This means that you will not be able to access your files anymore until they are decrypted. The private key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.
The payment has to be done in Bitcoin to a unique address that we generated for you. Bitcoins are the virtual currency to make online payments. If you don’t know how to get Bitcoins, you can click the button “How to buy Bitcoins” below and follow the instructions. If you have problem with this task use internet.
You have only 1 week to submit the payment. When this time ends, the unique key will be destroyed and you won’t be able to recover your files anymore.
YOUR UNIQUE KEY WILL BE DESTROYED IN 1 WEEK FROM ENCRYPTION!
To recover your files, you must send 0,1 Bitcoins ( ~$37 ) to the next Bitcoin address…
The ransom note is pretty straight-forward. The price which is asked as ransom money is 45 US dollars, and to be paid within one week. According to the instructions, the price won’t rise after that period, but all of your files will get erased.
Do NOT pay the ransom. Doing so will only help fund the creator of this virus and possibly inspire him and others to make similar malware. You cannot know for sure if you will get your files back by paying. Plus, you have a week to restore your files – read further to find out how you can get your files back.
The Crypren ransomware encrypts files with around sixty different extensions. The encryption process is believed to use an RSA-2048 bit cryptosystem with 256-bit AES algorithm. The extensions that the ransomware seeks to encrypt are the following:
→.html, .jpg, .jpg2, .mdb, .mp3, .mp4, .mp4infovid, .mp4v, .pdf, .php, .php3, .png, .ppt, .pptm, .pptx, .accdb, .accde, .accdr, .accdt, .bmp, .cpp, .cs, .css, .csv, .csy, .doc, .docm, .docx, .docxml, .docz, .gif, .gzip, .py, .rar, .rar5, .rb, .rtf, .sql, .sqlite, .sqlite3, .sqlitedb, .swf, .swfhtml, .tar, .targz, .targz2, .tarlzma, .tarxz, .txt, .xlmv, .xls, .xlsm, .xlsx, .xml, .zip, .zipx
The list of file extensions given above might be incomplete, but these will be encrypted for sure. After the encryption process is finished, all of the files will have the same extension – .encrypted.
Crypren ransomware is known to delete Shadow Volume Copies from the Shadow Explorer process in the Windows Operating System.
Remove Crypren Ransomware and Restore .encrypted Files
If your computer is infected with the Crypren ransomware, you should have a bit experience with removing viruses. You should get rid of this ransomware as soon as possible because it can encrypt more files and spread deeper into the network. We recommend that you remove this ransomware and then follow the step-by-step instructions provided herein. There you will also find a decryptor.