Remove Crypt38 Ransomware and Restore .crypt38 Files - How to, Technology and PC Security Forum |

Remove Crypt38 Ransomware and Restore .crypt38 Files


with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by Crypt38 and other threats.
Threats such as Crypt38 may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy


A ransomware dubbed Crypt38 was found recently by Fortinet researchers. The name comes from the extension it appends to encrypted files, namely .crypt38. The ransom money it demands as payment is 1000 Rubles or roughly 15 US dollars, with the ransom note written in Russian.

To know how to remove the ransomware and what to do to restore your files, you should read this article to its very end.

Threat Summary

Short DescriptionThe ransomware uses an AES algorithm and encrypts files appending the extension .crypt38 to them.
SymptomsThe ransomware will lock your files and display a ransom note in Russian. Inside it is written that you have to pay around 15 US dollars for file decryption.
Distribution MethodSpam Emails, Email Attachments, Suspicious Sites
Detection Tool See If Your System Has Been Affected by Crypt38


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Crypt38.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Crypt38 Ransomware – How Is It Spread?

Crypt38 ransomware is possibly spread with spam emails. Such emails have attached files. The malicious code is hidden inside such attachments most of the time. The interesting thing is that emails like that might infect your computer through the body of the email if it contains malicious code.

Social media services and those for file-sharing might include hidden malware files uploaded by the criminals. To avoid getting infected by malware such as this could be done if you are very careful around what you click, open and download when browsing the Web. Suspicious files and links could be dangerous, particularly if they are of an unknown origin.

Crypt38 Ransomware – Technical Overview

Crypt38 is the name given to ransomware, recently found by Fortinet researchers. The name comes from the extension it creates. After the encryption process is complete, it will display the following email address – [email protected](.)ru.

The ransomware will create the file lsass.exe, in the following directory:


After that “Autorun” will be enabled for the malware file with this entry in the Windows Registry:

→HKCU\Software\Microsoft\Windows\CurrentVersion\Run lsass (value)

After encryption, the Crypt38 ransomware creates the ransom note file. The payment instructions will be given there (in Russian). Here is a picture of the file:


The file’s text is written in Russian, and it states the following:

Ваши данные зашифрованы!
Стоимость расшифровки: 1000 рублей
Код разблокировки: / Расшифровать
Ваш ID: [random numbers] Отправьте его на [email protected]

Не удаляйте и не редактируйте файлы .crypt38 и файлы вируса, иначе восстановить данные не получится!

The demanded ransom price is 1000 Rubles, which is around 15 US dollars. There is a warning, which states not to tamper with encrypted files in any way. The payment instructions are written entirely in Russian, but not only Russian speaking countries may be targeted. Do not pay the ransom is a sound advice here. Paying will support the ransomware creators, but it will not guarantee the restoration of your files.

The Crypt38 ransomware uses an AES algorithm for encryption. File extensions which the ransomware searches to encrypt are these:


→.svg, .indd, .cpp, .pas, .php, .cs, .py, .java, .class, .fla, .pl, .sh, .jpg, .jpeg, .jps, .bmp, .tiff, .avi, .mov, .mp4, .amr, .aac, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .pdf, .html, .rtf, .dwg, .cdw, .max, .psd, .3dm, .3ds, .dxf, .ps, .ai, .accdb, .odt, .odp, .odx, .ibooks, .xlp, .db, .dbf, .mdf, .sdf, .mdb, .sql, .rar, .7z, .zip, .vcf, .cer, .csr, .torrent, .otl, .report, .key, .csv, .xml

When the encryption process is complete, every file will have the same extension as an appendix – .crypt38. What makes the encryption process rather slow, however, is that the ransomware manually enumerates drive letters in the following sequence:

C:\, D:\, E:\, Z:\, Y:\, X:\, W:\, V:\, F:\, G:\, H:\, I:\, J:\, K:\, U:\, T:\, S:\, R:\, Q:\, L:\, M:\, N:\, O:\, P:\, A:\, B:\

The ransomware will also exclude locking files from strings containing the following:

  • Windows
  • msocache
  • Program Files (x86)
  • Program Files

Crypt38 ransomware might also delete the Shadow Volume Copies service from the Windows operating system. That is not important, given the fact that there is a way to decrypt your files. Read below to see what researchers have found about the encryption process.

Remove Crypt38 Ransomware and Restore .crypt38 Encrypted Files

If your computer is infected by the Crypt38 ransomware, you should have experience with malware removal. You should remove the ransomware as fast as possible as it could encrypt more files spread deeper in the network you use. The recommended action for you is to remove the ransomware completely and follow the step-by-step instructions guide given down below.

Note! Your computer system may be affected by Crypt38 and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as Crypt38.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove Crypt38 follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Crypt38 files and objects
2. Find files created by Crypt38 on your PC

Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Crypt38

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share