Remove CryptFile2 Ransomware and Restore Encrypted Files - How to, Technology and PC Security Forum



Researchers from Proofpoint have revealed information about a ransomware called CryptFile2. They gave it this name after a string found in one of its malware samples. According to Proofpoint, the ransomware has been active since the middle of March this year. It asks victims to contact its creators and pay an unspecified sum in BitCoins to get their files back. Files with more than 1200 different extensions are encrypted by this ransomware.

To remove the ransomware and learn how to restore your files, read the full article.

Threat Summary

Short Description: The ransomware encrypts files with the RSA algorithm and asks for payment in BitCoins.
Symptoms: Files with more than 1200 extensions are encrypted. Files with ransom instructions are put in every directory with locked files.
Distribution Method: Spam Emails, Exploit Kits
Detection Tool: See If Your System Has Been Affected by CryptFile2 (Malware Removal Tool)
User Experience: Join Our Forum to Discuss CryptFile2.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

CryptFile2 Ransomware – Delivery

CryptFile2 ransomware is delivered mainly through exploit kits. Spam emails carrying the malware as an attachment are not excluded either, and the malicious code could also be hidden in the body of an email, so merely opening such an email might trigger a silent download of the malware onto your system.

The exploit kits observed delivering this threat are the well-known Nuclear Exploit Kit and Neutrino.

Your PC can also get infected through exploit kits and malicious code spread via social network sites and file-sharing services. A good preventive measure is to avoid all suspicious files and web links you come across.

CryptFile2 Ransomware – Information

The CryptFile2 malware is classified by researchers as ransomware. Last week, Proofpoint researchers shared details about it. They gave the ransomware that name after a debug string in one of the samples they were investigating. If you get infected, the malware encrypts your most important files along with many other file types. CryptFile2 may also create entries in the Windows Registry so that it loads automatically on every start of the Windows OS.

CryptFile2 drops two files in each directory that contains encrypted files. They hold the ransom instructions and have the following names:


You can see an example of one of the files here:


You are given a random ID. The instructions read:


What happened to your files?

All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys RSA-2048 can be found here: hxxp://
How did this happen?
!!!Specially for your PC was generated personal RSA-2048 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our Secret Server.

What do I do?

So, there are two ways you can choose: wait for a miracle and get your pride doubled, or start obtaining BITCOIN NOW!, and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions:

Contact is by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. For you to be sure, that we can decrypt your files – you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee.


Payment is expected in BitCoins, although the ransomware creators have not specified the amount. They have provided two email addresses for contact.

Paying any ransom to the cyber criminals is far from advised. Not only might you not get your files decrypted, you might not even receive an answer. Giving the criminals money may also encourage them to keep developing ransomware or something worse; usually this results in a stronger, improved variant of ransomware they have created in the past.

The CryptFile2 ransomware seeks to lock files with more than 1200 different extensions, according to Proofpoint security researchers. The RSA encryption algorithm is used. Some of the targeted file extensions are:

→.3gp, .7z, .ads, .asf, .asx, .ba, .bank, .bgt, .bik, .bkp, .bpw, .cdf, .cer, .ce1, .ce2, .cgm, .class, .cls, .cpp, .craw, .csh, .csl, .csv, .ddd, .der, .dng, .dxg, .eml, .exf, .ffd, .fff, .flac, .fla, .flv, .gray, .h, .hpp, .ibd, .indd, .java, .key, .laccdb, .m4v, .maf, .mam, .maw, .mdc, .mfw, .mp4, .mpg, .mso, .ndd, .nef, .nsg, .nwb, .odc, .odf, .odg, .odp, .one, .oth, .p7b, .pat, .pbo, .pcd, .pct, .pps, .ppsm, .ppsx, .pspimage, .psafe3, .pub, .qbw, .r3d, .raf, .rar, .rat, .raw, .rwz, .sas7bdat, .sda, .srf, .srt, .srw, .stc, .std, .sti, .st, .vob, .vsd, .vtx, .wav, .wmv, .wpd, .xlc, .xlm, .xlr, .xlt, .xltm, .xltx, .m4a, .wma, .zip, .unrec, .scan, .tax, .icxs, .hkdb, .mdbackup, .syncdb, .gho, .wmo, .fos, .mov, .vdf, .tmp, .sis, .menu, .layout, .blob, .vcf, .tor, .psk, .lvl, .xxx, .wallet, .wotreplay, .desc, .m3u, .js, .rb, .hkx, .forge, .rim, .vpp_pc, .pak, .rgs, .lrf

After encryption, every affected file gets the extension .id_[yourid]_[ransomemail].scl, where yourid is your personal ID number and ransomemail is one of the following addresses:


The CryptFile2 ransomware also encrypts backup and temporary files found on an infected computer's internal disk storage. When that happens, the Shadow Volume Copies kept by Windows have most likely been deleted as well.
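As an added example, not code from the article or from Proofpoint, the script below shows how a responder can inventory a CryptFile2 infection from the renaming scheme described above: it matches the .id_[yourid]_[ransomemail].scl suffix, recovers the victim ID, the contact address and the original extension of each file, and lists the directories that need ransom-note cleanup and restoration. The file paths are constructed sample data; the assumption that the victim ID is alphanumeric and that the e-mail part looks like an ordinary address is mine, since the page does not give the exact ID format or the addresses.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Renaming scheme from the article: <original name>.id_<victim id>_<ransom e-mail>.scl
# Assumption (not stated on the page): the ID is alphanumeric and the e-mail part
# is a plain address without whitespace.
CRYPTFILE2_NAME = re.compile(
    r"^(?P<original>.+?)\.id_(?P<victim_id>[A-Za-z0-9]+)_(?P<email>\S+@\S+?)\.scl$"
)

# A small subset of the extensions the article lists as targeted, used to flag
# hits that match the published target list.
LISTED_TARGET_EXTENSIONS = frozenset(
    {".csv", ".nef", ".flac", ".rar", ".zip", ".key", ".wallet", ".java", ".wav"}
)

# Constructed sample paths for a stand-alone run (fictional user and address).
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/budget.csv.id_1234ABCD_restore@example.test.scl",
    "C:/Users/alice/Documents/photo.nef.id_1234ABCD_restore@example.test.scl",
    "C:/Users/alice/Documents/notes.txt",
    "C:/Users/alice/Music/song.flac.id_1234ABCD_restore@example.test.scl",
    "C:/Users/alice/Music/cover.jpg",
    "C:/Users/alice/Music/readme.scl",  # a genuine .scl file, must not be flagged
]


def parse_encrypted_name(name):
    """Return the parts of a CryptFile2-renamed file name, or None if it does not match."""
    m = CRYPTFILE2_NAME.match(name)
    if not m:
        return None
    parts = m.groupdict()
    parts["original_ext"] = PureWindowsPath(parts["original"]).suffix.lower()
    parts["listed_target"] = parts["original_ext"] in LISTED_TARGET_EXTENSIONS
    return parts


def triage(paths):
    """Summarise which files, IDs, addresses and directories an infection touched."""
    hits = []
    for path in paths:
        parsed = parse_encrypted_name(PureWindowsPath(path).name)
        if parsed is not None:
            hits.append((path, parsed))
    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({p["victim_id"] for _, p in hits}),
        "emails": sorted({p["email"] for _, p in hits}),
        # Every directory here should also contain the two ransom-note files.
        "directories": sorted({PureWindowsPath(path).parent.as_posix() for path, _ in hits}),
        "extensions": dict(Counter(p["original_ext"] for _, p in hits)),
        "unlisted_extensions": sorted({p["original_ext"] for _, p in hits if not p["listed_target"]}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

On a live case, feed the function the output of a recursive directory walk instead of SAMPLE_PATHS; the victim ID and address it recovers are what the article says you would otherwise have to read out of the ransom note, and the directory list tells you where the two instruction files were dropped.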

Remove CryptFile2 Ransomware and Restore Encrypted Files

If your computer is infected by the CryptFile2 ransomware, you should have at least a little experience with removing malware. Remove the malware as soon as possible, because it may encrypt more files over the network you use, or files on external storage devices if you plug in a backup. So, it is recommended that you first remove the ransomware and then follow the step-by-step instructions given below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
