Remove Cryptolocker V3 Ransomware and Restore .crypted Files - How to, Technology and PC Security Forum

Remove Cryptolocker V3 Ransomware and Restore .crypted Files

A new version of one of the pioneers in ransomware infections, called Cryptolocker, has risen from the depths of the Dark Web. The ransomware creates different modules that serve various purposes. It may also tamper with the Windows Registry to run its modules every time Windows starts. Version 3 of Cryptolocker may be identified by the .crypted file extension on the affected user's files. All users who have come across this ransomware are advised not to follow the ransom payment instructions which Cryptolocker leaves after encrypting the data, and to try the alternative removal and restoration tools and methods instead.

Name: Cryptolocker V3
Type: Ransomware Trojan
Short Description: The Trojan creates registry entries, connects to remote hosts and encrypts user files of various formats, asking for a ransom to decrypt them.
Symptoms: The user may be unable to open his files and may notice a .crypted extension appended to them.
Distribution Method: Via malicious URLs or mail attachments.
Detection Tool: Download Malware Removal Tool to see if your system has been affected by Cryptolocker V3.
User Experience: Join our forum to follow the discussion about Cryptolocker V3.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files. It may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Cryptolocker V3 – How Did I Get Infected

One way to become a victim of this vile threat is by opening a malicious email attachment or clicking on a URL from such a spam message. Cyber criminals usually disguise the spam mails they send to resemble a reputable service. Here are a few examples of what fraudulent spam mails may look like:

  • “Your free Windows 10 Upgrade Is Here.”
  • “Get your free 100 songs from Itunes Now.”
  • “Your PayPal account has been suspended.”
  • “The files you requested.”
  • “You have won a free trip from our eBay lottery.”
  • “Free Amazon gift cards.”

Furthermore, cyber criminals tend to hide the malicious payload by obfuscating its files with special software or by packing it into a .zip, .rar or other archive format so that it is not blocked by the email service. Users should be very careful and always scan the files they download. It is also recommended to double-check shared web links at least to some degree, since checking every single link you open would be impractical. This is why it is good to have a browser extension that blocks malicious links from opening.

Cryptolocker V3 Ransomware – More About It

Symantec researchers have analyzed this Trojan and have established that, once activated on your computer, the ransomware creates the following payload files:

In %Application Data% of %User Profile%:
An .exe file with a random name, for example 08210e209u18.exe

On the user’s desktop:

The malicious threat then creates the following registry object so that the payload starts with Windows:

In the key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\", a value with the data: "crypto13" = "%UserProfile%\Application Data\[the file with random characters].exe"

After this, Cryptolocker V3 begins to encrypt user files. Symantec has reported that it encrypts files with these extensions:

.7z .rar .m4a .wma .avi .wmv .csv .d3dbsp .sc2save .sie .sum .ibank .t13 .t12 .qdf .gdb .tax .pkpass .bc6 .bc7 .bkp .qic .bkf .sidn .sidd .mddata .itl .itdb .icxs .hvpl .hplg .hkdb .mdbackup .syncdb .gho .cas .svg .map .wmo .itm .sb .fos .mcgame .vdf .ztmp .sis .sid .ncf .menu .layout .dmp .blob .esm .001 .vtf .dazip .fpk .mlx .kf .iwd .vpk .tor .psk .rim .w3x .fsh .ntl .arch00 .lvl .snx .cfr .ff .vpp_pc .lrf .m2 .mcmeta .vfs0 .mpqge .kdb .db0 .DayZProfile .rofl .hkx .bar .upk .das .iwi .litemod .asset .forge .ltx .bsa .apk .re4 .sav .lbf .slm .bik .epk .rgss3a .pak .big .unity3d .wotreplay .xxx .desc .py .m3u .flv .js .css .rb .png .jpeg .txt .p7c .p7b .p12 .pfx .pem .crt .cer .der .x3f .srw .pef .ptx .r3d .rw2 .rwl .raw .raf .orf .nrw .mrwref .mef .erf .kdc .dcr .cr2 .crw .bay .sr2 .srf .arw .3fr .dng .jpe .jpg .cdr .indd .ai .eps .pdf .pdd .psd .dbfv .mdf .wb2 .rtf .wpd .dxg .xf .dwg .pst .accdb .mdb .pptm .pptx .ppt .xlk .xlsb .xlsm .xlsx .xls .wps .docm .docx .doc .odb .odc .odm .odp .ods .odt

After the encryption process for a file is complete, the .crypted file extension is appended to it, for example:


Furthermore, the Trojan may connect to these hosts:

  • 7tno4hib47vlep5o(.)tor2web(.)blutmagie(.)de
  • 7tno4hib47vlep5o(.)tor2web(.)fi
  • 7tno4hib47vlep5o(.)tor2web(.)org
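The two artifacts described above, the "crypto13" Run value pointing at a randomly named .exe under the profile's Application Data folder and the .crypted extension appended to encrypted files, can be checked for with a read-only triage script. The following PowerShell is an added example written for this article, not code from Symantec or from the forum; it assumes the affected user's own account is the one you are logged in as, and it only reports, it does not delete anything.

```powershell
# Added triage example (not part of the original article): report the
# Cryptolocker V3 persistence entry and inventory .crypted files. Read-only.

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. Inspect Run entries. The article names the value "crypto13" whose data
#    points under "%UserProfile%\Application Data\". Also flag any other Run
#    value whose command lives under Application Data / AppData, since a
#    randomly named autostart there is unusual for legitimate software.
$suspicious = @()
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $cmd = [string]$p.Value
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
        if ($p.Name -eq 'crypto13' -or $expanded -imatch '\\(Application Data|AppData)\\') {
            $suspicious += [pscustomobject]@{ Value = $p.Name; Command = $cmd }
        }
    }
}
if ($suspicious.Count -gt 0) {
    Write-Host 'Suspicious Run entries (do not run these; record them before removal):'
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host 'No suspicious Run entries found.'
}

# 2. Inventory encrypted files: everything ending in .crypted under the user
#    profile, grouped by the original (inner) extension so you know which
#    file types to prioritise when restoring from shadow copies or backups.
$userProfile = $env:USERPROFILE
$crypted = @(Get-ChildItem -Path $userProfile -Filter '*.crypted' -Recurse -File -Force `
              -ErrorAction SilentlyContinue)
$summary = $crypted |
    ForEach-Object {
        # BaseName drops ".crypted"; GetExtension then yields e.g. ".docx"
        $inner = [IO.Path]::GetExtension($_.BaseName)
        if ($inner) { $inner } else { '(none)' }
    } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object @{ n = 'OriginalExt'; e = { $_.Name } }, Count

Write-Host ('{0} .crypted files found under {1}' -f $crypted.Count, $userProfile)
$summary | Format-Table -AutoSize
```

Save the output before removal so the file inventory can be compared against what Shadow Explorer or a data recovery tool brings back.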

What is more, Cryptolocker V3 replaces the desktop wallpaper of the affected machine with the following image:

[Image: Cryptolocker V3 desktop wallpaper. Source: Symantec Security Response]

Also, it displays a message box with in-depth instructions on how to pay the ransom and restore the files:

[Image: Cryptolocker V3 ransom message box. Source: Symantec Security Response]

Remove Cryptolocker V3 Completely

To remove this cyber threat from your computer, it is recommended to act as if you were infected with any other Trojan horse. The difference is that the Trojan may affect your files. This is why it is advisable to disconnect from the internet and copy the encrypted data to an external drive before attempting any removal.

One way to remove the cyber threat is by following the removal instructions below:

1. Boot your PC in Safe Mode to isolate and remove Cryptolocker V3.
2. Remove Cryptolocker V3 with SpyHunter Anti-Malware Tool.
3. Remove Cryptolocker V3 with Malwarebytes Anti-Malware.
4. Remove Cryptolocker V3 with STOPZilla AntiMalware.
5. Back up your data to secure it against infections and file encryption by Cryptolocker V3 in the future.

Restore .crypted Files

Since Cryptolocker V3 claims to use the RSA-2048 encryption algorithm, you should try restoring your files using each of the following methods and tools:

To restore your data, your first option is to check for shadow copies in Windows using this software:

Shadow Explorer

If this method does not work, Kaspersky has provided a decryptor for files encrypted with the RSA encryption algorithm:
Kaspersky RectorDecryptor

The other method is to try to bring your files back with data recovery software. Here are some examples of data recovery programs:

For further information you may check the following articles:
Remove RSA-2048 Key From Crypto Ransomware
Restore Files Encrypted via RSA Encryption

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.

