Remove Crypton Ransomware and Restore _crypt Files - How to, Technology and PC Security Forum |



Crypton is a newly discovered bilingual ransomware family, reported by researchers from MalwareHunterTeam. Its payload is disguised as a WinRar installer. Once run, it encrypts the victim's files and inserts "_crypt" into their names, then shows a ransom note written in either Russian or English, depending on the language configured on the system. Read on to see how to remove this ransomware and what you can try in order to restore your data.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts your files and then displays a ransom note with payment instructions in English or Russian.
Symptoms: Encrypted files have _crypt inserted into their names, just before the extension.
Distribution Method: Spam emails, email attachments, executables posing as legitimate installers

Crypton Ransomware – Infection

Crypton ransomware can spread in several ways. The one most commonly seen is a payload file disguised as a WinRar installer. If you download that file and run it, the malicious code executes and infects the computer. The VirusTotal analysis of the executable carrying the payload is shown in the picture below:


The payload may also be spread through social media networks and file-sharing services. WinRar is probably only one of several legitimate applications the malware impersonates; freeware and bundled installers promoted as useful can just as easily carry the ransomware's entry point. Do not open files from dubious sources such as unexpected emails and links, and never run a download immediately. Scan it with a security tool first, and check its size and digital signature for anything unusual: an unsigned installer, or one whose size differs from the vendor's official download, is a warning sign. Read the tips for ransomware prevention in the forum section.

Crypton Ransomware – Technical Analysis

Crypton is a cryptovirus: it encrypts the victim's files rather than merely locking the screen. Malware researchers from MalwareHunterTeam discovered it in the wild.

After your files are encrypted, _crypt is inserted into each name, just before the extension. Crypton may also create Windows Registry entries (typically auto-start keys) to achieve persistence, so that the malware launches automatically with every boot of the Windows operating system.

Once the encryption finishes, a ransom note pops up on the desktop. That note contains the criminals' instructions and demands for unlocking your files. A shorter message is also dropped in a file named readme_encryption.txt.

You can see the ransom note in English below:

[Image: English ransom note. Image source: MalwareHunterTeam]

That ransom note reads the following:

All data on you PC is encrypted!
To decrypt your data, you need to pay the amounts shown below.
Please note that the payment confirmation may take some time (from 1 hour to 1 day).
All this time, the program must be running and have an internet connection.
After the successful confirmation of payment – decoding will start automatically.
Read more about how to make a payment using Bitcoin can be found on the internet network.
In destination address – specify the Bitcoin address, listed below.
Keep in mind that the services may charge a fee for the payment, it is important that we must …
It is not recommended to attempt to recover the data, or remove this program! This can lead to a complete loss of your data forever! To restore data, you must be connected to the Internet.
Bitcoin address:
Payment amount: BTC at the exchange rate in [currency] check payment status

The same note in Russian (translated to English here):

[Image: Russian ransom note. Image source: MalwareHunterTeam]

In translation it reads:

Your data is encrypted!
To decrypt your data, you need to pay the amount indicated below.
Please note that payment confirmation may take some time (from 1 hour to 1 day).
During all this time the program must be running and have an internet connection.
After successful confirmation of payment, decryption will start automatically.
More about how to make a payment using Bitcoin can be found on the internet.
For example, you can use the service
It is strongly not recommended to try to recover the data yourself or to remove this program! This can lead to the complete loss of your data forever! An internet connection is required to restore the data.
Current status:
Bitcoin address:
Payment amount: BTC at the exchange rate in [currency] check payment status

The short ransom message, contained in the readme_encryption.txt file, reads:

This files are encrypted! Follow the instructions on the screen.
Эти файлы зашифрованы! Следуйте инструкции на экране. (Russian: "These files are encrypted! Follow the instructions on the screen.")
ID: [Redacted]

There are also Command-and-Control (C&C) servers associated with the ransomware; the note's insistence that the program stay running and online until payment is confirmed indicates that payment checking and the promised decryption are coordinated through them. You should NOT even consider paying the cybercriminals. Paying only funds them, and nobody can guarantee that your files will be decrypted afterwards.

Crypton encrypts files and adds the _crypt suffix to the name of each one. The suffix goes before the file extension, so a file called Work document.doc becomes Work document_crypt.doc. Note that simply renaming a file to strip the suffix does not restore it; the contents are still ciphertext. The encryption algorithm used is unknown. The list of file extensions the virus searches for and encrypts is shown here:

→.xls, .xlsx, .doc, .docx, .txt, .tbb, .tbn, .cd, .cdr, .db, .dbx, .dbf, .pdf, .rtf, .tiff, .jpg, .png, .mdb, .vsd, .jpg, .psd, .pst, .ppt, .pptx, .xml, .htm, .html, .mht, .zip, .rar, .7z, .dat

Source: MalwareHunterTeam
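As an added example (not code from the article or from MalwareHunterTeam), the following Python script walks a directory tree and flags files that match the _crypt naming scheme described above, restricted to the extension list, and also locates any dropped readme_encryption.txt notes. The directory layout it scans is constructed inline for the demo; during a real triage you would point scan_tree at the affected drive or share. It only identifies affected files and maps their names back to the originals; it does not decrypt anything.

```python
"""Triage helper: find files renamed by the Crypton naming scheme.

Added example, not code from the original article or from MalwareHunterTeam.
Assumption: Crypton inserts "_crypt" between the base name and the extension
("Work document.doc" -> "Work document_crypt.doc") and drops a
readme_encryption.txt note. The sample tree built below is constructed data.
"""
import os
import re
import tempfile
from pathlib import Path

# Extension list reported in the article (deduplicated here).
TARGET_EXTENSIONS = {
    ".xls", ".xlsx", ".doc", ".docx", ".txt", ".tbb", ".tbn", ".cd", ".cdr",
    ".db", ".dbx", ".dbf", ".pdf", ".rtf", ".tiff", ".jpg", ".png", ".mdb",
    ".vsd", ".psd", ".pst", ".ppt", ".pptx", ".xml", ".htm", ".html", ".mht",
    ".zip", ".rar", ".7z", ".dat",
}
NOTE_NAME = "readme_encryption.txt"
# "<stem>_crypt<.ext>": the real extension is kept, so the file still looks like a .doc
CRYPT_NAME = re.compile(r"^(?P<stem>.+)_crypt(?P<ext>\.[^.]+)$", re.IGNORECASE)


def original_name(name: str):
    """Return the pre-encryption file name, or None if the name does not match."""
    m = CRYPT_NAME.match(name)
    if not m:
        return None
    return m.group("stem") + m.group("ext")


def scan_tree(root):
    """Walk root; return (sorted encrypted file paths, sorted ransom note paths)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                notes.append(path)
                continue
            orig = original_name(name)
            # Only count names whose restored extension is one the malware targets,
            # which filters out unrelated files that happen to contain "_crypt".
            if orig is not None and Path(orig).suffix.lower() in TARGET_EXTENSIONS:
                encrypted.append(path)
    return sorted(encrypted), sorted(notes)


def build_sample_tree():
    """Create a throwaway directory that mimics a hit share (constructed data)."""
    root = tempfile.mkdtemp(prefix="crypton-demo-")
    layout = {
        "Work document_crypt.doc": b"\x00" * 16,   # encrypted
        "budget_crypt.xlsx": b"\x00" * 16,         # encrypted
        "photo_crypt.jpg": b"\x00" * 16,           # encrypted
        "notes.txt": b"plain",                     # untouched
        "setup_crypt.exe": b"MZ",                  # .exe is not in the target list
        "sub/readme_encryption.txt": b"This files are encrypted!",
        "sub/report_crypt.pdf": b"\x00" * 16,      # encrypted, in a subdirectory
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    enc, notes = scan_tree(demo_root)
    print(f"{len(enc)} encrypted files, {len(notes)} ransom note(s) under {demo_root}")
    for p in enc:
        print("  ", os.path.relpath(p, demo_root), "->", original_name(os.path.basename(p)))
```

The extension filter matters in practice: on a large share, matching on the bare "_crypt" string alone produces false positives from unrelated files and directories, while anchoring on the restored extension keeps the list to what the malware actually targets.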

Like most ransomware, Crypton is likely to delete the Volume Shadow Copies, so that Windows' Previous Versions feature cannot be used to roll files back, typically with the command:

→vssadmin.exe delete shadows /all /Quiet
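Shadow-copy deletion is one of the most dependable detection points for this whole class of ransomware. The following Python snippet is an added example, not anything from the article: it scans process-creation records for the vssadmin command above and, going beyond the page, for the equivalent wmic shadowcopy delete invocation, and raises the severity when the parent process runs from a user-writable location such as Downloads (where a fake WinRar installer would sit). The one-line record format and the log lines are constructed for the demo; adapt parse_line to your own Sysmon Event ID 1 or Security 4688 export.

```python
"""Detection: flag Volume Shadow Copy deletion in process-creation telemetry.

Added example, not from the original article. The record format
"<timestamp> <parent image> -> <image> : <command line>" and the log lines
below are constructed for this demo, not a real log format.
"""
import re

# Constructed sample records (backslashes doubled for the Python string literal).
SAMPLE_LOG = """\
2017-02-01T10:14:01Z C:\\Users\\u\\Downloads\\WinRar-setup.exe -> C:\\Windows\\System32\\vssadmin.exe : vssadmin.exe delete shadows /all /Quiet
2017-02-01T10:14:05Z C:\\Windows\\explorer.exe -> C:\\Windows\\System32\\vssadmin.exe : vssadmin.exe list shadows
2017-02-01T10:15:00Z C:\\Windows\\System32\\cmd.exe -> C:\\Windows\\System32\\vssadmin.exe : VSSADMIN.EXE Delete Shadows /For=C: /Oldest
2017-02-01T10:16:30Z C:\\Windows\\System32\\cmd.exe -> C:\\Windows\\System32\\wbem\\WMIC.exe : wmic shadowcopy delete
2017-02-01T10:17:00Z C:\\Windows\\explorer.exe -> C:\\Program Files\\7-Zip\\7z.exe : 7z.exe a backup.7z C:\\Users\\u\\Documents
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<parent>.+?) -> (?P<image>.+?) : (?P<cmd>.+)$")

# Case-insensitive; token order in the command line varies between samples,
# so each rule matches on the tokens rather than an exact string.
SHADOW_DELETE_RULES = [
    ("vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

# Parent running from a user-writable path is the typical ransomware pattern;
# an admin running vssadmin from cmd.exe is not by itself malicious.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData|Desktop)|Temp|ProgramData)\\", re.I
)


def parse_line(line):
    """Split one constructed record into its fields, or return None."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def classify(cmd):
    """Return the name of the first shadow-deletion rule that fires, else None."""
    for name, rx in SHADOW_DELETE_RULES:
        if rx.search(cmd):
            return name
    return None


def detect(log_text):
    """Return one alert dict per record whose command line deletes shadow copies."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify(rec["cmd"])
        if rule is None:
            continue
        severity = "high" if USER_WRITABLE.search(rec["parent"]) else "medium"
        alerts.append({
            "time": rec["ts"], "parent": rec["parent"], "rule": rule,
            "severity": severity, "cmd": rec["cmd"],
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['severity']:6}] {a['time']} {a['rule']:8} parent={a['parent']}  cmd={a['cmd']}")
```

The "list shadows" record is deliberately not flagged: listing is routine and firing on every vssadmin invocation is how this rule gets tuned out by analysts. In a production SIEM the parent-path check would usually be joined with the process's code-signing status and the user's role.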

Read further to find out what kinds of methods you can try to restore some of your data files.

Remove Crypton Ransomware and Restore _crypt Files

If your computer is infected with the Crypton ransomware, removing it calls for some experience with malware removal. Get rid of it as quickly as possible, before it has a chance to spread to network shares or other machines. Remove the ransomware by following the step-by-step guide below; for ways to try to recover your data, see the step titled 2. Restore files encrypted by Crypton.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
