Crypton ransomware is the newest bilingual cryptovirus that has been found. Malware researchers from the MalwareHunterTeam have made the discovery. The payload of the virus tries to trick users that it is WinRar. The virus will encrypt your files and place “_crypt” as the ending of their name. A ransom message appears after that, and depending on the language you prefer to use on your system, the note will be written either in Russian or English. To see how to remove this ransomware and how you can try to restore your data, read the full article.

Threat Summary
Name | Crypton |
Type | Ransomware, Cryptovirus |
Short Description | The ransomware will encrypt your files and then display a ransom note with instructions for payment either in the English or Russian language. |
Symptoms | The ransomware will encrypt your files and place _crypt to the back of their names. |
Distribution Method | Spam Emails, Email Attachments, Executables |
Detection Tool | See If Your System Has Been Affected by Crypton Download Malware Removal Tool | User Experience | Join Our Forum to Discuss Crypton. |
Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |

Crypton Ransomware – Infection
Crypton ransomware can spread its infection in multiple ways. The most common of those ways is with a payload file disguised as a WinRar installer setup. If you download that file and load it, the malicious script will get executed and will infect your computer. You can see the analysis of VirusTotal of the executable file containing the payload, from the picture below:
Crypton ransomware might be spreading its payload file around social media networks and file-sharing services. WinRar could be just one of many other legitimate applications that can contain the malicious payload script. A lot of freeware and bundled apps could be promoted as useful but hide the entry point for the ransomware. Do not open files from dubious sources like emails and links, especially not right after you download them. First, you should do a scan with a security tool and check their size and signatures for anything suspicious. Read the tips for ransomware prevention in the forum section.

Crypton Ransomware – Technical Analysis
The Crypton ransomware is also a cryptovirus. Malware researchers from the MalwareHunterTeam have discovered it in the wild.
After your files get encrypted, they will receive _crypt appended to the back of their names, before their extension. Crypton ransomware might create entries in the Windows Registry to achieve persistence. Those registry entries are designed to make the virus launch automatically with each boot of the Windows Operating System.
After your files are encrypted, a ransom note will pop up on your desktop screen. That note contains the instructions and demands of the cybercriminals for unlocking your files. A short ransom message is also being included in a readme_encryption.txt file.
You can see the ransom note in English below:
Image Source: MalwareHunterTeam
That ransom note reads the following:
Attention!
All data on you PC is encrypted!
To decrypt your data, you need to pay the amounts shown below.
Please note that the payment confirmation may take some time (from 1 hour to 1 day).
All this time, the program must be running and have an internet connection.
After the successful confirmation of payment – decoding will start automatically.
Read more about how to make a payment using Bitcoin can be found on the internet network.
In destination address – specify the Bitcoin address, listed below.
Keep in mind that the services may charge a fee for the payment, it is important that we must …
It is not recommended to attempt to recover the data, or remove this program! This can lead to a complete loss of your data forever! To restore data, you must be connected to the Internet.
Status:
Bitcoin address:
Payment amount: BTC по курсу в валюте check payment status
The same note in the Russian language:
Image Source: MalwareHunterTeam
It reads the following:
Внимание!
Ваши данные зашифрованны!
Для расшифровки ваших данных, вам необходимо оплатить указанную ниже сумму.
Обратите внимание, что подтверждение платежа может занять какое то время (от 1 часа до 1 дня).
Все это время, программа должна быть запущена и иметь соединение к интернет.
После успешного подтверждения платежа – расшифровка запустится автоматически.
Подробнее о том как произвести оплату с помощью Bitcoin можно найти в сети internet.
Наример можно воспользоваться сервисом https://xchange.cc/visa-mastercard-rur-to-bitcoin.html.
Крайне не рекомендуется пытаться самостоятельно восстановить данные, или удалять эту программу! Это может привести к полной потере ваших данных навсегда! Для восстановления данных необходимо подключение к интернет.
Текущий статус:
Bitcoin адрес:
Сумма к оплате: BTC по курсу в валюте проверить статус платежа
The short ransom message looks like this:
You can see that it is contained in the readme_encryption.txt file and reads the following:
This files are encrypted! Follow the instructions on the screen.
Эти файлы зашифрованы! Следуйте инструкции на экране.
ID: [Redacted]
There are also Command&Control (C&C) servers associated the ransomware. You should NOT even think of paying the cybercriminals. This will only support them financially, and nobody can guarantee that your files will get decrypted after payment.
The Crypton ransomware encrypts files and puts _crypt suffix to the names of each one of them. That suffix is put before their file extension, so if a file called Work document.doc will become Work document_crypt.doc. The encryption algorithm that is used is unknown. A list with all file extensions that the virus searches to encrypt are shown right here:
→.xls, .xlsx, .doc, .docx, .txt, .tbb, .tbn, .cd, .cdr, .db, .dbx, .dbf, .pdf, .rtf, .tiff, .jpg, .png, .mdb, .vsd, .jpg, .psd, .pst, .ppt, .pptx, .xml, .htm, .html, .mht, .zip, .rar, .7z, .dat
Source: MalwareHunterTeam
The Crypton cryptovirus is quite likely to erase the Shadow Volume Copies from the Windows operating system by using the command down here:
→vssadmin.exe delete shadows /all /Quiet
Read further to find out what kinds of methods you can try to restore some of your data files.

Remove Crypton Ransomware and Restore _crypt Files
If your computer got infected with the Crypton ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Crypton.
Manually delete Crypton from your computer
Note! Substantial notification about the Crypton threat: Manual removal of Crypton requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.