Remove CryptON Virus and Restore steaveiwalker@india.com_ Files

This article will help you remove the CryptON virus completely. Follow the ransomware removal instructions provided at the bottom of this article.

CryptON is a ransomware cryptovirus aimed at Portuguese-speaking users. It encrypts your files and, once the encryption process is done, appends the extension steaveiwalker@india.com_ to them. The CryptON ransomware then displays a ransom note with payment instructions in which it presents itself as CryptoLocker. Read on to see which methods you could try in order to restore some of your data.

Threat Summary

Short Description: The ransomware encrypts files on your computer and then shows a ransom note in Portuguese.
Symptoms: The ransomware encrypts your files and appends the steaveiwalker@india.com_ extension to each of them when the encryption process finishes.
Distribution Method: Spam emails, email attachments

CryptON Virus – Update

Update! Malware researchers from Emsisoft have built a decryption tool for the CryptON ransomware and made it available to the public. You can download and use the CryptON decryption tool from the Emsisoft site.

CryptON Virus – Delivery Ways

The CryptON ransomware could be delivered in various ways. The file that drops the ransomware payload, which contains the malicious script, can arrive from several different sources. A sample of such a file, as analyzed by the VirusTotal service, is shown in the screenshot below:

The dropper for the CryptON payload could also be distributed through social media websites and file-sharing services. Freeware programs may be promoted as helpful while hiding the downloader for the payload. Do not open files immediately after downloading them, especially if they came from an unknown source. Scan such files with a security tool first, and then check for anything that seems out of the ordinary. You can read the ransomware prevention tips topic in our forum.

CryptON Virus – Detailed Description

The ransomware cryptovirus discussed here was dubbed CryptON because that string appears in its code. The ransomware encrypts your files and appends a distinctively long extension that contains an email address. One of the emails used is [email protected], which is also associated with another Portuguese ransomware thought to be a variant of this one, the GarryWeber ransomware.

The CryptON ransomware could also create entries in the Windows Registry in order to persist on the system. Such registry entries are usually created so that the virus launches automatically with every boot of the Windows operating system, and to stop certain processes from running.

The CryptON ransomware presents itself as a Portuguese variant of CryptoLocker. One piece of evidence for that is the ransom note, which appears after the encryption process and is written in a mixture of Portuguese and English. The note is shown in the screenshot below:

The message, translated into English, states the following:

Your personal identification:
id- [REDACTED] ————————-
All of your important information has been encrypted.
To recover your data you need a decoder.
To receive the decoder you must pay for the decoding.
Buy 1 BTC on these sites:
Send 1 BTC for the decoding
After paying:
1. Send a screenshot or photo of the payment to the address: [email protected]
2. In case you do not receive a reply, please e-mail me here: [email protected]
3. If you want to remain anonymous or if you are not receiving a reply, try using Bitmessage ( and use this address to contact me:
[email protected] . This method will work 100%.
4. The e-mail must include your personal identification (id- [REDACTED]).
Then you will receive the decoder and instructions.
1. You have 3 days to pay for my services. After this period, you will lose all of your files.
2. Anti-virus software can remove Cryptolocker, but it cannot decrypt your files. The only way to recover your files is to pay for the decryption key.
3. Information for IT specialists:
The data was encrypted with the AES (Rijndael) algorithm with a session key length of 256 bits. The session key is encrypted with the RSA algorithm (2048 bits). The public key is included in Cryptolocker. The private key for decrypting the session key is stored only in my database. To break this key you would need more than a million years.

The message above points to the ransom note, which is apparently stored in a file called COMO_ABRIR_ARQUIVOS.txt (Portuguese for HOW_TO_OPEN_FILES.txt). The ransom note states all of the cybercriminals' demands, including the price. It is likewise written in a mixture of Portuguese and English. You can preview it in the screenshot below:

The criminals behind the CryptON ransomware virus are trying to pass it off as the CryptoLocker ransomware. You should NOT, under any circumstances, pay these crooks. Nobody can guarantee that your files will be recovered. Furthermore, you should never give money to criminals, as doing so only funds them and motivates them to create more ransomware and carry out further criminal activity.

CryptON ransomware targets the following file extensions for encryption:

→.bmp, .doc, .docx, .jpg, .mp3, .pdf, .png

A full list of the file extensions that can get encrypted is not out yet, but this article will be updated if such a list appears. The encryption scheme the ransom note claims to use is a combination of 256-bit AES and 2048-bit RSA. Every encrypted file gets one and the same extension appended to it, .id-%X%steaveiwalker@india.com_, where %X% is the victim's identification number. The extension does not alter the file names or their original extensions; it is appended as a secondary extension.
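As an added example, not code from this article or from any tool it mentions: the Python script below uses the extension pattern described above to inventory encrypted files, group them by the victim ID embedded in the file name, and work out each file's original name, which is useful for checking that every file was restored once a decryptor has run. The sample paths are constructed, and the victim-ID format (any run of non-dot characters between "id-" and the email address) is an assumption, since the article only gives the %X% placeholder.

```python
import os
import re
from collections import defaultdict

# Extension appended by CryptON, as described in the article:
#     <original name>.id-<victim ID>steaveiwalker@india.com_
# The victim ID format is not documented on the page, so the pattern below
# is an assumption: one or more characters that are not a dot.
CRYPTON_SUFFIX = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^.]+?)steaveiwalker@india\.com_$",
    re.IGNORECASE,
)


def parse_encrypted_name(filename):
    """Return (original_name, victim_id) if the name carries the CryptON
    extension, otherwise None."""
    m = CRYPTON_SUFFIX.match(filename)
    if m is None:
        return None
    return m.group("original"), m.group("victim_id")


def triage_paths(paths):
    """Group encrypted files by victim ID.

    Returns a dict mapping victim_id -> list of
    (encrypted_path, path_the_file_should_have_after_restoration).
    """
    by_id = defaultdict(list)
    for path in paths:
        directory, name = os.path.split(path)
        parsed = parse_encrypted_name(name)
        if parsed is None:
            continue  # ransom notes and untouched files are skipped
        original, victim_id = parsed
        by_id[victim_id].append((path, os.path.join(directory, original)))
    return dict(by_id)


def triage_tree(root):
    """Walk a directory tree and triage every file found in it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.append(os.path.join(dirpath, name))
    return triage_paths(paths)


# Constructed sample inventory, not real victim data.
SAMPLE_PATHS = [
    "C:/Users/ana/Documents/report.docx.id-A1B2C3D4steaveiwalker@india.com_",
    "C:/Users/ana/Pictures/ferias.jpg.id-A1B2C3D4steaveiwalker@india.com_",
    "C:/Users/ana/Documents/COMO_ABRIR_ARQUIVOS.txt",   # ransom note, not encrypted
    "C:/Users/ana/Music/track.mp3",                     # untouched file
]

if __name__ == "__main__":
    for victim_id, files in triage_paths(SAMPLE_PATHS).items():
        print(f"victim id {victim_id}: {len(files)} encrypted file(s)")
        for encrypted, restored in files:
            print(f"  {encrypted} -> {restored}")
```

Run it against a real tree with triage_tree("C:/Users"); the restored path is only the name the file should carry after a decryptor has processed it, so do not rename anything before decryption, since the ID in the extension is what a decryptor keys on.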

The CryptON cryptovirus is very likely to delete the Shadow Volume Copies on the Windows operating system by executing the following command in the Command Prompt:

→vssadmin.exe delete shadows /all /Quiet

This removes the restore points Windows keeps, so recovering files from shadow copies will not work after the command has run. The virus might execute further commands in the Command Prompt as well. Continue reading below to see which methods you can try in order to restore some of your files.
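As an added example, not code from this article: detection logic for the shadow-copy deletion described above, run over constructed process-creation log lines in a simplified key=value layout that stands in for Sysmon Event ID 1 records. The vssadmin pattern matches the command the article attributes to CryptON regardless of casing and extra arguments; the wmic pattern is a well-known equivalent included here as a generalization, not something the article reports CryptON using.

```python
import re

# Command the article attributes to CryptON:
#     vssadmin.exe delete shadows /all /Quiet
# The first pattern matches that command regardless of casing and of extra
# arguments (vssadmin also accepts /for=<volume> and /oldest). The wmic form
# is a well-known equivalent included as a generalization; the article does
# not report CryptON using it.
SHADOW_DELETE_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)),
]

# Constructed sample records (not real telemetry) in a simplified key=value
# layout standing in for Sysmon process-creation events (EventID 1).
# Unquoted values may not contain spaces; CommandLine is double-quoted.
SAMPLE_LOG = """\
EventID=1 Image=C:\\Windows\\explorer.exe CommandLine="C:\\Windows\\explorer.exe"
EventID=3 Image=C:\\Users\\ana\\AppData\\Roaming\\svc.exe DestinationIp=203.0.113.7
EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /Quiet"
EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows"
EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one key=value line into a dict, stripping quotes from values."""
    record = {}
    for key, value in FIELD.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        record[key] = value
    return record


def find_shadow_deletions(log_text):
    """Return one hit per process-creation record whose command line
    deletes Volume Shadow Copies."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        record = parse_record(line)
        if record.get("EventID") != "1":
            continue  # only process-creation events carry a command line
        command = record.get("CommandLine", "")
        for rule, pattern in SHADOW_DELETE_PATTERNS:
            if pattern.search(command):
                hits.append({"line": lineno, "rule": rule,
                             "image": record.get("Image", ""),
                             "command": command})
                break
    return hits


if __name__ == "__main__":
    for hit in find_shadow_deletions(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['rule']} via {hit['image']}: {hit['command']}")
```

The benign "vssadmin.exe list shadows" line is deliberately left unflagged; alerting on every vssadmin invocation produces noise from backup software, while deletion of shadow copies is rare enough in normal operation to be worth a high-severity alert on its own.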

Remove CryptON Virus and Restore steaveiwalker@india.com_ Files

If your computer has been infected with the CryptON ransomware virus, you should have some experience in removing malware. Get rid of this ransomware as quickly as possible, before it has a chance to spread further and infect other computers. Remove the ransomware by following the step-by-step instructions provided below.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
