Remove CryptoSweetTooth Ransomware and Restore .locked Files


This article will help you remove the CryptoSweetTooth ransomware fully. Follow the ransomware removal instructions given at the end of the article.

CryptoSweetTooth ransomware is a cryptovirus that is a variant of HiddenTear. One of its payload files is called BitCoin.exe, and after encryption it appends the .locked extension to every affected file. Once your files are encrypted, the CryptoSweetTooth virus displays a ransom note with payment instructions written in Spanish. Read on to see which methods you could try in order to restore some of your data.

Threat Summary

Short Description: The ransomware encrypts files on your computer and after that it displays a ransom note.
Symptoms: The ransomware will encrypt your files and put the .locked extension on them.
Distribution Method: Spam emails, email attachments

CryptoSweetTooth Ransomware – Delivery Tactics

CryptoSweetTooth ransomware could be delivered using different tactics. The dropper for the payload file, which initiates the malicious script of the ransomware, is found on the Web under the name BitCoin.exe, although in most cases it is renamed to hide its true nature. The VirusTotal analysis of that executable file is shown in the screenshot here:

CryptoSweetTooth ransomware may also deliver the payload dropper via social media and file-sharing websites. Freeware applications found on the Internet could be promoted as useful while hiding the malicious files of this virus. Do not open files immediately after downloading them, especially if they come from dubious sources such as links in emails. Scan them first with a security tool and check the size and signatures of all files for anything suspicious. The ransomware prevention tips thread in the forum is also worth reading.

CryptoSweetTooth Ransomware – Technical Analysis

CryptoSweetTooth ransomware is a cryptovirus that, according to malware researchers, is a variant of the open-source ransomware project HiddenTear. When CryptoSweetTooth encrypts your files, it appends the extension .locked to each encrypted file.

CryptoSweetTooth ransomware might make entries in the Windows Registry to achieve persistence. Such registry entries are typically designed to start the virus automatically with each launch of the Windows operating system.

The ransom note appears right after the encryption process finishes, at which point two files are created. The note reveals the cybercriminals' demands for decrypting your files. The ransom note is shown in the screenshot here:

That ransom note reads the following (translated from Spanish):

Your photos, videos, documents and databases have been encrypted by a powerful algorithm using a unique key generated by this computer.
How to recover the files?
To recover your encrypted files and receive security instructions so that this does not happen to you again, you must make a payment of 0.5BTC and send it to the following address: ILLEoST***
Once the payment is made, you must send an email to with the Bitcoin address you used to send the funds. Once verified and confirmed, you will receive a reply with the program and password to decrypt the files.
How to buy Bitcoins?
If you are in Argentina, you can buy Bitcoins at the following companies:
• Satoshitango
• ArgenBTC
After making the purchase from any of the pages mentioned above, you must send them to the Bitcoin address specified at the beginning, marked in RED.

The developers of the CryptoSweetTooth virus have stated their demands in the note given above. However, you should NOT follow those demands, nor contact the cybercriminals under any circumstances. If you pay them, there is no guarantee that you will recover your files. Furthermore, paying those crooks only supports them financially and is likely to encourage further criminal activity.

For the moment, there is no known list of file extensions that the CryptoSweetTooth ransomware searches for to encrypt. The encryption algorithm used is believed to be AES, and malware researchers say that the ransomware is a variant of the HiddenTear open-source project. Encrypted files receive the .locked extension appended to their names. Files with extensions such as the following may be encrypted:

→.doc, .docx, .pdf, .db, .jpg, .png, .ppt, .pptx, .txt, .xls, .xlsx, .mp3, .flv, .avi
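Because no definitive extension list is known, a triage step on an infected machine is to inventory the .locked files and see which original extensions and directories were hit. The following is an added example (not code from the article or the malware): it builds a constructed sample directory tree in a temporary folder and scans it, recovering the original extension from each name of the form name.ext.locked.

```python
import os
import tempfile
from collections import Counter

# Constructed sample file layout (not taken from the article); files are
# written into a temporary directory so the scan can run offline.
SAMPLE_FILES = [
    "Documents/report.docx.locked",
    "Documents/budget.xlsx.locked",
    "Documents/notes.txt",            # untouched file
    "Pictures/holiday.jpg.locked",
    "Pictures/holiday2.jpg.locked",
    "Music/song.mp3.locked",
    "Downloads/setup.exe",            # untouched file
]


def build_sample_tree() -> str:
    """Create the constructed sample tree and return its root path."""
    root = tempfile.mkdtemp(prefix="locked_demo_")
    for rel in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder content
    return root


def inventory_locked(root: str, marker: str = ".locked"):
    """Walk root and return (total, counts per original extension, counts per directory).

    The original extension is whatever precedes the marker, e.g.
    report.docx.locked -> .docx, so the result shows which file types were targeted.
    """
    by_ext = Counter()
    by_dir = Counter()
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(marker):
                continue
            original = name[: -len(marker)]
            ext = os.path.splitext(original)[1].lower() or "(none)"
            by_ext[ext] += 1
            by_dir[os.path.relpath(dirpath, root)] += 1
    return sum(by_ext.values()), by_ext, by_dir


if __name__ == "__main__":
    total, exts, dirs = inventory_locked(build_sample_tree())
    print(f"{total} encrypted files; by extension: {dict(exts)}; by directory: {dict(dirs)}")
```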

The CryptoSweetTooth cryptovirus might delete the Shadow Volume Copies from the Windows operating system by running the following command in the Command Prompt:

→vssadmin.exe delete shadows /all /Quiet
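Shadow copy deletion is one of the few host-level signals this family leaves before encryption finishes, so it is worth alerting on. The following is an added detection example (not code from the article): it runs over constructed, simplified process-creation events in a "time|image|command line" form and flags vssadmin shadow-deletion commands, going slightly beyond the exact command quoted above by ignoring case, argument order, an optional .exe suffix, a quoted full path, and launches wrapped in cmd.exe /c.

```python
import shlex
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry), in a
# simplified "time|image|command line" form.
SAMPLE_EVENTS = [
    "09:12:01|C:\\Users\\u\\AppData\\Roaming\\BitCoin.exe|BitCoin.exe",
    "09:12:03|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /Quiet",
    "09:12:05|C:\\Windows\\System32\\vssadmin.exe|\"C:\\Windows\\System32\\vssadmin.exe\" Delete Shadows /quiet /all",
    "09:15:00|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
    "09:16:00|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /for=C: /oldest",
]


@dataclass
class Alert:
    time: str
    image: str
    cmdline: str
    scope: str   # "all shadow copies" or "selected shadow copies"
    quiet: bool  # /quiet suppresses the confirmation prompt


def is_shadow_deletion(cmdline: str) -> bool:
    """True if the command line invokes 'vssadmin delete shadows' (any case, any path)."""
    try:
        tokens = [t.strip('"').lower() for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes; fall back to whitespace split
        tokens = cmdline.lower().split()
    for i, tok in enumerate(tokens):
        name = tok.replace("\\", "/").rsplit("/", 1)[-1]
        if name in ("vssadmin", "vssadmin.exe") and tokens[i + 1:i + 3] == ["delete", "shadows"]:
            return True
    return False


def detect(events):
    """Return an Alert for every event whose command line deletes shadow copies."""
    alerts = []
    for line in events:
        time, image, cmdline = line.split("|", 2)
        if not is_shadow_deletion(cmdline):
            continue
        toks = set(cmdline.lower().split())
        scope = "all shadow copies" if "/all" in toks else "selected shadow copies"
        alerts.append(Alert(time, image, cmdline, scope, "/quiet" in toks))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.time}] {a.image}: deleting {a.scope} (quiet={a.quiet})")
```

Listing shadows is deliberately not flagged, since only deletion is the destructive action; in production, a hit should be correlated with a burst of file renames to .locked under the same user session.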

Read on further and find out what methods you can try out to potentially restore some of your files.

Remove CryptoSweetTooth Ransomware and Restore .locked Files

If your computer got infected with the CryptoSweetTooth ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
