This article will help you remove the CryptoSweetTooth ransomware fully. Follow the ransomware removal instructions given at the end of the article.
CryptoSweetTooth ransomware is a cryptovirus that is a variant of HiddenTear. One of the payload files is called BitCoin.exe and the extension it places to all files after encryption is .locked. When your files become encrypted, the CryptoSweetTooth virus shows a ransom note with instructions for payment written in Spanish. Read on and see what ways you could try out to potentially restore some of your data.
|Short Description||The ransomware encrypts files on your computer and after that it displays a ransom note.|
|Symptoms||The ransomware will encrypt your files and put the .locked extension on them.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by CryptoSweetTooth |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss CryptoSweetTooth.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
CryptoSweetTooth Ransomware – Delivery Tactics
CryptoSweetTooth ransomware could be delivered by using different tactics. The dropper for the payload file which initiates the malicious script of the ransomware is found on the Web by the name BitCoin.exe, although it is renamed to hide its true nature in most cases. You can see the analysis of that executable file from the screenshot of the VirusTotal website, right here:
CryptoSweetTooth ransomware could also be using the tactic to deliver the payload file dropper via social media and file-sharing websites. Freeware applications found on the Internet could be promoted as useful but also could hide the malicious files of this virus. Don’t immediately open files after you have downloaded them, especially if they come from dubious sources, such as links and emails. You should first scan them with a security tool and check the size and signatures of all files for anything suspicious. You should read the ransomware prevention tips thread in the forum.
CryptoSweetTooth Ransomware – Technical Analysis
CryptoSweetTooth ransomware is a cryptovirus, that is a variant of the open-source ransomware project HiddenTear, according to malware researchers. When the CryptoSweetTooth ransomware encrypts your files, it will append the extension .locked to them as an extension on each encrypted file.
CryptoSweetTooth ransomware might make entries in the Windows Registry to achieve perseverance. These registry entries are typically designed in a way that will start the virus automatically with each launch of the Windows Operating System.
The ransom note appears right after the encryption process is done – two files are created:
The note reveals what the demands of the cybercriminals are for decrypting your files. You can check out the ransom note from the screenshot found here:
That ransom note reads the following:
SUS ARCHIVOS PERSONALES HAN SIDO CIFRADOS POR Crypto-SweetTooth
Sus fotos, videos, documentos y base de datos han sido cifrados por un poderoso algoritmo utilizando una clave única generada por esta computadora.
¿Cómo recuperar los archivos?
Para recuperar sus archivos cifrados y recibir instrucciones de seguridad para que esto no le vuelva a ocurrir, usted deberá realizar un pago de 0.5BTC y enviarlos a la siguiente dirección: ILLEoST***
Una vez realizado el pago usted deberá enviar un correo electrónico a con la dirección bitcoin que usted uso para enviar los fondos. Una vez verificado y confirmado se le responderá con el programa y contraseña para desencriptar los archivos.
¿Cómo comprar Bitcoins?
Si usted se encuentra en Argentina podrá comprar Bitcoins en las siguientes empresas:
luego de haber realizado la compra desde cualquiera de las paginas mencionadas arriba, debera mandar los mismos a la direccion Bitcoin especificada al principio, marcada en color ROJO.
The developers of the CryptoSweetTooth virus have put their demands in the note given above. However, you should NOT follow those demands, nor contact the cyber criminals under any circumstances. If you proceed and pay them, no guarantee exists that you will recover your files. Furthermore, providing money to those crooks will just support them financially and is likely to inspire them to do more criminal activities.
For the moment, there is no list of file extensions that the CryptoSweetTooth ransomware searches to encrypt. The encryption algorithm which is used is believed to be AES and malware researchers say that the ransomware is a variant of the HiddenTear open-source project. Encrypted files will receive the .locked extension appended to them. Some of the following extensions are possible to get encrypted:
→.doc, .docx, .pdf, .db, .jpg, .png, .ppt, .pptx, .txt, .xls, .xlsx, .mp3, .flv, .avi
The CryptoSweetTooth cryptovirus might delete the Shadow Volume Copies from the Windows operating system by using the following command in CommandPrompt:
→vssadmin.exe delete shadows /all /Quiet
Read on further and find out what methods you can try out to potentially restore some of your files.
Remove CryptoSweetTooth Ransomware and Restore .locked Files
If your computer got infected with the CryptoSweetTooth ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.