Remove CryptXXX 2.0 Ransomware and Restore Access to Your Encrypted PC

The CryptXXX malware writers have released a new version that is reported to contain several drastic improvements in how it encrypts the files of unsuspecting victims. The ransomware encrypts users’ files and then locks the screen with the ransom message. This is particularly dangerous because users cannot access their computer even to see what happened to their files. Similar to the previous version, CryptXXX 2.0 (2.006 to be precise) uses a strong encryption cipher to render the files unusable and then adds a unique identification to the ransom note files. Users who have been infected with the latest version of CryptXXX should be advised that at this point there is no working method for decrypting the files encrypted by this version of CryptXXX.

Threat Summary

Name: CryptXXX 2.0
Short Description: The ransomware may encrypt files with the RSA-4096 cipher and asks for a ransom for decryption, locking the screen and adding a picture, a text and an HTML file.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom asks the user to install Tor browser and pay in BitCoin.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool: See If Your System Has Been Affected by CryptXXX 2.0 (Malware Removal Tool)
User Experience: Join our forum to Discuss Locky Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

CryptXXX 2.0 Ransomware – How Did I Get It

To infect a computer, the malware is believed to spread via malicious URLs and exploit kits. One of its primary distribution methods is believed to be the Angler Exploit Kit, which has proven its effectiveness over time. Such exploit kits may be spread via:

  • HTML files included in archives or opened automatically by other software.
  • Redirects to malicious URLs.
  • As a result of clicking on a malvertising banner.
  • Via spam e-mail messages.

Whatever the distribution method may be, the exploit kit may generate a “hole” in the security and open an unsecured port through which the computer may be infected.

CryptXXX 2.0 Ransomware In Detail

Security researchers at Proofpoint, who discovered this threat, have reported that the authors of Reveton Police Ransomware have gone back to their roots. This is because, just like the already outdated Reveton, CryptXXX ransomware locks the screen of the infected PC, preventing the user from accessing the device:


Also, there is a change in the executables it may create on the infected computers. The ransomware uses names that resemble legitimate Windows processes, creating the files in key Windows folders:

→ In %Temp%:
In %System32%:

In addition, unlike the previous version of CryptXXX, this ransomware makes the encrypted files significantly bigger and changes them to such an extent that even the previously working Kaspersky Rannoh Decryptor cannot decrypt them. The decryptor requires one original file to establish the encryption pattern; with the 2.006 version, however, the decryptor returns the following error message:

  • “Encrypted file size does not equal to the original”

Another change in this version is that, instead of the older “de_crypt_readme” .bmp, .txt and .html ransom notes and payment sites, it uses renamed ones whose names are a unique identification for the infected user's PC, which is a random alphanumeric identifier, for example:


Similar to the older version, the ransomware still looks for a wide variety of file types to encrypt:

→ .aes, .ARC, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .class, .cmd, .cpp, .crt, .csr, .CSV, .dbf, .dch, .dcu, .dif, .dip, .djv, .djvu, .doc, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .eml, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .ldf, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .MYD, .MYI, .NEF, .obj, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .PAQ, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .qcow2, .rar, .raw, .RTF, .sch, .sldx, .slk, .sql, .SQLITE3, .SQLITEDB, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar, .bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wks, .wma, .wmv, .xlc, .xlm, .xls, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip

Source: Symantec

CryptXXX ransomware has also renamed the decryption page: the decrypter that can be downloaded after paying the ransom is now called “Google Decrypter” instead of the previous “CryptoWall Decrypter”.
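A read-only triage sketch for the indicators described in this section (an added example, not code from the article or from any vendor tool): it lists files carrying the .crypt suffix, folders where one name exists as .bmp, .txt and .html the way the ransom notes do, and encrypted files whose size differs from a clean backup copy, which is the condition under which the article says the Rannoh decryptor fails. The function names, the sample tree and the assumption that .crypt is appended to the original file name are illustrative.

```python
import os
import tempfile
from collections import defaultdict

NOTE_EXTS = {".bmp", ".txt", ".html"}  # the three ransom-note formats the article names
OLD_NOTE_STEM = "de_crypt_readme"      # note name used by the earlier version
ENC_SUFFIX = ".crypt"                  # assumption: appended to the original file name

def size_differs(enc_path, infected_root, backup_root):
    """True when a clean backup of the file exists and its size is not the same."""
    rel = os.path.relpath(enc_path[:-len(ENC_SUFFIX)], infected_root)
    original = os.path.join(backup_root, rel)
    return os.path.isfile(original) and os.path.getsize(original) != os.path.getsize(enc_path)

def triage(infected_root, backup_root=None):
    """Read-only walk: list note triplets, .crypt files and size mismatches."""
    report = {"note_sets": [], "encrypted": [], "size_mismatch": []}
    for folder, _dirs, files in os.walk(infected_root):
        stems = defaultdict(set)
        for name in sorted(files):
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in NOTE_EXTS:
                stems[stem].add(ext)
            elif ext == ENC_SUFFIX:
                path = os.path.join(folder, name)
                report["encrypted"].append(path)
                if backup_root and size_differs(path, infected_root, backup_root):
                    report["size_mismatch"].append(path)
        # The same stem as .bmp, .txt and .html in one folder matches the note pattern.
        for stem, exts in sorted(stems.items()):
            if exts == NOTE_EXTS:
                style = "old-name" if stem.lower() == OLD_NOTE_STEM else "id-style-name"
                report["note_sets"].append((stem, style))
    return report

def make_sample_tree():
    """Constructed sample data: one infected folder and one clean backup folder."""
    root = tempfile.mkdtemp()
    sizes = {"pc/SAMPLEID01.bmp": 1, "pc/SAMPLEID01.txt": 1, "pc/SAMPLEID01.html": 1,
             "pc/photo.jpg.crypt": 300, "pc/notes.txt": 5, "pc/same.doc.crypt": 40,
             "backup/photo.jpg": 100, "backup/same.doc": 40}
    for rel, size in sizes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return os.path.join(root, "pc"), os.path.join(root, "backup")

if __name__ == "__main__":
    print(triage(*make_sample_tree()))
```

Files reported under size_mismatch are the ones for which an original/encrypted pair would trigger the size error quoted above; the walk never modifies or deletes anything.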

Remove CryptXXX 2.0 Ransomware and Restore .Crypt Encrypted Files

Ordinary removal methods will not work against CryptXXX 2.0, because this threat uses several different techniques to prevent access. This is why we advise trying the removal instructions after this article. They may provide you with methods to remove the lockscreen by cleaning your registry entries and removing its files. If those instructions fail to work, we advise using advanced anti-malware software, which will deal with the threat automatically.

Furthermore, if you want to decrypt your files, be advised that, unlike for the first version of CryptXXX, no effective decryption method has been released for the latest variant. This is why we have provided some alternative methods and tools to help you restore files encoded by this ransomware. If a decryption method is found, we will post an update on our blog or our security forum, so we recommend following them as well.

Manually delete CryptXXX 2.0 from your computer

Note! Manual removal of CryptXXX 2.0 requires changes to system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove CryptXXX 2.0 files and objects
2. Find malicious files created by CryptXXX 2.0 on your PC
3. Fix registry entries created by CryptXXX 2.0 on your PC

Automatically remove CryptXXX 2.0 by downloading an advanced anti-malware program

1. Remove CryptXXX 2.0 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by CryptXXX 2.0 in the future
3. Restore files encrypted by CryptXXX 2.0
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.


  1. amin

    A few days ago all my files .crypt struck by ransomware and all media files are locked photos and text
    And open not
    I am very sorry for myself.
    Please help me
    Of course, with the help of RannohDecryptor
    A small amount of files returned
    But still busy
    Thank you

    1. Vencislav Krustev (Post author)

      Hello amin,

      I feel sorry for you. Keep trying with RannohDecryptor. Otherwise, we strongly recommend that you also select files that are smaller in size, like pictures and others first.

