Remove CryptXXX Ransomware and Restore .crypt Encrypted Files

Update, October 2019: Malware researchers from Kaspersky have updated their Rannoh Decryptor utility to decrypt the CryptXXX 3.0 ransomware family. Files should be fully decrypted with the help of that software. You can find its download page and instructions at Kaspersky’s Rannoh Decryptor page.


Proofpoint researchers have discovered a ransomware dubbed CryptXXX. The ransomware is believed to have been created by the same group that made the Reveton ransomware in the past. The Angler Exploit Kit and Bedep are used to distribute it.

Update: Kaspersky has officially announced that they have decrypted CryptXXX. They found that the ransomware introduces a short delay before encrypting external storage; this is done to confuse victims and to make it harder to identify the websites spreading the infection. CryptXXX uses RSA with a 4096-bit key, but Kaspersky has managed to crack it and has built the decryption into their Rannoh Decryptor.

Threat Summary

Short Description: The ransomware encrypts your files with the .crypt extension and asks a ransom of $500 for decryption.
Symptoms: Your files on all storage drives get encrypted. Files containing messages with instructions are created.
Distribution Method: Spam e-mails, exploit kits.
Detection Tool: See if your system has been affected by CryptXXX (Malware Removal Tool).
User Experience: Join our forum to discuss CryptXXX.

CryptXXX Ransomware – Update October 2019

In October 2019, the CryptXXX ransomware was reported to still be active and infecting new machines. Malware researchers are baffled, because they have not found any malware campaigns spreading the ransomware. Adult websites, adult content on online forums and pop-ups might be what drops the CryptXXX payload, but that has not been confirmed. The CryptXXX ransomware might still be able to infect computer systems, but fortunately there is a decryption tool available which still works.

CryptXXX Ransomware – Distribution

CryptXXX ransomware can be distributed in a few ways. One of them is via spam e-mails carrying a malicious file as an attachment; opening that attachment can drop the malware onto your machine. Social networks and file-sharing services may serve as distribution channels as well.

The CryptXXX ransomware is currently being distributed with the help of the Bedep Trojan, which gets into your PC through the Angler Exploit Kit. Simply visiting certain websites or clicking on suspicious links can also let Angler EK or Bedep inject this malware into your computer system.

CryptXXX Ransomware – Detailed Look

The CryptXXX malware is a new ransomware. It encrypts all of your files found across all connected devices and storage drives: USB sticks, hard disks, SSDs and all partitions with drive letters from A to Z will have every file on them encrypted. It then asks for a certain amount of money as ransom.

Proofpoint researchers believe the ransomware to be from the creators of the Reveton ransomware.

Both ransomware families share many common traits: the Delphi programming language, a custom command-and-control protocol on TCP port 443, and a delayed start, especially when the malware runs in a virtual machine. Other commonalities are a .DLL with a custom entry-point function, a .dat file in the %AllUsersProfile% directory and, last but not least, credential- and Bitcoin-stealing capabilities.

Entries in the following registry keys might be created:

Those entries might be created so that the ransomware loads with each and every restart of the operating system.

The Windows Registry might also be modified so that a .DLL file related to the ransomware runs. The following registry entry could be made:


According to the researchers at Proofpoint, the Bedep Trojan can create separate infections for the ransomware at the following paths:

  • C:\Users\%Username%\AppData\Local\Temp\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll
  • C:\Users\%Username%\AppData\Local\Temp\{D075E5D0-4442-4108-850E-3AD2874B270C}\api-ms-win-system-provsvc-l1-1-0.dll
  • C:\Users\%Username%\AppData\Local\Temp\{D4A2C643-5399-4F4F-B9BF-ECB1A25644A6}\api-ms-win-system-wer-l1-1-0.dll
  • C:\Users\%Username%\AppData\Local\Temp\{FD68402A-8F8F-4B3D-9808-174323767296}\api-ms-win-system-advpack-l1-1-0.dll

After that, CryptXXX locks all of your files, regardless of the extension they bear. The ransomware looks for files with more than 100 extensions to encrypt, among which are the following:

→ .aes, .ARC, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .class, .cmd, .cpp, .crt, .csr, .CSV, .dbf, .dch, .dcu, .dif, .dip, .djv, .djvu, .doc, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .eml, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .ldf, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .MYD, .MYI, .NEF, .obj, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .PAQ, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .qcow2, .rar, .raw, .RTF, .sch, .sldx, .slk, .sql, .SQLITE3, .SQLITEDB, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar, .bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wks, .wma, .wmv, .xlc, .xlm, .xls, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip

The newly appended file extension of each file is .crypt.

In addition, the ransomware will also try to steal Bitcoins from infected users, as well as passwords and other important credentials.


Above and below you can see examples of what the instructions on how to pay the ransom look like. These are the files that display them:

  • de_crypt_readme.bmp
  • de_crypt_readme.txt
  • de_crypt_readme.html
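The dropped DLL paths and the .crypt / de_crypt_readme.* artefacts above can be turned into a simple defender-side triage check. The script below is an added example, not code from the original post or from Proofpoint or Kaspersky: it walks a directory tree and reports .crypt files, the ransom note files, and api-ms-win-system-*.dll files sitting in a {GUID} folder under Temp (assumed heuristic: genuine API-set DLLs are not dropped in such folders), run here on a constructed sample tree.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the write-up: note names, .crypt suffix, Temp\{GUID}\api-ms-win-system-*.dll.
RANSOM_NOTES = {"de_crypt_readme.bmp", "de_crypt_readme.txt", "de_crypt_readme.html"}
ENCRYPTED_SUFFIX = ".crypt"
GUID_DIR = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
DROPPED_DLL = re.compile(r"^api-ms-win-system-[a-z0-9]+-l1-1-0\.dll$", re.IGNORECASE)


def scan_for_cryptxxx(root):
    """Walk `root` and collect the three kinds of CryptXXX artefacts by path."""
    hits = {"encrypted": [], "notes": [], "dropped_dlls": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in RANSOM_NOTES:
            hits["notes"].append(path)
        elif path.suffix.lower() == ENCRYPTED_SUFFIX:
            hits["encrypted"].append(path)
        elif (DROPPED_DLL.match(name) and GUID_DIR.match(path.parent.name)
              and path.parent.parent.name.lower() == "temp"):
            # Assumed heuristic: genuine API-set DLLs live in System32, not in a GUID folder under Temp.
            hits["dropped_dlls"].append(path)
    return hits


def build_sample_tree(base):
    """Constructed sample user profile (placeholder bytes, no real malware)."""
    base = Path(base)
    guid_dir = base / "AppData" / "Local" / "Temp" / "{C3F31E62-344D-4056-BF01-BF77B94E0254}"
    guid_dir.mkdir(parents=True)
    (guid_dir / "api-ms-win-system-softpub-l1-1-0.dll").write_bytes(b"placeholder")
    docs = base / "Documents"
    docs.mkdir()
    (docs / "report.docx.crypt").write_bytes(b"\x00" * 16)
    (docs / "photo.jpg.crypt").write_bytes(b"\x00" * 16)
    (docs / "de_crypt_readme.txt").write_text("constructed ransom note")
    (docs / "notes.txt").write_text("untouched file")
    sys32 = base / "System32"  # same DLL name in a legitimate location: must not be flagged
    sys32.mkdir()
    (sys32 / "api-ms-win-system-softpub-l1-1-0.dll").write_bytes(b"placeholder")
    return base


def demo():
    # Scan the constructed tree and return the number of hits per indicator kind.
    with tempfile.TemporaryDirectory() as tmp:
        hits = scan_for_cryptxxx(build_sample_tree(tmp))
        return {kind: len(paths) for kind, paths in hits.items()}
```

On a real machine you would point scan_for_cryptxxx at the user profile and external drives; a single .crypt hit next to a de_crypt_readme.* file is a strong signal even before any DLL is found.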

You are asked to pay around 1.2 Bitcoins or 500 US dollars within a five-day time frame. If you do not pay, the amount demanded will increase.

Contacting the ransomware creators and trying to pay the ransom is strongly NOT advised. No one can guarantee that your files will be restored. Paying the ransom not only helps cyber criminals but may also motivate them to make another variant of the malware.

With the help of Frank Ruiz, Proofpoint researchers have arrived at the conclusion that the ransomware is very tightly connected to the Angler EK and Dridex Botnet.

That can only mean that this ransomware could spread and attack on a massive scale. If you notice strange activity on your computer, shut it down; you might stop a raging ransomware from encrypting all of your data. In this forum topic you can find some useful tips about ransomware.

Remove CryptXXX Ransomware and Restore .crypt Encrypted Files

If CryptXXX ransomware has infected your computer, you should be swift in removing it, as it will try to lock files found on every storage device connected to your PC. If you are infected with this ransomware, you should have at least a little experience in removing malware. See the instructions written below to see how you can try to restore your files.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.



  1. Gergana Ivanova

    After the removal process .crypt files can be restored with RannohDecryptor. This video guide can help you with the decryption process:

  2. Josué David

    Hi Gergana

    I have a problem with the new variant, all my documents are encrypted with *.cript.
    I probed all Kaspersky tools, but none works with this variant.
    Please help me to recover my files.

    1. Gergana Ivanova

      Hi, Josué!

      Since there is a CryptXXX 3.0 version, .crypt files could not be restored by RannohDecryptor. The crooks are determined to outsmart the “white hats”, so this ransomware has evolved through three versions. The result of this game of outwitting is that even the cybercriminals can’t provide a working decryptor for this malware.

      I advise you not to reformat your drive until you try everything to get your files back.

      You can try to restore some of your files utilizing:

      – Shadow Explorer – you can find a download link above in this article. Choose “Step 3” from the automatic removal guide.

      – Data recovery software

      – Network Sniffer – if you haven’t deleted the ransomware, see what you can do using a network sniffer:

      And hopefully, an active decryption tool will be available soon.

      Write us if you have success and also if you need further help.
