The CryptXXX 3.0 ransomware virus is back with a new variant. Files are encrypted with a .crypz extension. This time, the ransomware is more ruthless than before. Not only does it spread more aggressively through exploit kits but the newest variant may come with an infostealer called StillerX.
When encryption is finished, the ransomware will give you a personal ID, which you are supposed to use to pay for decryption. To see how to remove this ransomware virus and what you could do to recover your files, you should read the whole article.
|Short Description||The latest variant of the CryptXXX ransomware. Encrypts your files (including ones found on network drives) and asks money for decryption giving you a personal ID for the purpose.|
|Symptoms||The ransomware encrypts files with a .crypz extension. Creates a ransom note and gives links to specific sites, based on the Tor browser. It asks for payment to supposedly give access to a decrypter.|
|Distribution Method||Email Attachments, Executable Files, Exploit Kits|
|Detection Tool|| See If Your System Has Been Affected by Crypz Ransomware |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Crypz Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Crypz Ransomware – How Did I Get Infected?
Crypz ransomware can infect you through more than one way. Exploit kits remain the main cause of the infection being spread so rapidly. The exploit kits that are mainly used are Angler EK and Bedep EK. Other exploits might be involved as well, including the EITest malware campaign, which redirects to Angler, from compromised sites and hijacked sub-domains.
Spam emails continue to be a common factor in the spread of the Crypz ransomware. The emails have attached files which contain an executable file with malicious code. The malware code could be the actual ransomware, or other malware delivering files for the real threat to a compromised device.
Another well-known way for spreading the Crypz infection is via social media and file-share networks. DropBox was used in the past for spreading previous variants of the virus, disguised as something else like a useful app. You should be very wary of what you are downloading, opening or clicking, especially from a source with unknown origin. Steer away from suspicious links and files is the best tip to follow in such a situation.
Crypz Ransomware – Technical Information
The CryptXXX ransomware is back with a bang. The name UltraCrypter doesn’t seem to be in play anymore. This time, it can infect network drives, comes with an infostealer which can extract account credentials and passwords from a victim’s computer. For more information about these new capabilities of the ransomware, read the article on CryptXXX Version 3.100
The newest variant of the ransomware is dubbed Crypz and asks for money to be paid as ransom. If left unpaid the price rises. Files have a .crypz and that’s from where the name comes from. Once infected a registry key is created associated with the virus:
A .html file is created when encryption is completed and the name of the file may be random. The file opens a browser to show the .html code. This is done for one reason – to make the links given inside clickable. This file spreads copies of itself around numerous locations which have encrypted files. The same file with the text inside is made into a .bmp picture as well. The picture is set as a desktop background after the encryption process.
You can have a look at the .bmp file down here:
The file contains various hyperlinks and a changed version of the sites for decryption. The sites might redirect you to other pages for payment which indicates that cyber criminals have multiple domains created for the task. The file shown above reads:
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment
Your personal ID:
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
If for some reasons the addresses are not available, follow these steps:
1 – Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 – After a successful installation, run the browser
3 – Type in the address bar http://
4 – Follow the instructions on the site
Be sure to copy your personal ID and the instructions link to your notepad not to lose them.
If you follow any of the provided web links which are displayed, you will see the following page load:
Entering your personal ID number will get you inside the system of the decryption service. Inside, you will find full payment instructions as past variants:
Your files are encrypted
If you do not pay for decrypting until [Date], the decryption cost will increase 2 and will be 1008 USD
We present you a special software that will allow you to decrypt your files.
How to buy the Decryption Tool?
1. You can pay using Bitcoin, getting them by the way most convenient for you.
2. You need to create a Bitcoin-wallet (e-wallet or other method).
3. Buy Bitcoin on one of the trading platforms.
4. Send 1.2 BTC to Bitcoin address.
5. Enter the ID of your Bitcoin-transaction.
6. Please check payment information you mentioned and click on “PAY” (Attention! Do not provide incorrect information! Otherwise, the payment amount will be increased by several times, or your account will be blocked!)
The price initially asked is 1.2 BitCoins, which equals a sum of about 500 US dollars. You will have up to five days or to a week to pay. If you don’t make a payment, the price increases, but there is no threat that your files are going to be erased or lost.
Do NOT pay the notorious cyber criminals. They show no signs of stopping and paying them will only get them what they want. The more money they collect, the bigger stimulus they have to make their ransomware stronger. Users have reported to us that they have paid the ransom and received non-working keys.
Researchers from Kaspersky and TrendMicro have developed free decrypt tools for previous variants of the ransomware, and we expect that they will update their tools. If not, hopefully, other researchers rise and make a new such tool.
The Crypz ransomware encrypts files with the extensions encrypted by CryptXXX 3.0:
→.3dm, .aes, .ARC, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .class, .cmd, .cpp, .crt, .csr, .CSV, .dbf, .dch, .dcu, .dif, .dip, .djv, .djvu, .doc, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .eml, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .ldf, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .MYD, .MYI, .NEF, .obj, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .PAQ, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .qcow2, .rar, .raw, .RTF, .sch, .sldx, .slk, .sql, .SQLITE3, .SQLITEDB, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar, .bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wks, .wma, .wmv, .xlc, .xlm, .xls, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, .zipx
The extension list may have new additions with the new variant, but the previous extensions are surely still being encrypted. After the encryption process is done, all files found on your PC and network will get a second extension added as their appendix – .crypz.
Crypz ransomware deletes Shadow Volume Copies from Shadow Explorer in the Windows Operating System same as previous variants of the ransomware do.
Malware researchers came up with free decrypt tools for previous variants of the ransomware – you can read more about it in the Cryp1 (UltraCrypter) article. Continue reading further, to see what you can try doing about the file decryption while we wait for a fully working decrypt software.
Remove Crypz Ransomware and Restore .Crypz Files
If your computer got infected with Crypz, you should have some experience in removing viruses. You should get rid of Crypz ransomware as soon as possible because it will keep encrypting files. What’s worse, if not dealt with, the ransomware virus will infect others over your network. The recommended thing to do is to remove the virus and follow the step-by-step instructions guide provided here.