Ransom:Win32/Criakl.C, as the name suggests, is a ransomware spread as a legitimate-looking application that can be downloaded online. Once installed, Ransom:Win32/Criakl.C will encrypt a number of files on the affected computer, and demand a ransom for their decryption.
According to Microsoft’s experts, Ransom:Win32/Criakl.C uses a file with the name winrar.exe, designed to make you think that you are dealing with a legitimate app, so you would download it.
Ransom:Win32/Criakl.C is capable of duplicating itself on the compromised machine and drops the following files:
- The ransom message that appears on the victim’s desktop – destop.bmp
- A file containing the ID number of the infection (mentioned in the ransomware note) – temp (a random three digit number).tmp
Ransom:Win32/Criakl.C will not encrypt all the files on the infected PC; the ransomware targets text files, documents, pictures, .zip files. When a file is corrupted by Ransom:Win32/Criakl.C, ‘.id’ extension is added to the file. This extension will also contain a thirty-six digit number, date, time (hours, minutes, and seconds), followed by a random seven digit number and an email address.
Once the files are encrypted, a ransom message in Russian language is displayed on the desktop of the victim.
→YOUR FILES HAVE BEEN ENCRYPTED!
Fantomas is angry, and he has encrypted all your files! Office files too.
But don’t worry, he will return them to you if you send him an email and offer him a certain amount of money.
Don’t forget to add the fanto-id that you will find at the end of the name of every encrypted file.
Fantomas does not like to leave traces, and that’s why if you don’t pay the fee within 48 hours, he will delete the decryption key, and it will be impossible to decrypt your files!
Experts recommend you do not pay the ransom because there is no guarantee that you will have your system unlocked, and your files decrypted as it is stated in the message.
Make sure to backup your files on a regular basis and perform your downloads from verified sources only.
How to Remove Ransom:Win32/Criakl.C and Restore the Encrypted Files
Stage One: Remove Ransom:Win32/Criakl.C
1. First and most important – download and install a legitimate and trustworthy anti-malware scanner, which will help you run a full system scan and eliminate all threats.
Spy Hunter FREE scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the malware tool. Find Out More About SpyHunter Anti-Malware Tool
2. Run a second scan to make sure that there are no malicious software programs running on your PC. For that purpose, it’s recommended to download ESET Online Scanner.
Your PC should be clean now.
Stage Two: Restore the Encrypted Files
Option 1: Best case scenario – You have backed up your data on a regular basis, and now you can use the most recent backup to restore your files.
Option 2: Try to decrypt your files with the help of Kaspersky’s RectorDecryptor.exe and RakhniDecryptor.exe. They might help you in the process but keep in mind that they were not specially designed to encrypt information that was decrypted by this particular ransomware.
Option 3: Shadow Volume Copies
1. Install the Shadow Explorer, which is available with Windows Vista, Windows 7, Windows 8 and Windows XP Service Pack 2.
2. From Shadow Explorer’s drop down menu choose a drive and the latest date you would like to restore information from.
3. Right-click on a random encrypted file or folder then select “Export”. Select a location to restore the content of the selected file or folder.
Remove Ransom:Win32/Criakl.C Automatically with Spy Hunter Malware – Removal Tool.
To clean your computer with the award-winning software Spy Hunter –
It is highly recommended to run a FREE scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter.