Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove RSA4096 Ransomware and Restore .Crypt Encrypted Files

password-brute-force-stforumA new ransomware variant has been detected out into the open. It is very cleverly designed because it uses CryptoWall ransomware’s ransom note and it does not use any name to evade identification. Furthermore, the ransomware may use a strong RSA encryption cipher to encode the files of the affected user adding a .crypt extension to them. All users who have been affected by this crypto-malware are strongly advised to use the manual illustrated after the article to remove this malware from their computer effectively and then try to use the alternatives suggested below to restore their data.

NameRSA4096
TypeRansomware
Short DescriptionThe malware encrypts the user’s files appending the .crypt file extension.
SymptomsThe user may witness his files to become corrupted and a ransom message as a html file, txt document as well as a picture file..
Distribution MethodVia malicious URLs, Malicious e-mail attachments.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by RSA4096
User Experience Join our forum to discuss RSA4096.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.Crypt Ransomware – How Does It Infect

This particular crypto-malware uses several means to drop its malicious executable on the targeted computer. The two types of infection methods may be classified as follows:

  • Malicious URLs.
  • Malicious files.

The malware may be redistributed in various websites via a different type of spam. The spam may be via spam-bots that target websites, such as ghost referrals or web crawlers or spiders. However, you may also encounter malicious Microsoft Word, Excel, PDF files or URLs sent out as attachments in fake spam e-mails, such as the one in the picture below:

malicious-email-spam-links-sensorstechforum

.Crypt Ransomware In Detail

Once its malicious payload carrying file is activated on the user PC, the ransomware may situate malicious files in the following Windows folders:

commonly used file names and folders

Some of the malicious files that are reported by security researchers are the ones containing the ransom message, dropped in various locations:

  • de_crypt_readme.bmp
  • de_crypt_readme.html
  • de_crypt_readme.txt

The Trojan is also reported to tamper with the registry key which allows it to change your wallpaper to its ransom message. Symantec researchers have reported it to use the following data and values to modify the wallpaper:

  • HKEY_CURRENT_USER\Control Panel\Desktop\”TileWallpaper” = “0”
  • HKEY_CURRENT_USER\Control Panel\Desktop\”Wallpaper” = “[PATH TO ENCRYPTED FILES]\de_crypt_readme.bmp”

The encryption process of the ransomware involves the .crypt file extension which is put after the files have been encrypted and is the same as Chimera Ransomware. An encrypted file may look like the following example:

  • New Text Document.txt.crypt

The .crypt ransomware is believed to be a variant of the Cryptolocker family. Also, according to Symantec researchers, it encrypts files that have the following file extensions:

→ .aes .ARC .asc .asf .asm .asp .avi .bak .bat .bmp .brd .cgm .class .cmd .cpp .crt .csr .CSV .dbf .dch .dcu .dif .dip .djv .djvu .doc .DOC .docb .docm .docx .DOT .dotm .dotx .eml .fla .flv .frm .gif .gpg .hwp .ibd .jar .java .jpeg .jpg .key .lay .lay6 .ldf .max .mdb .mdf .mid .mkv .mml .mov .mp3 .mp4 .mpeg .mpg .ms11 .MYD .MYI .NEF .obj .odb .odg .odp .ods .odt .otg .otp .ots .ott .PAQ .pas .pdf .pem .php .png .pot0 .potm .potx .ppam .pps .ppsm .ppsx .PPT .pptm .pptx .psd .qcow2 .rar .raw .RTF .sch .sldx .slk .sql .SQLITE3 .SQLITEDB .stc .std .sti .stw .svg .swf .sxc .sxd .sxi .sxm .sxw .tar .tar.bz2 .tbk .tgz .tif .tiff .txt .uop .uot .vbs .vdi .vmdk .vmx .vob .wav .wks .wma .wmv .xlc .xlm .xls .XLS .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .zip

The ransom note displays the following demands by the cyber crooks which are almost identical to CryptoWall 3.0:

→ NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen?
!!! Specially for your PC was generated personal RSA4096 Key, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program, which is In our Secret Server
What do I do?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is not another way to get your files except make a payment
Your personal ID:{alpha-numerical identification number}
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
{personal-id-links}
If for some reasons the addresses are not available, follow these steps
1-Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2-Video Instruction: https://www.youtube.com/watch?vNQrUZdsw2hA
3-After a successful installation, run the browser.
4-Type in the address bar: {link to personal identification}

Remove RSA4096 Ransomware and Try To Revert Your Files

The removal process of this ransomware should be performed relatively the same way as if you are dealing with a Trojan. For maximum effectiveness, we recommend following the removal instructions below.

Regarding file decryption, you must be advised that for the moment, no direct decryption method is available, since the variant for this ransomware is relatively new. However, the good news is that in step “4. Restore files encrypted by RSA4096” we have suggested general methods for file decryption and restoration which you are open to trying out.

1. Boot Your PC In Safe Mode to isolate and remove RSA4096
2. Remove RSA4096 with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by RSA4096 in the future
4. Restore files encrypted by RSA4096
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the RSA4096 threat: Manual removal of RSA4096 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

  • sol cutta

    My windows 8.1 laptop was infected today by this rsa4096 .crypt file extension.
    I was downloading a programme for abode video downloading software from google search engine (quite near the top of the search engine result list) when my wallpaper was changed to the ransom demand and also the usual (so I find as I read) other
    !recovery notes under network locations below my drives and devices.
    How mental has the internet become when you cant trust any seemingly reputable urls esp high up the list on google search, maybe im a bit net illiterate only having used the internet in the last 2 months for first time ever.
    The last two months ive been catching up with films from bitlord as my main reason for using the net and downloaded around 800gb of movies.
    Im not sure im going to be able to restore these files and my fiances personal pictures are also in a folder, hopefully she has not deleted her originals.
    I guess others are not so fortunate and have really valuable files to lose and my files may seem flippant being replaceable, redownloadable movies, however the time to redo them all is considerable,id rather hope I can find a way of restoring them.
    What luck that I find myself being fortunate to aquire a new variant (irony there of course!)
    Iam peeved to say the least as I put a lot of time and effort into my files and haven’t even seen most.
    Back in days of hdd recorders I was unfortunate to lose 80gb of tv films and series because of hardware failure and thought losing my files was a thing of the past, until I find myself welcomed to the criminal internet by these morons who exploit the untechnical minded.
    Iam unable to pay the ransom fee even if I wished to take a chance being out of work presently so I now will have to read thru mountains of confusing literature, try and find free software because I cant afford to pay subscriptions etc.
    Or just do a complete system restore?? I take it that would solve the infection issue however losing all my files at same time..
    RIGHT at this moment that feels the only route ill be able to take being limited to internet allocated time being a pay as u go customer and not sure if I can afford next months £25 rental..
    So, someone out there has given my night a good twist in the back just as I was settling down to relax with some old Alfred Hitchcock presents..
    Instead my early morning to mid afternoon,if not mid evening will be instead trying to discover how to sort this all out….and the moron who instigated this into my system wont be getting a penny from me,so my time wasted prob a lot more than his but I hope many people refuse to pay so these threats die a death, although its unlikely they will if the user/criminal doesn’t have to pay much to use them.
    Why aren’t the police actively doing more to safeguard us against these kinds of things? im sure some will comment and say, well you download movies..isn’t that much different but I have many hundreds of paid for dvds in my collection and the things I download are not available to buy in uk on dvd or I would happily own the originals…

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.