UltraDeCrypter Virus – Decrypt Files for Free - How to, Technology and PC Security Forum | SensorsTechForum.com

UltraDeCrypter Virus – Decrypt Files for Free

This material aims to help you remove UltraDeCrypter(Cryp1 or CryptXXX) Ransomware and decrypt encrypted files using the free decryptors.

During the holidays, a Christmas version of the UltraDeCrypter ransomware was just released and started infecting users. What is specific about this ransomware is that not only it encrypts important videos, music, documents, pictures and other files of the infected computer, but it also offers a Christmas discount on the ransom that is to be paid by the victims whose computers the virus attacks. In case you have become a victim of this ransomware, we strongly urge you not to fall for it’s “Cryptsmas” trap and follow the instructions on this article to restore your files.

Threat Summary

Short DescriptionUltraDeCrypter is the latest version of the CryptXXX ransomware. It will encrypt your files and ask money for decrypting them by using your personal ID.
SymptomsThe ransomware encrypts files with a .cryp1, .crypt or other extensions. It creates a ransom note and gives links to specific Onion sites, based on the Tor browser. It asks for payment to supposedly provide access to UltraDeCrypter program.
Distribution MethodEmail Attachments, Executable Files, Exploit Kits
Detection Tool See If Your System Has Been Affected by UltraCrypter


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss UltraCrypter.

UltraDeCrypter CryptXXX Virus – More Information

The .crypt, .cryp1 and other file extensions are used by this virus to encrypt the files on compromised computers. The malware has first come up using a .crypt file extension after encryption of the files and causing infection via malicious files spammed by e-mail. Later on, the virus came up with a 2.0 version that uses an unknown file extension and demanded $500 from it’s victims to pay. After a decryptor has been released for both versions, the ransomware came out in a 3.0 iteration which was decrypted by both Kaspersky and TrendMicro WhiteHats. The decryptors also worked for the latter version of the virus, renaming itself to Cryp1 ransomware. This virus, unlike the others used Angler Exploit Kit as well as Bedep Exploit Kit via malicious file attachments uploaded by e-mail. Here is a mixture of some of the ransom notes used by the viruses when the wallpapers of the victims were changed:

This damage is also done by this Christmas version of UltraDeCrypter ransomware which modifies the following registry entries:

→ HKLM/Software/Microsoft/WindowsNT/CurrentVersion/Winlogon/Shell

Similar to the previous versions of the ransomware, this UltraDeCrypter iteration may also attack the following file extensions to render them no longer openable by the user:

→ 3dm, .aes, .ARC, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .class, .cmd, .cpp, .crt, .csr, .CSV, .dbf, .dch, .dcu, .dif, .dip, .djv, .djvu, .doc, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .eml, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .ldf, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .MYD, .MYI, .NEF, .obj, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .PAQ, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .qcow2, .rar, .raw, .RTF, .sch, .sldx, .slk, .sql, .SQLITE3, .SQLITEDB, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar, .bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wks, .wma, .wmv, .xlc, .xlm, .xls, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, .zipx

After encryption the virus has also been reported to cause a deletion of the shadow volume copies on the affected computer, which are very important if you have set up backup on your Windows PC. This is achievable by performing the following command as administrator:

What is interesting is that this version of the virus asks for 0.5 BTC but it does it in a holiday spirit:

Source: Forcepoint

Fortunately for many, this version of UltraDeCrypter is now decryptable and it can be decrypted via either Kaspersky’s Rannoh decryptor or TrendMicro’s decryption tool. Whatever the case may be, we advise you to do this methodologically by following the instructions below for maximum effectiveness and safety.

Remove UltraCrypted and Decrypt Your Files

The first deed of the process is to remove this malware from your computer without harming Windows. You can manually delete the registry entries and malicious files if you have experience removing malware, but for maximum effectiveness researchers advise using an advanced anti-malware program to do it or following the removal manual below.

Manually delete UltraCrypter from your computer

Note! Substantial notification about the UltraCrypter threat: Manual removal of UltraCrypter requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove UltraCrypter files and objects
2. Find malicious files created by UltraCrypter on your PC
3. Fix registry entries created by UltraCrypter on your PC

Automatically remove UltraCrypter by downloading an advanced anti-malware program

1. Remove UltraCrypter with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by UltraCrypter in the future

After you have deleted UltraDeCrypter Christmas Ransomware successfully you should follow these steps to restore your files:

Step 1: Download Kaspersky’s Rannoh decryptor by clicking on the button below:

Step 2: Extract the RannohDecryptor.exe file to your desktop or somewhere where you can easily locate it:


Step 3: Run the decryptor and click on the Start Scan button:


Step 4: Choose an encrypted file and an original file, preferably choose a file that is smaller in size so that the process is faster. If you cannot find an original file, make sure to look for default Windows photos on another computer, like the default wallpapers for example.



Step 5: The decryptor will begin looking for a key. After it finds one, it will decrypt your other files as well.

In case those instructions are not clear enough for you or you prefer to watch a demonstration, we advise you to check our decryption video for UltraDeCrypter/Cryp1/CryptXXX below:

UltraDeCrypter Ransomware Decryption Conclusion

The Cryp1 UltraDeCrypter virus is fortunately the type of malware that was very quickly cracked by White Hat hackers and decryptors were published so that users do not have to pay the ransom. So you could say it may be a failed project for the investments the cyber-crooks put in to spam it. However, there are many other ransomware viruses, like the Locky and Cerber ransomware variants that are not decryptable, so this is why we advise you to have good data management and read the following article to learn more about storing data safely:

Safely Store Your Files and Protect Them From Malware

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.