Over the holidays a Christmas edition of the UltraDeCrypter ransomware was released and started infecting users. What makes this ransomware stand out is that it not only encrypts the videos, music, documents, pictures and other files on the infected computer, but also offers a Christmas discount on the ransom it demands from its victims. If you have been hit, we strongly urge you not to fall for its "Cryptsmas" trap and to follow the instructions in this article to restore your files instead.
| Threat Summary | |
|---|---|
| Short Description | UltraDeCrypter is the latest version of the CryptXXX ransomware. It encrypts your files and demands money to decrypt them, keyed to your personal ID. |
| Symptoms | Encrypted files are given a .cryp1, .crypt or other extension. A ransom note is created with links to specific Onion sites reachable through the Tor browser, asking for payment in exchange for access to the UltraDeCrypter program. |
| Distribution Method | Email Attachments, Executable Files, Exploit Kits |
| Detection Tool | See If Your System Has Been Affected by UltraCrypter (Malware Removal Tool) |
| User Experience | Join Our Forum to Discuss UltraCrypter. |
UltraDeCrypter CryptXXX Virus – More Information
This virus appends the .crypt, .cryp1 and other file extensions to the files it encrypts on compromised computers. The malware first appeared adding a .crypt extension to encrypted files and spreading through malicious attachments spammed by e-mail. A 2.0 version followed that used a different, unknown extension and demanded $500 from its victims. After decryptors were released for both versions, the ransomware returned in a 3.0 iteration, which was in turn decrypted by researchers at Kaspersky and Trend Micro. Those decryptors also worked on the next version of the virus, which renamed itself Cryp1 ransomware. Unlike the earlier variants, this one was spread by the Angler Exploit Kit and the Bedep downloader in addition to malicious attachments sent by e-mail. Below are some of the ransom notes the variants set as the victims' wallpaper:
This Christmas version of UltraDeCrypter does the same damage, and modifies the following registry entries:
Like the previous versions of the ransomware, this UltraDeCrypter iteration may also encrypt files with the following extensions, rendering them unopenable by the user:
→ .3dm, .aes, .ARC, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .class, .cmd, .cpp, .crt, .csr, .CSV, .dbf, .dch, .dcu, .dif, .dip, .djv, .djvu, .doc, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .eml, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .ldf, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .MYD, .MYI, .NEF, .obj, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .PAQ, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .qcow2, .rar, .raw, .RTF, .sch, .sldx, .slk, .sql, .SQLITE3, .SQLITEDB, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar.bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wks, .wma, .wmv, .xlc, .xlm, .xls, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, .zipx
After encryption the virus has also been reported to delete the Volume Shadow Copies on the affected computer, which matter if you rely on Windows' built-in System Restore or Previous Versions to get files back. It does this by running the following command with administrator privileges:
Interestingly, this version of the virus asks for 0.5 BTC, but pitches it in a holiday spirit:
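Shadow-copy deletion is one of the few loud, reliable signals a ransomware infection gives before the ransom note appears, so it is worth alerting on. The following is an added example for this article, not code from the page, from Kaspersky or from any other vendor: a small detector that runs over process-creation events (constructed here to resemble Sysmon Event ID 1 / Windows 4688 fields flattened to key=value text) and flags the standard ways of destroying shadow copies and disabling Windows recovery. Host, user and file names in the sample log are invented; the article's own screenshot of the command is not reproduced.

```python
"""Flag shadow-copy destruction in process-creation telemetry.

Added example for this article, not code from the page or from any vendor.
The log lines are constructed to resemble Sysmon Event ID 1 / Windows 4688
fields flattened to key=value text; field names and sample host, user and
file names are invented for the demo. The matched commands are the standard
ways of deleting or shrinking Volume Shadow Copies and disabling recovery.
"""
import re
from typing import Dict, List

# One rule per technique; all patterns are applied to the command line only.
SHADOW_RULES = {
    "vssadmin_delete_shadows":       re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete":        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog":        re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "bcdedit_disable_recovery":      re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "powershell_win32_shadowcopy":   re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I),
}

# Parent processes living in user-writable locations are typical of a dropper.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one flattened event into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one alert per rule that matches the event's command line."""
    cmdline = event.get("cmdline", "")
    parent = event.get("parent", "").lower()
    alerts = []
    for rule, pattern in SHADOW_RULES.items():
        if pattern.search(cmdline):
            alerts.append({
                "ts": event.get("ts", ""),
                "host": event.get("host", ""),
                "user": event.get("user", ""),
                "rule": rule,
                "cmdline": cmdline,
                "parent": event.get("parent", ""),
                # Heuristic: shadow deletion spawned from %AppData%/%Temp% is far
                # more likely to be malware than a backup agent run by a service.
                "suspicious_parent": any(d in parent for d in SUSPICIOUS_PARENT_DIRS),
            })
    return alerts


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan a whole log (one event per line) and collect alerts in log order."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alerts.extend(classify(parse_line(line)))
    return alerts


# Constructed sample: a benign listing, a dropper wiping recovery options,
# an unrelated process, and a storage resize run by a service account.
SAMPLE_LOG = """\
ts=2016-12-24T21:03:10Z host=WS01 user=alice parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin.exe list shadows"
ts=2016-12-24T21:07:42Z host=WS01 user=alice parent="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin.exe Delete Shadows /All /Quiet"
ts=2016-12-24T21:07:43Z host=WS01 user=alice parent="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" image="C:\\Windows\\System32\\wbem\\WMIC.exe" cmdline="WMIC.exe shadowcopy delete /nointeractive"
ts=2016-12-24T21:07:44Z host=WS01 user=alice parent="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" image="C:\\Windows\\System32\\bcdedit.exe" cmdline="bcdedit.exe /set {default} recoveryenabled No"
ts=2016-12-24T21:09:00Z host=WS02 user=bob parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe shadows.txt"
ts=2016-12-24T21:10:15Z host=WS03 user=SYSTEM parent="C:\\Windows\\System32\\services.exe" image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        flag = "!" if alert["suspicious_parent"] else " "
        print(f'{flag} {alert["ts"]} {alert["host"]} {alert["user"]:<7} {alert["rule"]:<30} {alert["cmdline"]}')
```

The benign `vssadmin list shadows` and the unrelated notepad launch produce no alert; the three commands spawned by the dropper in the user's Temp folder are flagged with a suspicious parent, while the storage resize run by a service is reported but left for the analyst to confirm against known backup software. Matching on the command line rather than the image path is deliberate: the same `vssadmin` binary is used legitimately every day, and it is the verb that carries the signal.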
Fortunately for many, this version of UltraDeCrypter is now decryptable, using either Kaspersky's RannohDecryptor or Trend Micro's decryption tool. Whichever you choose, we advise you to proceed methodically and follow the instructions below for maximum effectiveness and safety.
Remove UltraCrypter and Decrypt Your Files
The first step is to remove the malware from your computer without harming Windows. Before you do anything else, copy the encrypted files and the ransom note to external storage: a removal tool may quarantine files you still need, and decryptors are sometimes updated later. If you have experience removing malware you can delete the registry entries and malicious files manually; otherwise researchers advise using an advanced anti-malware program, or following the removal manual below.
Manually delete UltraCrypter from your computer
Note! Important notice about the UltraCrypter threat: manual removal requires editing system files and the registry, so a mistake can damage your PC. If your computer skills are not at a professional level, don't worry: you can still do the removal yourself in about 5 minutes using a malware removal tool.
Automatically remove UltraCrypter by downloading an advanced anti-malware program
After you have successfully removed the UltraDeCrypter Christmas ransomware, follow these steps to restore your files:
Step 1: Download Kaspersky's RannohDecryptor by clicking the button below:
Step 2: Extract RannohDecryptor.exe to your desktop or another location you can easily find:
Step 3: Run the decryptor and click the Start scan button:
Step 4: Choose an encrypted file and its original. The original must be the exact pre-encryption copy of that same file (for example from a backup, or an attachment you e-mailed to someone), not merely a similar file. Preferably choose a file that is smaller in size so that the process is faster. If you cannot find an original, look for default Windows files on another computer running the same Windows version, such as the default wallpapers.
Step 5: The decryptor will begin looking for a key. Once it finds one, it will decrypt your other files as well.
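Two things on this page call for the same bit of tooling: the list of targeted extensions above, which tells you what to look for, and Step 4, which needs an encrypted file paired with its exact original. The script below is an added example written for this article, not the page's code and not Kaspersky's RannohDecryptor. It walks a hit file tree, counts what was encrypted by ransom extension and by the original extension where the name still carries it, finds the ransom note by its .onion link, and matches encrypted files to the same paths in a clean backup so you have candidate originals for the decryptor. Its assumptions are labelled: that the ransomware appends .crypt or .cryp1 to the original name as the page describes (report.docx becomes report.docx.crypt), and that files given random names can only be counted, not paired by name. The sample tree is constructed in a temporary directory and its "encryption" is a byte XOR stand-in, not the real cipher.

```python
"""Triage a hit file tree and find known-plaintext pairs for the decryptor.

Added example for this article; not the page's code nor Kaspersky's tool.
Assumptions: the ransomware appends .crypt or .cryp1 to the original file
name (report.docx -> report.docx.crypt); files given random names are counted
but cannot be paired by name. The sample tree is constructed in a temporary
directory and its "encryption" is a byte XOR stand-in, not CryptXXX's cipher.
"""
import tempfile
from collections import Counter
from pathlib import Path
from typing import List, Optional, Tuple

RANSOM_EXTS = {".crypt", ".cryp1"}       # extensions named in the article
NOTE_EXTS = {".txt", ".html", ".htm"}   # where ransom notes usually land


def original_name(enc: Path) -> Optional[Path]:
    """report.docx.crypt -> report.docx; a random name with no inner extension -> None."""
    if enc.suffix.lower() not in RANSOM_EXTS:
        return None
    stripped = enc.with_suffix("")                # drop .crypt / .cryp1
    return stripped if stripped.suffix else None  # need an inner extension to pair on


def inventory(root: Path) -> Counter:
    """Count encrypted files by (ransom extension, inner extension or 'unknown')."""
    counts: Counter = Counter()
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in RANSOM_EXTS:
            orig = original_name(p)
            counts[(p.suffix.lower(), orig.suffix.lower() if orig else "unknown")] += 1
    return counts


def find_pairs(victim: Path, backup: Path) -> List[Tuple[Path, Path]]:
    """Match each encrypted file with the same relative path in a clean backup.

    The decryptor needs the exact pre-encryption bytes, so only a copy taken
    before the infection qualifies. Pairs come back sorted by the size of the
    clean copy so the analyst can pick a sample per the decryptor's guidance.
    """
    pairs = []
    for enc in victim.rglob("*"):
        if not enc.is_file():
            continue
        orig = original_name(enc)
        if orig is None:
            continue
        candidate = backup / orig.relative_to(victim)
        if (candidate.is_file() and candidate.stat().st_size > 0
                and candidate.suffix.lower() not in RANSOM_EXTS):
            pairs.append((enc, candidate))
    return sorted(pairs, key=lambda pair: pair[1].stat().st_size)


def find_ransom_notes(root: Path, max_bytes: int = 65536) -> List[Path]:
    """Small text/HTML files pointing at a Tor hidden service are the ransom note."""
    notes = [p for p in root.rglob("*")
             if p.is_file() and p.suffix.lower() in NOTE_EXTS
             and p.stat().st_size <= max_bytes
             and ".onion" in p.read_text(errors="ignore").lower()]
    return sorted(notes)


def build_demo_tree() -> Tuple[Path, Path]:
    """Constructed sample: a hit user profile plus a clean backup of it."""
    base = Path(tempfile.mkdtemp(prefix="cryptxxx_demo_"))
    victim, backup = base / "victim", base / "backup"
    clean = {"Documents/report.docx": b"Q4 report " * 300,          # 3000 bytes
             "Pictures/holiday.jpg": b"\xff\xd8" + b"\x00" * 2000,  # 2002 bytes
             "Music/song.mp3": b"ID3" + b"\x01" * 500}
    for rel, data in clean.items():
        for root in (victim, backup):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    # Simulate the infection (XOR is only a stand-in for the real cipher):
    # two files keep their name plus the ransom extension, one is renamed outright.
    for rel, ext in (("Documents/report.docx", ".crypt"), ("Pictures/holiday.jpg", ".cryp1")):
        src = victim / rel
        src.with_name(src.name + ext).write_bytes(bytes(b ^ 0x5A for b in src.read_bytes()))
        src.unlink()
    (victim / "Music/song.mp3").unlink()
    (victim / "Music/5e6f7a8b9c0d1e2f.cryp1").write_bytes(b"\x00" * 500)
    (victim / "Documents/HOW_TO_DECRYPT.txt").write_text(
        "Your files are encrypted. Buy UltraDeCrypter at http://example.onion/\n")
    return victim, backup


if __name__ == "__main__":
    victim, backup = build_demo_tree()
    for key, n in sorted(inventory(victim).items()):
        print(f"{n:4d}  {key[0]} (was {key[1]})")
    for enc, orig in find_pairs(victim, backup):
        print(f"pair: {enc.relative_to(victim)}  <-  {orig.relative_to(backup)}")
    for note in find_ransom_notes(victim):
        print(f"note: {note.relative_to(victim)}")
```

Run against a real profile, point `victim` at the user's folders and `backup` at a pre-infection copy (a mounted backup image, a file-server snapshot, or a sync-client folder) and feed one of the returned pairs to the decryptor in Step 4. A pair is only useful if the backup copy is byte-identical to what was encrypted, which is why the matching is done by path and the note reminds you to reject anything that was itself touched.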
If those instructions are not clear enough, or you prefer to watch a demonstration, see our decryption video for UltraDeCrypter/Cryp1/CryptXXX below:
UltraDeCrypter Ransomware Decryption Conclusion
The Cryp1/UltraDeCrypter virus is, fortunately, the kind of malware that was cracked very quickly by white-hat researchers, and decryptors were published so that users do not have to pay the ransom. You could call it a failed project relative to what the criminals invested in spamming it. However, many other ransomware families, such as the Locky and Cerber variants, are not decryptable, which is why we advise good data management, including offline backups that an infected machine cannot reach, and recommend the following article to learn more about storing data safely: