UltraDeCrypter Virus – Decrypt Files for Free - How to, Technology and PC Security Forum | SensorsTechForum.com

UltraDeCrypter Virus – Decrypt Files for Free

This material aims to help you remove the UltraDeCrypter (Cryp1 or CryptXXX) ransomware and decrypt encrypted files using the free decryptors.

During the holidays, a Christmas version of the UltraDeCrypter ransomware was released and started infecting users. What is specific about this ransomware is that it not only encrypts important videos, music, documents, pictures and other files on the infected computer, but also offers a Christmas discount on the ransom demanded from the victims whose computers it attacks. If you have become a victim of this ransomware, we strongly urge you not to fall for its “Cryptsmas” trap and to follow the instructions in this article to restore your files.

Threat Summary

Short Description: UltraDeCrypter is the latest version of the CryptXXX ransomware. It encrypts your files and demands money for decrypting them, identifying you by your personal ID.
Symptoms: The ransomware encrypts files and appends the .cryp1, .crypt or other extensions. It creates a ransom note with links to specific Onion sites reachable via the Tor browser, and asks for payment to supposedly provide access to the UltraDeCrypter program.
Distribution Method: Email attachments, executable files, exploit kits

UltraDeCrypter CryptXXX Virus – More Information

This virus uses the .crypt, .cryp1 and other file extensions for the files it encrypts on compromised computers. The malware first appeared appending a .crypt extension to encrypted files and spread through malicious files spammed by e-mail. Later, a 2.0 version appeared that used an unknown file extension and demanded $500 from its victims. After a decryptor had been released for both versions, the ransomware came out in a 3.0 iteration, which was decrypted by researchers at both Kaspersky and Trend Micro. The decryptors also worked for the later version of the virus, which renamed itself Cryp1 ransomware. Unlike the others, this virus was delivered through the Angler Exploit Kit and the Bedep Exploit Kit as well as through malicious file attachments sent by e-mail. Below is a selection of the ransom notes the viruses set as the victims' wallpaper:

The Christmas version of UltraDeCrypter replaces the wallpaper in the same way, and it also modifies the following registry entry:

→ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Similar to the previous versions of the ransomware, this UltraDeCrypter iteration may also attack files with the following extensions, rendering them no longer openable by the user:

→ .3dm, .aes, .ARC, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .class, .cmd, .cpp, .crt, .csr, .CSV, .dbf, .dch, .dcu, .dif, .dip, .djv, .djvu, .doc, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .eml, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .ldf, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .MYD, .MYI, .NEF, .obj, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .PAQ, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .qcow2, .rar, .raw, .RTF, .sch, .sldx, .slk, .sql, .SQLITE3, .SQLITEDB, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar, .bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wks, .wma, .wmv, .xlc, .xlm, .xls, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, .zipx

After encryption, the virus has also been reported to delete the shadow volume copies on the affected computer, which matter greatly if you rely on them as a backup on your Windows PC. This is done by running a shadow copy deletion command with administrator privileges.
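As an added illustration that is not part of the original article or of any vendor tool, the following PowerShell script performs a read-only check for the two effects described above: whether the Winlogon Shell value still holds the Windows default (assumed here to be explorer.exe) and whether any volume shadow copies remain. It assumes it is run from an elevated PowerShell prompt; it changes nothing on the system and is meant to help confirm the infection before the removal steps that follow.

```powershell
# Added example (not from the article or any vendor tool): read-only triage of
# the Winlogon Shell value and the remaining VSS snapshots. Assumes an elevated
# prompt and that the clean default Shell value is "explorer.exe".

$WinlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedShell = 'explorer.exe'   # assumption: stock Windows default

function Test-WinlogonShell {
    # Read the Shell value; when it is absent Windows falls back to explorer.exe.
    $props = Get-ItemProperty -Path $WinlogonKey -Name 'Shell' -ErrorAction SilentlyContinue
    if ($null -eq $props -or [string]::IsNullOrEmpty($props.Shell)) {
        return [pscustomobject]@{ Check = 'Winlogon Shell'; Status = 'OK'; Detail = 'value absent (default explorer.exe applies)' }
    }
    # Anything other than the bare default (an extra path, a second executable)
    # means something else is launched at logon and deserves a closer look.
    if ($props.Shell.Trim() -ieq $ExpectedShell) {
        return [pscustomobject]@{ Check = 'Winlogon Shell'; Status = 'OK'; Detail = $props.Shell }
    }
    return [pscustomobject]@{ Check = 'Winlogon Shell'; Status = 'SUSPICIOUS'; Detail = $props.Shell }
}

function Test-ShadowCopies {
    # Win32_ShadowCopy enumerates existing VSS snapshots. An empty list on a
    # machine that had System Protection enabled is consistent with the
    # shadow copy deletion described above.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    if ($shadows.Count -eq 0) {
        return [pscustomobject]@{ Check = 'Shadow copies'; Status = 'NONE'; Detail = 'no VSS snapshots found' }
    }
    $newest = ($shadows | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
    return [pscustomobject]@{ Check = 'Shadow copies'; Status = 'OK'; Detail = "$($shadows.Count) snapshot(s), newest $newest" }
}

$results = @(
    (Test-WinlogonShell)
    (Test-ShadowCopies)
)
$results | Format-Table -AutoSize
```

A SUSPICIOUS Shell value or an empty shadow copy list matches the behaviour the article describes. Record the reported Shell value before cleaning it up, since the path it points to is the file the removal step needs to find; once the malware is gone, the value can be set back to explorer.exe.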

What is interesting is that this version of the virus asks for 0.5 BTC, but does so in a holiday spirit:

Source: Forcepoint

Fortunately for many, this version of UltraDeCrypter is now decryptable, using either Kaspersky’s Rannoh decryptor or Trend Micro’s decryption tool. Whatever the case may be, we advise you to do this methodically by following the instructions below for maximum effectiveness and safety.

Remove UltraDeCrypter and Decrypt Your Files

The first step of the process is to remove this malware from your computer without harming Windows. You can manually delete the registry entries and malicious files if you have experience removing malware, but for maximum effectiveness researchers advise using an advanced anti-malware program to do it, or following the removal manual below.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.

