During the holidays, a Christmas version of the UltraDeCrypter ransomware was released and started infecting users. What is specific about this ransomware is that it not only encrypts important videos, music, documents, pictures and other files on the infected computer, but also offers a Christmas discount on the ransom demanded from the victims whose computers it attacks. In case you have become a victim of this ransomware, we strongly urge you not to fall for its "Cryptsmas" trap and to follow the instructions in this article to restore your files.
| Threat Summary | |
|---|---|
| Short Description | UltraDeCrypter is the latest version of the CryptXXX ransomware. It encrypts your files and demands money for decrypting them, using your personal ID. |
| Symptoms | The ransomware encrypts files with a .cryp1, .crypt or other extension. It creates a ransom note and gives links to specific Onion sites, reachable through the Tor browser. It asks for payment to supposedly provide access to the UltraDeCrypter program. |
| Distribution Method | Email Attachments, Executable Files, Exploit Kits |
UltraDeCrypter CryptXXX Virus – More Information
The .crypt, .cryp1 and other file extensions are appended by this virus to the files it encrypts on compromised computers. The malware first appeared using a .crypt file extension for encrypted files and spreading through malicious files spammed by e-mail. Later, a 2.0 version came out that used an unknown file extension and demanded $500 from its victims. After a decryptor had been released for both versions, the ransomware came out in a 3.0 iteration, which was decrypted by both Kaspersky and TrendMicro white-hat researchers. The decryptors also worked for the later version of the virus, which renamed itself Cryp1 ransomware. Unlike the others, this virus used the Angler Exploit Kit as well as the Bedep Exploit Kit, in addition to malicious file attachments sent by e-mail. Here is a mixture of some of the ransom notes the viruses set as the victims' wallpapers:
This Christmas version of UltraDeCrypter ransomware does the same damage and modifies the following registry entries:
Similar to the previous versions of the ransomware, this UltraDeCrypter iteration may also attack files with the following extensions, rendering them no longer openable by the user:
→ 3dm, .aes, .ARC, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .class, .cmd, .cpp, .crt, .csr, .CSV, .dbf, .dch, .dcu, .dif, .dip, .djv, .djvu, .doc, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .eml, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .ldf, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .MYD, .MYI, .NEF, .obj, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .PAQ, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .qcow2, .rar, .raw, .RTF, .sch, .sldx, .slk, .sql, .SQLITE3, .SQLITEDB, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar, .bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wks, .wma, .wmv, .xlc, .xlm, .xls, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, .zipx
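As an added illustration (not code from the original article), the following Python helper triages a file listing against the two facts above: the appended .crypt/.cryp1 extensions and the list of targeted file types. It assumes encrypted files keep their original name with the ransom extension appended (e.g. `report.docx.crypt`), and uses only a small subset of the page's extension list; the sample paths are constructed.

```python
from collections import Counter
from pathlib import Path

# Extensions the CryptXXX/UltraDeCrypter family appends to encrypted files (from the article).
RANSOM_EXTS = {".crypt", ".cryp1"}

# Subset of the targeted file types listed in the article; extend with the full list as needed.
TARGETED_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
                 ".mp3", ".sql", ".vmdk", ".zip", ".txt"}

# Constructed sample listing, as a triage script would collect it from a victim machine.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/report.docx.crypt",
    "C:/Users/alice/Pictures/holiday.jpg.cryp1",
    "C:/Users/alice/Documents/notes.txt",
    "C:/Users/alice/Desktop/README.txt.crypt",
    "C:/Windows/System32/kernel32.dll",
    "C:/Users/alice/Music/song.mp3",
]


def classify(name: str):
    """Classify one path: ('encrypted', original_ext) when it carries a ransom
    extension (assumption: original name kept, so 'a.docx.crypt' -> '.docx'),
    ('at_risk', ext) for an untouched targeted type, else ('other', ext)."""
    path = Path(name)
    suffix = path.suffix.lower()
    if suffix in RANSOM_EXTS:
        original = Path(path.stem).suffix.lower()  # suffix before the ransom extension
        return "encrypted", original or "<unknown>"
    if suffix in TARGETED_EXTS:
        return "at_risk", suffix
    return "other", suffix


def triage(names):
    """Count files per class and tally the original types of encrypted files,
    so the decryptor run can be scoped and prioritised before anything is touched."""
    counts, originals = Counter(), Counter()
    for name in names:
        cls, ext = classify(name)
        counts[cls] += 1
        if cls == "encrypted":
            originals[ext] += 1
    return counts, originals


def scan_directory(root):
    """Apply triage() to every regular file under root (read-only walk)."""
    return triage(str(p) for p in Path(root).rglob("*") if p.is_file())


if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```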
After encryption, the virus has also been reported to delete the Shadow Volume Copies on the affected computer, which matter because Windows' restore points and "Previous Versions" backups depend on them. This is done by running the following command as administrator:
What is interesting is that this version of the virus asks for 0.5 BTC, but does so in a holiday spirit:
Fortunately for many, this version of UltraDeCrypter is now decryptable, either with Kaspersky's Rannoh decryptor or with TrendMicro's decryption tool. Whatever the case may be, we advise you to proceed methodically by following the instructions below for maximum effectiveness and safety.
Remove UltraCrypted and Decrypt Your Files
The first step of the process is to remove this malware from your computer without harming Windows. You can manually delete the registry entries and malicious files if you have experience removing malware, but for maximum effectiveness researchers advise using an advanced anti-malware program or following the removal manual below.