Severity scale:  

CryptoMix ransomware virus. How to remove? (Uninstall guide)

removal by Jake Doevan - - | Type: Ransomware

Cyber criminals continue developing new versions of CrytpoMix ransomware virus

CryptoMix ransomware, also known as CryptMix virus, is a file-encrypting virus[1] that has been spotted in spring 2016. Since then malware has been updated several times; however, some of its versions are decryptable, and victims do not need to bother about paying the ransom to crooks. Unfortunately, the recently discovered CryptoMix Wallet version is not decryptable yet, so it’s better to take precautions to avoid it. This crypto-malware stealthily infiltrates victims’ computers with the help of spam. Once it does that, it finds the predetermined files and encrypts them with a sophisticated RSA-2048 encryption algorithm. Originally, malware appends .email[]id[\[[a-z0-9]{16}\]].lesli or .lesli file extension to the targeted files; however, other variants might mark encrypted files with .CRYPTOSHIELD, .code, .revenge, .scl, .rscl, .rdmk, .rmd, .wallet, etc. extensions. When files are encrypted, ransomware drops a ransom note called “INSTRUCTION RESTORE FILES.TXT” where victims are asked to contact cyber criminals via a provided email address (xoomx[@] and xoomx[@] in order to obtain the special decryption key which is usually stored in some remote folder. To access it, the victim has to pay a considerable amount of money in the form of ransom. However, you need to take care of CryptoMix removal first because it can easily encrypt another batch of your files. Ransomware removal requires an installation of the powerful malware removal program, such as Reimage, and running a full system scan with it.

An image of CryptoMix virus

This crypto-malware is similar to CryptoWall 3.0, CryptoWall 4.0 and CryptXXX viruses. However, unlike these malicious programs, CryptoMix claims that the collected profit is used for a good cause – charity. The ransomware developers, calling themselves the Cham Team, have also been offering a “Free tech support” for those who decided to pay up. Putting all these strange promises aside, you should remember that you are dealing with real cyber criminals, so there is no need to follow their commands and support their dirty business. Even if you decide to pay the ransom in exchange for your files, you should take into account that may not receive the access to the decryption key that you need or the key itself may be corrupted.[2] Thus, we do not recommend following hackers’ orders provided in INSTRUCTION RESTORE FILE.TXT file. This ransom-demanding message shows up in each folder that contains encrypted data. CryptoMix virus is said to encrypt the astonishing amount of file types – 862. Thus, it’s impossible to overlook it.

Speaking more about the content of the ransom note, cyber criminals informs a victim about two different emails, xoomx[@] and xoomx[@], that should be used to contact the developers of Cryptomix ransomware and retrieve the affected files.[3] After emailing the hackers, the victim is then sent a link and a password to a One Time Secret service website which can be used for exchanging anonymous messages with hackers. At first, the hackers may try to convince the victim to pay for the sake of charity. Of course, we won’t find a person who is willing to pay the ransom of 1900 in USD in exchange for his or hers files. Besides, cyber criminals can start threatening you to double the ransom if it is not paid within 24 hours. The most interesting thing is that you can receive a discount after contacting these hackers[4]. In any case, we do not recommend going that far. You should remove CryptoMix virus as soon as you notice you cannot access your files. However, you should remember that the removal of this virus will not recover your files. For that, you need to use data decryption steps given at the end of this post. If you are not infected yet, make sure your data is in a safe place before the ransomware hits your computer.

Variants of CryptoMix ransomware

CryptoShield 1.0 ransomware virus. This newly detected virus rages in poorly protected and infected websites. Regular visitors of torrent and file-sharing domains risk falling under the target of this virus. By employing EITest attack chain, RIG exploit kit downloads all the necessary content for a complete CryptoShield hijack. After the infection preparations are completed, the threat initiates fake messages to fool users that these notifications are the result of regular Windows processes. However, it is not difficult to look through the scam since the notifications contain evident spelling mistakes. Interestingly, that the gearheads decided to combine AES-256 and ROT-13 encrypting techniques in locking users’ data. While the latter is awfully simple, the former still causes a headache for IT specialists. Unfortunately, the threat can delete shadow volume copies which burden data recovery for victims. In any case, it is not recommended to pay the ransom.

.code virus. Malware is distributed via spam emails which have a malicious email attachment. Once users open the attached file, malware payload enters the system and starts data encryption procedure. The virus uses RSA-2048 encryption algorithm and appends .code file extension. When all targeted files are crypted, the ransomware drops a ransom note named “help recover files.txt” where victims are asked to contact developers via or email addresses. However, doing that is not recommended because cyber criminals will ask to transfer up to 5 Bitcoins for the decryption key. Thus, it’s a huge sum of money, and you should not risk losing them. It’s better to remove .code virus first.

CryptoShield 2.0 ransomware virus. This version barely differs from earlier CryptoShield variant. After infiltration, it starts data encryption procedure using an RSA-2048 algorithm and appends .CRYPTOSHIELD extension to each of the targeted files. Then malware creates two new files on the desktop called # RESTORING FILES #.txt and # RESTORING FILES #.html. These files include instructions how to recover encoded data. In the ransom note, cyber criminals provide few email addresses (, or for those victims who are willing to pay the ransom. However, doing that is not recommended. If you got infected with this version of CryptoMix, remove the virus from the computer and use data backups or alternative recovery methods to restore your files.

Revenge ransomware virus. This file-encrypting virus is distributed as a trojan via RIG exploit kits. After the infiltration, it scans the system looking for the targeted files and encrypts them using an AES-256 algorithm. Just like its name suggests, malware appends .revenge file extension to each of the corrupted file and makes them impossible to open or use. However, cyber criminals provide instructions how to get back access to the encrypted files in the ransom not called # !!!HELP_FILE!!! #.txt. Here victims are asked to contact cyber criminals via provided email addresses:,,,,, and If people decide to do that (not recommended), they are asked to transfer particular amount of Bitcoins in order to obtain Revenge Decryptor. We want to point out that this shady deal might end up with money loss or other malware attacks. Besides, encrypted files might still be inaccessible.

Mole ransomware virus. This version of CryptoMix travels via misleading emails that inform about USPS delivery issues. Once people click on a link or attachment provided in the email, they install Mole executable on the system. On the affected computer, malware immediately starts encryption procedure and locks files using an RSA-1024 encryption key. In order to make the attack even more damaging, the malware also deletes Shadow Volume Copies. Thus data recovery without specific decryption software is nearly impossible if victims do not have backups. Following data encryption, Mole ransomware drops a ransom note “INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT” where victims are told to contact cyber criminals within 78 hours. Victims are supposed to send their unique ID number either to or email address. However, Doing that is not recommended because people will be asked to transfer a huge sum of money and obtain a questionable decryption software. After ransomware attack, victims should focus on malware removal first.

CryptoMix Wallet ransomware virus. The latest variant of the ransomware uses AES encryption and appends .wallet file extension to the targeted files which resemble Wallet ransomware virus. However, the malware also renames files. The name of the encrypted file includes the email address of the cyber criminals, victim’s ID number, and a file extension: .[].ID[16 unique characters].WALLET. Once all files are encrypted, victims receive a fake explorer.exe Application Error message which is supposed to trick victims into pressing OK button. Clicking OK triggers User Account Control prompt window. This alters won’t go away as long as users click “Yes” option. Since then malware starts deletion of Shadow Volume Copies. Lastly, malware leaves a ransom note “#_RESTORING_FILES_#.txt” where victims are asked to send their unique ID number to one of these email addresses:,, and Then, cyber criminals will provide the cost of decryption software. However, trusting them is not recommended. Nevertheless, ransomware is still undecryptable; we do not recommend risking to lose the money or getting infected with other malware. After the attack, employ professional security software and remove it from the device.

Ransomware distribution and infiltration strategies

There is no one set technique used by the CryptMix virus to enter your computer. You may get infected with this ransomware by clicking on suspicious notification or download buttons, or you can obtain it via P2P (peer-to-peer) networks. However, most commonly it is downloaded to the system as an important email attachment, such as an invoice, business report or similar document. Some versions of malware are known for being distributed as fake package delivery notifications. Thus, you need to be careful with emails and always double-check the information before opening any attached files, links or buttons. Therefore, it is important not only to obtain a powerful antivirus system and hope for the best but to put your effort to prevent CryptoMix on your computer.[5] Various versions of malware use exploit kits and Trojans to infiltrate the system. To protect yourself or your business, make sure you analyze all emails that you receive from unknown senders, dedicate some time for extra research when dealing with the newly downloaded software and check the reliability of the sites you decide to visit to prevent infiltration of CryptMix ransomware. Taking time to install newly discovered software is also an important factor which may help you avoid infiltration of Trojan horses used to carry this virus.

Instructions for CryptoMix removal

It is not only possible but simply a must to remove CryptoMix from the infected device. Otherwise, your future files as well may be in danger. We have to warn you that uninstalling ransomware viruses may sometimes be rather problematic. These malicious programs may try to block your antivirus from scanning the system. In such case, you may have to manage the virus manually for your virus-fighting utility to be able to start. You will find the manual CryptoMix removal instructions, prepared by our team of experts at the end of this article. Also, do not hesitate to send us a message if you are encountering troubles related to the elimination of this virus.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove CryptoMix ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall CryptoMix ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.

More information about this program can be found in Reimage review.
Alternate Software
Plumbytes Anti-Malware
We have tested Plumbytes Anti-Malware's efficiency in removing CryptoMix ransomware virus (2017-05-02)
Malwarebytes Anti Malware
We have tested Malwarebytes Anti Malware's efficiency in removing CryptoMix ransomware virus (2017-05-02)
Hitman Pro
We have tested Hitman Pro's efficiency in removing CryptoMix ransomware virus (2017-05-02)
Webroot SecureAnywhere AntiVirus
We have tested Webroot SecureAnywhere AntiVirus's efficiency in removing CryptoMix ransomware virus (2017-05-02)

Manual CryptoMix virus Removal Guide:

Remove CryptoMix using Safe Mode with Networking

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

Sometimes ransomware viruses block legitimate security software to protect themselves from being removed. In this case, you can try rebooting your computer to Safe Mode with Networking.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove CryptoMix

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete CryptoMix removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove CryptoMix using System Restore

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

If Safe Mode with Networking didn’t help you disable ransomware, try System Restore. However, you need to scan your computer for two times to make sure that you removed ransomware from the system.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of CryptoMix. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that CryptoMix removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove CryptoMix from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by CryptoMix, you can use several methods to restore them:

Recovering files encrypted by CryptoMix with the help of Data Recovery Pro

Data Recovery Pro is a widely-known tool that can be used for recovering accidentally deleted files and similar data. To use it to recover files after infiltration of ransomware, follow these steps:

Use Windows Previous Versions feature to get your files after infiltration of CryptoMix ransomware

Windows Previous Versions method is effective only if System Restore function was enabled on your computer before infiltration of this ransomware. Note that it can help you recover only individual files on your computer.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use CryptoMix decryptor by AVAST Software to recover your files

You can use this tool to recover your encrypted files. However, keep in mind that it can be used to recover only those files that were files encrypted using an “offline key”. If your version of CryptoMix used a unique key from a remote server, this decrypter will not help you.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from CryptoMix and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.


Removal guides in other languages

  • FreanDer

    I cant IMAGINE losing my files. Thats why I keep my system protected with SpyHunter 😉

  • Panter Tyrell

    Phew! Managed to remove this virus just in time! It didnt lock much of the files yet

  • shulemsc

    we were infected and they asked for 10 bitcoins, after some negotiations the price was lowered to 6 bitcoins. they provided 1 decrypted file to prove concept. we paid 6 bitcoins and they asked for another .6 as the c&c server will not provide the key due to late payment. after promptly paying another .6 bitcoins (about $4800 in total) there has been no communication from them! its been 2 weeks and nothing.