Cr1ptT0r ransomware (Decryption Steps Included) - updated Feb 2019

Cr1ptT0r virus Removal Guide

What is Cr1ptT0r ransomware?

Cr1ptT0r is the cryptovirus that affects files on the network storage and requires ransom to get files back

Cr1ptT0rCr1ptT0r is the ransomware virus that locks users' files and asks to pay for the alleged decryption.

Cr1ptT0r is not the typical ransomware that encrypts data. It does that by using the “curve25519xsalsa20poly1305” for asymmetric encryption. Additionally, the virus appends no extensions. Generally, it targets network attached storage (NAS) devices that are connected to the internet. Research showed that only D-Link DNS-320 equipment is affected, which is an outdated device and is no longer sold by the developer, although support is still provided. Unfortunately, DNS-320 is known to have multiple bugs that can be exploited by hackers, and the latest firmware update came out back in 2016. Cr1ptT0r ransomware virus is focusing on English-speaking users because the ransom note gets delivered in a _FILES_ENCRYPTED_README.txt file and contains more information about the attack.[1] The developers are asking 0.3 BTC for locked files and are requiring to contact them via the OpenBazaar website or via instant messaging apps. There is an option to purchase decryption for a single file which costs $19.99. In addition to the ransom note, an extra file _cr1ptt0r_support.txt gets delivered to your device which contains the address of the Tor site. This allows crooks to remotely execute shell commands, which can be used in case the victim does not know what to do next.

Name Cr1ptT0r ransomware
Type Cryptovirus

NAS devices (DNS-320)

Encryption algorithm curve25519xsalsa20poly1305
Additional files
  • _cr1ptt0r_support.txt
  • _cr1ptt0r_logs.txt
  • random.exe
Contacting possibility Instant messaging applications
Prefer cryptocurrency Bitcoin
Possible file marker _Cr1ptT0r_
Distribution Breaking through an unprotected RDP, using spam email attachments or exploit kits
Elimination Remove Cr1ptT0r ransomware virus damage using FortectIntego

Cr1ptT0r ransomware virus delivers a text file with additional information and addresses of Bitcoin wallets, instant messaging apps. The latter is the preferred communication method of these cybercriminals. However, we do not recommend contacting them because it may lead to permanent money or even data loss, as many research shows.[2]

Since Cr1ptT0r is the ransomware, developers are not focusing on recovering your data. The primary focus is to lock data and gain profit from victims. The Cr1ptt0r team delivers two text files named _cr1ptt0r_support.txt and _FILES_ENCRYPTED_README.txt that include addresses on the Tor network and links to OpenBazaar website.

The ransom note reads the following:

If you are then probably not encrypted!
The decryption keys are available for sale. Individual file decryption is also available. First decryption is possible.
The private key is used to encrypt. Without this key it is imposible to decrypt any file. The public key (user id) is stored.
A text file named “_cr1ptt0r_logs.txt”.
Fell free to contact us via these methods:
bitmessage: BM-NBcQxmkfyoVxSRE8WJQqEbXw1s63CMEq
tox: AE737ECB916BE24B41543BAD5B24710C5B9DB701592013A6EBBCC0A544931E6145C7D950B82F
Kind regards from the Cr1ptT0r team.

These messages may differ from version to version of Cr1ptT0r. Another version:

If you are here, then probably all your files are encrypted!
Decryption keys are available for sale. Individual file decryption is also available. The first file is decoded for FREE to prove that decryption is possible.
The private key used to encrypt files is created on our secure server. Without this key it is impossible to decrypt any file.
The public key (user ID) is stored in each file so that you can match the device with the correct key pair.The only thing needed to restore all the files is any encrypted file sent to us via the instant messenger.
The list of encrypted files is stored on the device in a text file named “_cr1ptt0r_logs.txt”.
Contact us through OpenBazaar chat or one of the following ways:
the tox: AE737ECB916BE24B41543BAD5B24710C5B9DB701592013A6EBBCC0A544931E6145C7D950B82F
bitmessage: the BM-NBcQxmkfyoVxSRE8WJQqEbXw1s63CMEq
If there are any problems with the website OpenBazaar or desktop application, the payment is completed through a messenger.
Customer support is fast and we guarantee full data recovery after payment.
Best wishes from Cr1ptT0r team.

Initially, the virus is not marking encrypted files with any file appendix. However, some research by Michael Gillespie showed that an end-of-file marker _Cr1ptT0r_ is added to the encrypted data.[3] Furthermore, researchers analyzed provided samples and revealed that all ransom notes include the same Bitcoin link, victims' ID, URLs.

The _cr1ptt0r_support.txt file allows hackers to access the device remotely, although, according to the interview with hackers themselves, they said that they do not have any interest in personal information extortion are and are only care about the money. However, it does expose victims of Cr1ptT0r to potentially unlimited spying.

There is little to no possibility that your files would get decrypted by these criminals, so remove Cr1ptT0r ransomware and then use data recovery tools, software or features to restore those files. Initially, the recognition rate of malware was relatively low, but currently, it is detected by 28 AV engines under such names as:

  • HEUR:Trojan-Ransom.Linux.Cryptor.c
  • ELF:Filecoder-AC [Trj]
  • Linux.Exploit.DCPC
  • a variant of Linux/Filecoder.Q
  • LINUX/Encoder.yntew, etc.

Therefore, researchers[4] advise using reputable software that can detect and eliminate the threat. Additionally, users who use D-Link's DNS-320 should update to latest firmware, although no guarantees can be provided due to the buggy core of the device itself. Cr1ptT0r team said that developers would have to fundamentally rebuild it in order to make it flaw-free.

Because Cr1ptT0r seems to be infecting NAS devices on Linux, malware's primary target are small businesses that store data internally, which explains a quite hefty ransom demand. The virus authors told that the malware could be adapted to Windows operating systems as well, so the infection rate increase can be expected in the near future. In case that happens, we recommend users using FortectIntego for full Cr1ptT0r removal.

Cr1ptT0r ransomwareCr1ptT0r ransomware is the cryptovirus that modifies data on NAS using the AES and RSA encryption algorithms.

System vulnerabilities may lead to ransomware infections

There is no specific information about exploit kits or other flaws that get used to distribute the particular threat, but it is one of the more common methods employed to spread ransomware. Also, older software models or outdated firmware can be more vulnerable than those that have been recently updated.

Also, avoid clicking on spam emails with suspicious content or file attachments because malicious macros get added to documents, executables or ZIP archives and when the user downloads and opens the malicious attachment script gets triggered and launches a payload on the targeted device.

Eliminate Cr1ptT0r ransomware from the system using professional antivirus programs

You should focus on Cr1ptT0r ransomware removal and remember that this process requires help from reliable anti-malware tools. Do not try to perform elimination procedure yourself, as the malware is complicated and requires advanced computer knowledge.

Employ your trustworthy antivirus tools or programs to remove Cr1ptT0r from the system. Make sure to get those tools from the official sources to avoid additional infiltration or use software that we suggest in this article. Remember not to start the recovery procedure before all the malicious components are eliminated on the system.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Cr1ptT0r virus. Follow these steps

Manual removal using Safe Mode

Enter the Safe Mode with Networking before Cr1ptT0r ransomware removal:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Cr1ptT0r using System Restore

System Restore can help you with cryptovirus like Cr1ptT0r ransomware removal:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Cr1ptT0r. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Cr1ptT0r removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Cr1ptT0r from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Cr1ptT0r, you can use several methods to restore them:

Try Data Recovery Pro for encrypted files

When you remove Cr1ptT0r ransomware, employ data Recovery pro and restore encrypted files. You can use this program for accidentally deleted files too

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Cr1ptT0r ransomware;
  • Restore them.

Decryption tool is not available for Cr1ptT0r ransomware

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Cr1ptT0r and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Lucia Danes
Lucia Danes - Virus researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions