Severity scale: 93/100

Cr1ptT0r ransomware. How to remove? (Uninstall guide)

Removal guide by Lucia Danes | Type: Ransomware

Cr1ptT0r is a cryptovirus that encrypts files on network storage and demands a ransom to get the files back

Cr1ptT0r is the ransomware virus that locks users' files and asks them to pay for the alleged decryption.

Cr1ptT0r is not a typical ransomware that encrypts data. It encrypts files using “curve25519xsalsa20poly1305” for asymmetric encryption and, unusually, appends no extension to the locked files. It mainly targets network attached storage (NAS) devices that are exposed to the internet. Research showed that only D-Link DNS-320 equipment is affected; the device is outdated and no longer sold by the manufacturer, although support is still provided. Unfortunately, the DNS-320 is known to have multiple bugs that can be exploited by hackers, and its latest firmware update came out back in 2016. Cr1ptT0r focuses on English-speaking users: the ransom note is delivered in a _FILES_ENCRYPTED_README.txt file and contains more information about the attack.[1] The developers ask 0.3 BTC for the locked files and require victims to contact them via the OpenBazaar website or via instant messaging apps. There is also an option to purchase decryption of a single file for $19.99. In addition to the ransom note, an extra file, _cr1ptt0r_support.txt, is placed on the device and contains the address of a Tor site. This allows the crooks to remotely execute shell commands, which can be used in case the victim does not know what to do next.

Name: Cr1ptT0r ransomware
Type: Cryptovirus
Targets: NAS devices (DNS-320)
Ransom note: _FILES_ENCRYPTED_README.txt
Encryption algorithm: curve25519xsalsa20poly1305
Additional files:
  • _cr1ptt0r_support.txt
  • _cr1ptt0r_logs.txt
  • random.exe
Contact method: Instant messaging applications
Preferred cryptocurrency: Bitcoin
Possible file marker: _Cr1ptT0r_
Distribution: Breaking in through unprotected RDP, spam email attachments or exploit kits
Elimination: Remove Cr1ptT0r ransomware virus damage using Reimage

Cr1ptT0r ransomware delivers a text file with additional information, Bitcoin wallet addresses and instant messaging contacts. The latter is the preferred communication method of these cybercriminals. However, we do not recommend contacting them, because it may lead to permanent loss of money or even data, as much research shows.[2]

Since Cr1ptT0r is ransomware, its developers are not focused on recovering your data. Their primary goal is to lock data and profit from victims. The Cr1ptT0r team delivers two text files, _cr1ptt0r_support.txt and _FILES_ENCRYPTED_README.txt, that include addresses on the Tor network and links to the OpenBazaar website.

The ransom note reads the following:

If you are then probably not encrypted! 
The decryption keys are available for sale. Individual file decryption is also available. First decryption is possible. 
The private key is used to encrypt. Without this key it is impossible to decrypt any file. The public key (user id) is stored. 
A text file named “_cr1ptt0r_logs.txt”. 
Feel free to contact us via these methods: 
bitmessage: BM-NBcQxmkfyoVxSRE8WJQqEbXw1s63CMEq
tox: AE737ECB916BE24B41543BAD5B24710C5B9DB701592013A6EBBCC0A544931E6145C7D950B82F 
Kind regards from the Cr1ptT0r team. 

These messages may differ from version to version of Cr1ptT0r. Another version:

If you are here, then probably all your files are encrypted! 
Decryption keys are available for sale. Individual file decryption is also available. The first file is decoded for FREE to prove that decryption is possible. 
The private key used to encrypt files is created on our secure server. Without this key it is impossible to decrypt any file. 
The public key (user ID) is stored in each file so that you can match the device with the correct key pair. The only thing needed to restore all the files is any encrypted file sent to us via the instant messenger.
The list of encrypted files is stored on the device in a text file named “_cr1ptt0r_logs.txt”. 
Contact us through OpenBazaar chat or one of the following ways: 
the tox: AE737ECB916BE24B41543BAD5B24710C5B9DB701592013A6EBBCC0A544931E6145C7D950B82F 
bitmessage: the BM-NBcQxmkfyoVxSRE8WJQqEbXw1s63CMEq 
If there are any problems with the website OpenBazaar or desktop application, the payment is completed through a messenger. 
Customer support is fast and we guarantee full data recovery after payment. 
Best wishes from Cr1ptT0r team.

Initially, the virus does not appear to mark encrypted files with any extension. However, research by Michael Gillespie showed that an end-of-file marker, _Cr1ptT0r_, is added to the encrypted data.[3] Furthermore, researchers analyzed the provided samples and found that all ransom notes include the same Bitcoin address, victim ID and URLs.
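A defender-side triage script, added here as an illustration and not code from the researchers or from this article: it walks a copy of the share, flags files that end with the _Cr1ptT0r_ marker described above, and collects the dropped text files named on this page, so an incident responder can inventory the damage before attempting any recovery. The sample share it builds is constructed data, and the marker is assumed to be the literal ASCII bytes at the very end of each encrypted file.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the write-up: the marker appended to the end of each encrypted file
# and the text files the ransomware drops on the share.
EOF_MARKER = b"_Cr1ptT0r_"
DROPPED_FILES = {"_FILES_ENCRYPTED_README.txt", "_cr1ptt0r_support.txt", "_cr1ptt0r_logs.txt"}


def has_eof_marker(path, marker=EOF_MARKER):
    """Read only the last len(marker) bytes, so large NAS files are not loaded whole."""
    try:
        size = path.stat().st_size
        if size < len(marker):
            return False
        with path.open("rb") as fh:
            fh.seek(size - len(marker))
            return fh.read(len(marker)) == marker
    except OSError:  # unreadable or vanished file: report it as not marked
        return False


def triage_share(root):
    """Sort every file under root into 'encrypted', 'artefacts' (dropped notes) or 'clean'."""
    base = Path(root)
    buckets = {"encrypted": [], "artefacts": [], "clean": []}
    for dirpath, _dirs, filenames in os.walk(base):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(base).as_posix()
            if name in DROPPED_FILES:
                buckets["artefacts"].append(rel)
            elif has_eof_marker(p):
                buckets["encrypted"].append(rel)
            else:
                buckets["clean"].append(rel)
    return {k: sorted(v) for k, v in buckets.items()}


def demo_triage():
    """Build a constructed sample share in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        (docs / "report.pdf").write_bytes(b"\x00\x8f\x12ciphertext..." + EOF_MARKER)  # constructed
        (docs / "notes.txt").write_bytes(b"plain text, untouched")  # constructed
        (Path(tmp) / "_FILES_ENCRYPTED_README.txt").write_text("ransom note\n")  # constructed
        return triage_share(tmp)


if __name__ == "__main__":
    for bucket, paths in demo_triage().items():
        print(f"{bucket}: {paths}")
```

Run it against a read-only copy of the affected share; a legitimate file that happens to end with the same ten bytes would be a false positive, so confirm hits against the device's _cr1ptt0r_logs.txt list before deciding what to restore.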

The _cr1ptt0r_support.txt file allows the hackers to access the device remotely. According to an interview with the hackers themselves, they claim to have no interest in extorting personal information and only care about the money. Nevertheless, it exposes victims of Cr1ptT0r to potentially unlimited spying.

There is little to no chance that these criminals will decrypt your files, so remove Cr1ptT0r ransomware and then use data recovery tools, software or features to restore them. Initially, the detection rate of the malware was relatively low, but currently it is detected by 28 AV engines under names such as:

  • HEUR:Trojan-Ransom.Linux.Cryptor.c
  • ELF:Filecoder-AC [Trj]
  • Linux.Exploit.DCPC
  • a variant of Linux/Filecoder.Q
  • LINUX/Encoder.yntew, etc.

Therefore, researchers[4] advise using reputable software that can detect and eliminate the threat. Additionally, owners of D-Link's DNS-320 should update to the latest firmware, although no guarantees can be given because of the buggy core of the device itself. The Cr1ptT0r team said that the developers would have to fundamentally rebuild it in order to make it flaw-free.

Because Cr1ptT0r seems to infect Linux-based NAS devices, the malware's primary targets are small businesses that store data internally, which explains the fairly hefty ransom demand. The virus authors said that the malware could be adapted to Windows operating systems as well, so an increase in the infection rate can be expected in the near future. In case that happens, we recommend using Reimage for full Cr1ptT0r removal.

System vulnerabilities may lead to ransomware infections

There is no specific information about the exploit kits or other flaws used to distribute this particular threat, but exploitation is one of the more common methods employed to spread ransomware. Older devices and outdated firmware are also more vulnerable than equipment that has been recently updated.

Also, avoid opening spam emails with suspicious content or file attachments. Malicious macros are embedded in documents, executables or ZIP archives, and when the user downloads and opens such an attachment, the script is triggered and launches the payload on the targeted device.

Eliminate Cr1ptT0r ransomware from the system using professional antivirus programs

You should focus on Cr1ptT0r ransomware removal and remember that this process requires help from reliable anti-malware tools. Do not try to perform the elimination procedure manually, as the malware is complex and removing it requires advanced computer knowledge.

Use trustworthy antivirus tools or programs to remove Cr1ptT0r from the system. Make sure to get those tools from official sources to avoid additional infections, or use the software we suggest in this article. Do not start the recovery procedure before all malicious components have been eliminated from the system.


To remove Cr1ptT0r virus, follow these steps:

Remove Cr1ptT0r using Safe Mode with Networking

Enter the Safe Mode with Networking before Cr1ptT0r ransomware removal:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start, then Shutdown, Restart and OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot, then Advanced options, then Startup Settings, and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Cr1ptT0r

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Cr1ptT0r removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Cr1ptT0r using System Restore

System Restore can help with the removal of a cryptovirus like Cr1ptT0r ransomware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start, then Shutdown, Restart and OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot, then Advanced options, then Startup Settings, and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that predates the infiltration of Cr1ptT0r. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download and scan your computer with Reimage to make sure that Cr1ptT0r removal has been performed successfully.

Bonus: Recover your data

The guide presented above is meant to help you remove Cr1ptT0r from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Cr1ptT0r, you can use several methods to restore them:

Try Data Recovery Pro for encrypted files

Once you have removed Cr1ptT0r ransomware, use Data Recovery Pro to restore encrypted files. You can use this program for accidentally deleted files too:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Cr1ptT0r ransomware;
  • Restore them.

Decryption tool is not available for Cr1ptT0r ransomware

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Cr1ptT0r and other ransomware, use a reputable anti-spyware program such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Lucia Danes - Virus researcher


References