Severity scale: 98/100

CrY-TrOwX ransomware. How to remove? (Uninstall guide)

by Jake Doevan | Type: Ransomware

CrY-TrOwX – another HiddenTear-based virus

CrY-TrOwX ransom note

CrY-TrOwX (also known as CrY ransomware) is a ransomware virus that uses AES cryptography to lock files and appends the .locked extension to them. Once the encryption is over, it drops a ransom note in a READ_AND_CRY_.txt file, in which victims are asked to contact the criminals via the kaya.kyasor99@yandex.com email address in order to get back access to the encrypted files.

Developers of ransomware are rarely known. However, the author of the CrY-TrOwX virus is identified as “ismail.” Judging from the ransom note, the hacker is not a native English speaker. However, that did not prevent them from using HiddenTear’s[1] code to create a file-encrypting virus.

Once CrY-TrOwX ransomware gets into the system, it modifies the Windows registry and starts the data encryption procedure. When all files have been locked with the .locked extension, the malware generates a ransom note that gives only a short message:

Hello All Your Important Files Are Encrypted by CrY!
Communicate With Us To Save Your Files!
E-Mail Address : kaya.kyasor99@yandex.com

However, wasting your time chatting with a hacker is not recommended. Malware researchers say that the ransomware is poorly written. Thus, you might be able to restore your files using third-party tools, or the official decryptor will be released soon. Hence, you should focus on CrY-TrOwX removal.

Despite the fact that it’s a weak example of ransomware, it still makes the system vulnerable. Thus, you have to clean your PC as soon as you find that you cannot open particular documents. The safest way to do it is to scan the system with a reputable security tool.

We do not recommend trying to remove CrY-TrOwX manually. Ransomware viruses always consist of numerous components that might be injected into legitimate processes or hidden deep in the system. Thus, even though this ransomware cannot be called the most dangerous one, you should still remove it properly with Reimage, Malwarebytes Anti Malware or your preferred malware removal tool.

Malware executable might be sent to your inbox

Malicious emails are the main way ransomware viruses are spread.[2] Thus, the CrY crypto-virus is most likely to trick you into opening an infected document attached to an email. The payload might be included in a Word, PDF, Zip or another legitimate-looking file. Additionally, the content of the email might describe serious issues and urge you to open the document.

Additionally, malware might enter the system using other methods:

  • malvertising;
  • bogus downloads;
  • fake updates;
  • exploit kits.

Thus, the security team from dieviren.de[3] reminds users to update all programs installed on the PC as well as the Windows OS, obtain professional antivirus protection, and avoid visiting questionable sites. Of course, you also have to avoid unknown download sources and be critical of pop-up ads.

Termination guide for the CrY-TrOwX ransomware virus

To remove CrY-TrOwX from the computer, you have to run a full system scan with a reputable malware removal program. Numerous tools offer to clean your PC of the most hazardous cyber threats. However, we recommend completing this task with Reimage or Malwarebytes Anti Malware. These programs are capable of finding and deleting all malicious components.

To make CrY-TrOwX removal go smoothly, you should first reboot the device to Safe Mode with Networking. This step helps to disable the virus and prevent it from blocking security software. You can find detailed instructions below.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove CrY-TrOwX ransomware you agree to our privacy policy and agreement of use.

Manual CrY-TrOwX virus Removal Guide:

Remove CrY-TrOwX using Safe Mode with Networking

To remove CrY-TrOwX ransomware using anti-malware software, follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove CrY-TrOwX

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete CrY-TrOwX removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove CrY-TrOwX using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated before the infiltration of CrY-TrOwX. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that CrY-TrOwX removal was performed successfully.
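
Choosing a restore point from before the infiltration is easier when you know when the first file was locked. The following is an added example, not part of the original guide: a read-only Python scan that lists files with the .locked extension and READ_AND_CRY_.txt notes described above and reports the earliest and latest modification times. The names scan_for_cry and demo and the sample tree are constructed for illustration, and the script assumes that a .locked file's last-modified time reflects when it was encrypted.

```python
import os
import tempfile
from datetime import datetime, timezone

LOCKED_EXT = ".locked"           # extension this guide says CrY-TrOwX appends
NOTE_NAME = "read_and_cry_.txt"  # ransom note name from this guide, lower-cased


def scan_for_cry(root):
    """Read-only walk of root: collect .locked files and ransom notes."""
    locked, notes, errors = [], [], []
    for dirpath, _dirs, files in os.walk(root, onerror=errors.append):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()  # Windows file names are case-insensitive
            if lower == NOTE_NAME:
                notes.append(path)
            elif lower.endswith(LOCKED_EXT):
                try:
                    locked.append((os.stat(path).st_mtime, path))
                except OSError as exc:  # file vanished or access denied
                    errors.append(exc)
    locked.sort()  # oldest modification time first
    times = [datetime.fromtimestamp(t, tz=timezone.utc) for t, _ in locked]
    return {
        "locked": [p for _, p in locked],
        "notes": sorted(notes),
        "first_encrypted": times[0] if times else None,
        "last_encrypted": times[-1] if times else None,
        "errors": errors,
    }


def demo():  # constructed sample tree of empty files, no real malware
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents"))
        samples = {"Documents/report.docx.locked": 1_500_000_000,
                   "Documents/photo.jpg.LOCKED": 1_500_000_060,
                   "Documents/notes.txt": 1_400_000_000,  # untouched file
                   "READ_AND_CRY_.txt": 1_500_000_120}
        for rel, mtime in samples.items():
            path = os.path.join(root, *rel.split("/"))
            open(path, "w").close()
            os.utime(path, (mtime, mtime))
        return scan_for_cry(root)


if __name__ == "__main__":
    print(demo())
```

To use it on a real machine, call scan_for_cry on a user profile or data drive; folders it could not read are listed under "errors" rather than silently skipped.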

Bonus: Recover your data

The guide presented above is supposed to help you remove CrY-TrOwX from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If you have backups, you can restore files from them as soon as you remove the virus. You can also try third-party tools.

If your files are encrypted by CrY-TrOwX, you can use several methods to restore them:

Data Recovery Pro might bring back some of your files

Although Data Recovery Pro is designed to restore corrupted files, it might be helpful after the CrY-TrOwX attack as well.

Try Windows Previous Versions feature

If System Restore was enabled before the ransomware attack, this Windows feature might help you to access previously saved versions of individual files. Follow these steps:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

ShadowExplorer might restore files from shadow copies

CrY-TrOwX does not seem to delete Shadow Volume Copies of the targeted files. Thus, ShadowExplorer might recover files with .locked extension.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install the application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk that holds your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

CrY-TrOwX decryptor is not available.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from CrY-TrOwX and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.
