Cryptes ransomware (Removal Instructions) - Bonus: Decryption Steps
Cryptes virus Removal Guide
What is Cryptes ransomware?
Cryptes ransomware – a file-locking parasite that locks your personal data and demands Bitcoins for ransom
Ransomware is a dangerous virus that renders all personal files inaccessible
Cryptes ransomware is a file locking virus that first showed up at the end of July 25th, 2018. As it is a variant of DCRTR ransomware, it uses a combination of AES, SHA,[1] RSA military-grade coding algorithms to encrypt all personal files on a targeted Windows computer.
All non-system data is renamed by appending the .cryptes extension. As soon as the encryption process is finished, HOW TO DECRYPT ALL MY FILES.txt ransom note is downloaded to the victims' computers and placed into each of the affected folders. Users can view the file and see that hackers demand an unknown amount of Bitcoin to be paid for data release. To find out the price and receive further instructions, users need to contact the ransomware authors via dekode@qq.com.
SUMMARY | |
Name | Cryptes |
Type | Ransomware |
Encryption algorithm | AES, SHA, RSA |
Extension | .cryptes |
Distribution | Spam emails, unprotected RDP, malicious websites, etc. |
Symptoms | Unusable personal files that seem to be renamed; ransom note is found on the desktop and in affected folders |
Elimination | Use automatic removal method by employing trustworthy anti-malware software recommended below |
System health | Repair virus caused damage by using the all-in-one FortectIntego PC repair tool |
Cryptes ransomware typically infiltrates user machines when they are not careful enough when surfing the internet or opening emails from unknown sources. Hackers often use phishing emails and high-risk websites (such as file-sharing, torrents) to make sure that the virus gets distributed. Thus, if you do not take high risks, you will never have to worry about ransomware removal.
As soon as the malicious payload is executed, the malware modifies the system's settings and starts a scan. It looks for the data to encrypt, and skips the system, executables, and few other files. Hackers do not want to destroy your computer, and they just want to extort money. That is why the virus skips system files – the machine needs to operate correctly.
However, every personal file (.jpg, .doc, .dat, .img. .pdf, etc.) is systematically locked and .cryptes extension is added. From that point, users cannot access their files anymore. Note that the data is not corrupted in any way, it simply requires a decryption key, which is stored on a Command and Control server that only malware authors have access to.
Users are informed of what happened in a ransom note HOW TO DECRYPT ALL MY FILES.txt which becomes available for victims to view. It is unknown what amount the ransomware authors want, but they most certainly want Bitcoins – a digital currency.
This way, they can stay anonymous during the transaction, as a personal bank account is easily traceable. Although Bitcoin wallets are more pseudonymous rather than anonymous, cyber crooks manage to bypass traceability by using various tools, such as VPNs and proxies.[2]
Here's the fragment from the ransom note:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: dekode@qq.com
In case of no answer in 24 hours write us to theese e-mails: supdecrypt@foxmail.com or supportdecryption@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
As “proof” cybercriminals promise to decrypt five files (up to 10MB) for free. Ironically, they even warn victims of being scammed by other parties.
Cryptes is a file locking virus that demands ransom to be paid for file release
However, it is unwise to contact crooks, as these people can not be trusted. Just think about it – if they managed to lock up your files to gain illegal profit, what obligates them to take your money and never reply? Besides, if you do contact them and receive the necessary decryptor, you are highly likely to be a target in future attacks.
Therefore, do not give in to hackers' menace and remove Cryptes ransomware from your computer. To ensure proper elimination, use SpyHunter 5Combo Cleaner or Malwarebytes. Only then you can proceed with the file recovery procedure (note that the official decryptor for this ransomware variant does not exist yet, but you can get your data back from backups or by using third-party software).
Once the ransomware is properly removed, you need to check for any system irregularities that it might have caused. If you're not an IT specialist, then we recommend you use the FortectIntego system diagnostics tool that repairs all system-related issues automatically.
Ransomware can hide in malicious email attachments
People usually do not pay attention to dangers until unfortunate events happen to them. That is precisely how it works with malware as well. Users are careless and tend to avoid anti-malware software due to costs or pure laziness. However, keep in mind that once files are encrypted by ransomware, the chance of getting them back is quite low, unless the official decryption tool is released (in some cases it might take researchers years to develop one).
To avoid such a scenario, make sure you follow these simple rules:
- Spam emails are the most prominent malware distribution method. Therefore, think twice before viewing every email that comes your way. If needed, scan the attachment with anti-malware software and always mouseover hyperlinks that might be present inside;
- Employ reputable security tools. These applications are necessary for every computer user that uses the internet. Anti-virus program's database is continually updated, so malware can be blocked before it enters the machine;
- Avoid malicious websites. Users can sure be redirected to suspicious websites, but they should never click on links or pop-ups that appear there. Additionally downloading executables (keygens, cracks) or cracked software on dubious file-sharing sites can lead to ransomware infection;
- Back up your files. If you have that step complete, you do not need to worry about anything. However, make sure that you do not connect your external device to the infected computer, as all backup data will be encrypted as well.
Detailed instructions to remove Cryptes ransomware
Ransomware removal should not be executed manually, as experts[3] note. This procedure is complicated and should only be practiced by trained IT professionals. If you proceed with it, you might damage your system files beyond repair. Therefore, leave the job to anti-malware software instead. Before performing the scan, make sure that the latest virus database is being used.
In some cases, the malware might block the correct operation of the security suite. In such a case, enter Safe mode with networking as explained below. As soon as you remove Cryptes virus, you can proceed with file recovery – you can find instructions below. Nevertheless, if you do not possess a backup, the chance of retrieving data is quite low.
Getting rid of Cryptes virus. Follow these steps
Manual removal using Safe Mode
If the infection is blocking your anti-virus program, enter Safe Mode with Networking:
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove Cryptes using System Restore
Disable malware using System Restore:
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of Cryptes. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove Cryptes from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.Although crooks might ask as little as $25 for file recovery, it is not worth taking the risk. By contacting them, you put yourself in danger of other malware infections (it is not unheard of crooks sending fake decryptors that are malicious) and might as well lose the money in general. Thus, rather try alternative data recovery methods.
If your files are encrypted by Cryptes, you can use several methods to restore them:
Try Data Recovery Pro
This application is a powerful tool that allows users to restore files that have been damaged or accidentally deleted. However, security researchers noted that it can help ransomware victims as well.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Cryptes ransomware;
- Restore them.
Make use of Windows Previous Version feature
This method will only work if you had the Windows Restore function enabled before ransomware struck.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer could recover your files
In some rare cases, ransomware fails to eliminate Shadow Volume Copies. ShadowExplorer would help you to restore all files in such a scenario.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
No official decryptor is available yet
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Cryptes and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Stream videos without limitations, no matter where you are
There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.
Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.
Data backups are important – recover your lost files
Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.
While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.
- ^ Secure Hash Algorithms. Wikipedia. The Free Encyclopedia.
- ^ Poxy server. WhatIs. Information technology website.
- ^ LosVirus. LosVirus. Cybersecurity news and articles.