Severity scale: 99/100

CryptoMix ransomware virus. How to remove? (Uninstall guide)

Removal guide by Jake Doevan | Type: Ransomware

CryptoMix devs keep releasing new versions

An image of CryptoMix virus

CryptoMix virus denotes the original file-encrypting threat[1]; the name may also refer to the entire ransomware family. It appeared in the spring of 2016, and its authors have been programming new versions ever since. It is regarded as one of the most frequently updated threats: new versions appear almost weekly. The most recent variants are Shark and X1881 ransomware, which append the .shark and .x1881 extensions respectively. This file-encrypting and ransom-demanding virus is known to use the following extensions:

  • .empty;
  • .error;
  • .ogonia;
  • .dg;
  • .zero;
  • .ck;
  • .exte;
  • .azer;
  • .zayka;
  • .noob;
  • .cryptoshield;
  • .mole02;
  • .shark;
  • .x1881;

After completing the data encryption procedure, it drops a ransom note, INSTRUCTION RESTORE FILES.TXT, to push its victim into buying the CryptoMix decryptor.

Updated versions use different ransom note names, such as _HELP_INSTRUCTION.TXT, !!!HELP_FILE!!! #, # RESTORING FILES #.HTML or # RESTORING FILES #.TXT. However, they all promote the same decryption service in exchange for a generous ransom payment.

Security experts managed to break the code of a few variants and created a free alternative to the CryptoMix Revenge decryptor. However, the ransomware authors shortly released updated variants that cannot be decrypted using any third-party tools. For example, in July 2017, analysts discovered several brand new variants spreading on the Internet.

Just like the earlier CryptoMix Wallet and Azer variants, the recently emerged Exte ransomware is not decryptable yet either. Thus, it is better to take precautions to avoid these viruses. About a week or two later, the Zayka, Noob, CK, DG, CNC and Mole03 ransomware variants emerged. At the moment, the ERROR and EMPTY variants are noticeably active.

This crypto-malware stealthily infiltrates victims' computers with the help of spam. Once inside, it locates the predetermined file types and encrypts them using the RSA-2048 encryption algorithm. Originally, the malware appends the .email[supl0@post.com]id[\[[a-z0-9]{16}\]].lesli or .lesli file extension to the targeted files.

Other variants might mark encrypted files with the .CRYPTOSHIELD, .code, .revenge, .scl, .rscl, .rdmk, .rmd, .wallet, .azer, .Mole03, .EXTE, .CNC and other extensions.

When the files are encrypted, the ransomware drops a ransom note called INSTRUCTION RESTORE FILES.TXT, where victims are asked to contact the cyber criminals via the provided email addresses (xoomx[@]dr.com and xoomx[@]usa.com) in order to obtain the decryption key, which is stored on a remote server controlled by the criminals.

To access the decryption key, the victim has to pay a considerable amount of money as a ransom. However, you need to take care of CryptoMix removal first, because the malware can easily encrypt another batch of your files. Ransomware removal requires installing a powerful malware removal program, such as Reimage, and running a full system scan with it.

This crypto-malware is similar to CryptoWall 3.0, CryptoWall 4.0 and CryptXXX viruses. However, unlike these malicious programs, CryptoMix claims that the collected profit is used for a good cause – charity.

The ransomware developers, calling themselves the Cham Team, have also been offering a “Free tech support” for those who decided to pay up. Putting all these strange promises aside, you should remember that you are dealing with real cyber criminals, so there is no need to follow their commands and support their dirty business.

Even if you decide to pay the ransom in exchange for your files, you should take into account that you may not receive access to the decryption key you need, or the key itself may be corrupted.[2]

Thus, we do not recommend following the hackers' orders provided in the INSTRUCTION RESTORE FILES.TXT file. This ransom-demanding message shows up in each folder that contains encrypted data. CryptoMix virus is said to encrypt an astonishing number of file types: 862. Thus, it is impossible to overlook it.

Speaking more about the content of the ransom note, cyber criminals inform a victim about two different emails, xoomx[@]dr.com and xoomx[@]usa.com, that should be used to contact the developers of Cryptomix ransomware and retrieve the affected files.[3]

After emailing the hackers, the victim is sent a link and a password to a One Time Secret service website, which is used for exchanging anonymous messages with the hackers. At first, the hackers may try to convince the victim to pay for the sake of charity. Of course, hardly anyone is willing to pay a ransom of 1900 USD in exchange for his or her files.

Besides, cyber criminals can start threatening you to double the ransom if it is not paid within 24 hours. The most interesting thing is that you can receive a discount after contacting these hackers[4]. In any case, we do not recommend going that far.

You should remove CryptoMix virus as soon as you notice you cannot access your files. However, you should remember that the removal of this virus will not recover your files. For that, you need to use data decryption steps given at the end of this post. If you are not infected yet, make sure your data is in a safe place before the ransomware hits your computer.

New variations join CryptoMix virus group 

CryptoShield 1.0 ransomware virus. This newly detected virus rages in poorly protected and infected websites. Regular visitors of torrent and file-sharing domains risk falling under the target of this virus. By employing EITest attack chain, RIG exploit kit downloads all the necessary content for a complete CryptoShield hijack.

After the infection preparations are completed, the threat initiates fake messages to fool users that these notifications are the result of regular Windows processes. However, it is not difficult to look through the scam since the notifications contain evident spelling mistakes.

Interestingly, the authors decided to combine the AES-256 and ROT-13 encryption techniques to lock users' data. While the latter is trivially simple, the former still causes a headache for IT specialists. Unfortunately, the threat can also delete shadow volume copies, which hampers data recovery for victims. In any case, it is not recommended to pay the ransom.

.code virus. Malware is distributed via spam emails which have a malicious email attachment. Once users open the attached file, malware payload enters the system and starts data encryption procedure. The virus uses RSA-2048 encryption algorithm and appends .code file extension.

When all targeted files are encrypted, the ransomware drops a ransom note named “help recover files.txt”, where victims are asked to contact the developers via the xoomx_@_dr.com or xoomx_@_usa.com email addresses. However, doing so is not recommended, because the cyber criminals will ask for up to 5 Bitcoins for the decryption key.

That is a huge sum of money, and you should not risk losing it. It is better to remove the .code virus first.

CryptoShield 2.0 ransomware virus. This version barely differs from earlier CryptoShield variant. After infiltration, it starts data encryption procedure using an RSA-2048 algorithm and appends .CRYPTOSHIELD extension to each of the targeted files.

Then the malware creates two new files on the desktop called # RESTORING FILES #.txt and # RESTORING FILES #.html. These files include instructions on how to recover the encoded data. In the ransom note, the cyber criminals provide a few email addresses (res_sup@india.com, res_sup@computer4u.com or res_reserve@india.com) for those victims who are willing to pay the ransom.

However, doing that is not recommended. If you got infected with this version of CryptoMix, remove the virus from the computer and use data backups or alternative recovery methods to restore your files.

Revenge ransomware virus. This file-encrypting virus is distributed as a trojan via the RIG exploit kit. After infiltration, it scans the system for the targeted files and encrypts them using an AES-256 algorithm. As its name suggests, the malware appends the .revenge file extension to each corrupted file and makes them impossible to open or use.

However, the cyber criminals provide instructions on how to regain access to the encrypted files in a ransom note called # !!!HELP_FILE!!! #.txt. Here victims are asked to contact the cyber criminals via the provided email addresses: restoring_sup@india.com, restoring_sup@computer4u.com, restoring_reserve@india.com, rev00@india.com, revenge00@witeme.com, and rev_reserv@india.com.

If people decide to do that (not recommended), they are asked to transfer a particular amount of Bitcoins in order to obtain the Revenge Decryptor. We want to point out that this shady deal might end in money loss or further malware attacks. Besides, the encrypted files might still remain inaccessible.

Mole ransomware virus. This version of CryptoMix travels via misleading emails that inform about USPS delivery issues. Once people click on a link or attachment provided in the email, they install the Mole executable on the system. On the affected computer, the malware immediately starts the encryption procedure and locks files using an RSA-1024 encryption key.

In order to make the attack even more damaging, the malware also deletes the Shadow Volume Copies. Thus, data recovery without specific decryption software is nearly impossible if victims do not have backups. Following data encryption, CryptoMix Mole ransomware drops a ransom note, “INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT”, where victims are told to contact the cyber criminals within 78 hours.

Victims are supposed to send their unique ID number either to the oceanm@engineer.com or the oceanm@india.com email address. However, doing so is not recommended, because they will be asked to transfer a huge sum of money for questionable decryption software. After a ransomware attack, victims should focus on malware removal first.

CryptoMix Wallet ransomware virus. This variant of the ransomware uses AES encryption and appends the .wallet file extension to the targeted files, which makes it resemble the Wallet ransomware virus. However, the malware also renames files. The name of an encrypted file includes the email address of the cyber criminals, the victim's ID number, and a file extension: .[email@address.com].ID[16 unique characters].WALLET.

Once all files are encrypted, victims receive a fake explorer.exe Application Error message which is supposed to trick them into pressing the OK button. Clicking OK triggers a User Account Control prompt. This alert will not go away until the user clicks “Yes”. Once that happens, the malware starts deleting the Shadow Volume Copies.

Lastly, the malware leaves a ransom note, “#_RESTORING_FILES_#.txt”, where victims are asked to send their unique ID number to one of these email addresses: shield0@usa.com, admin@hoist.desi, and crysis@life.com. Then the cyber criminals will name the price of the decryption software.

However, trusting them is not recommended. Even though this ransomware is still undecryptable, we do not recommend risking the loss of your money or getting infected with other malware. After the attack, employ professional security software and remove the virus from the device.

Mole02 ransomware virus. Mole02 is yet another version of the described ransomware family, and it appends .mole02 file extensions to encrypted records. It utilizes RSA and AES encryption ciphers to securely lock victim's files. The virus first emerged in June 2017 and successfully infected thousands of computers worldwide.

The virus uses _HELP_INSTRUCTION.TXT as a ransom note. It saves this file on the desktop to inform the victim about the cyber attack and demand a ransom. However, victims do not need to pay the ransom any longer if they do not have data backups – malware experts have released a free Mole02 decryptor that restores corrupted files absolutely for free.

Azer ransomware virus. AZER Cryptomix virus is the latest version of this ransomware group that emerged right after the release of the Mole02 decryptor. The new version uses either the .-email-[webmafia@asia.com].AZER or the .-email-[donald@trampo.info.AZER extension to mark encrypted data. The virus corrupts the original filename as well.

The ransom note dropped by this virus is called _INTERESTING_INFORMACION_FOR_DECRYPT.TXT. It is very short and it simply suggests writing to one of the provided emails to get data recovery instructions. Of course, the criminals are not planning to decrypt your files for free.

They usually demand a ransom, however, at the moment the size of it is unknown. Unfortunately, currently, there are no tools capable of decrypting .azer files.
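The extensions, ransom-note names and the lesli, WALLET and AZER filename schemes quoted above can be turned into a simple triage check for a suspect directory listing. This is an added example, not code from the original article or from any vendor; the sample listing and the 16-character IDs in it are constructed, and treating the inner bracket pair around the ID in the lesli scheme as optional is an assumption about the regex-style notation used in the article.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Extensions the article attributes to CryptoMix variants (compared case-insensitively).
CRYPTOMIX_EXTENSIONS = frozenset({
    "lesli", "cryptoshield", "code", "revenge", "scl", "rscl", "rdmk", "rmd",
    "wallet", "mole", "mole02", "mole03", "azer", "exte", "zayka", "noob", "ck",
    "dg", "cnc", "zero", "ogonia", "error", "empty", "arena", "shark", "x1881",
})

# Ransom note file names the article lists (compared case-insensitively).
RANSOM_NOTE_NAMES = frozenset({
    "instruction restore files.txt",
    "_help_instruction.txt",
    "# restoring files #.txt",
    "# restoring files #.html",
    "#_restoring_files_#.txt",
    "# !!!help_file!!! #.txt",
    "help recover files.txt",
    "instruction_for_helping_file_recovery.txt",
    "_interesting_informacion_for_decrypt.txt",
})

# Filename schemes described in the article. Assumption: the inner bracket pair
# around the 16-character ID in the lesli scheme is optional (the article shows
# it in regex notation), so both id[abc...] and id[[abc...]] are accepted.
NAME_SCHEMES = [
    # original: report.docx.email[supl0@post.com]id[<16 chars>].lesli
    ("lesli", re.compile(
        r"\.email\[(?P<email>[^\]]+)\]id\[\[?(?P<vid>[a-z0-9]{16})\]?\]\.lesli$", re.I)),
    # Wallet: report.docx.[email@address.com].ID[<16 chars>].WALLET
    ("wallet", re.compile(
        r"\.\[(?P<email>[^\]]+)\]\.ID\[(?P<vid>[a-z0-9]{16})\]\.WALLET$", re.I)),
    # Azer: <name>.-email-[webmafia@asia.com].AZER
    ("azer", re.compile(r"\.-email-\[(?P<email>[^\]]+)\]\.AZER$", re.I)),
]


@dataclass
class Hit:
    path: str
    variant: str                     # extension family, lower-cased
    email: Optional[str] = None      # contact address embedded in the name, if any
    victim_id: Optional[str] = None  # 16-character ID embedded in the name, if any


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify_file(path: str) -> Optional[Hit]:
    """Return a Hit if the file name matches a CryptoMix naming scheme or extension.
    Short extensions such as .code or .zero can collide with legitimate names, so a
    single hit is a lead for triage, not proof of infection on its own."""
    name = _basename(path)
    for variant, pattern in NAME_SCHEMES:
        m = pattern.search(name)
        if m:
            return Hit(path, variant, m.group("email"), m.groupdict().get("vid"))
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in CRYPTOMIX_EXTENSIONS:
        return Hit(path, ext)
    return None


def is_ransom_note(path: str) -> bool:
    return _basename(path).lower() in RANSOM_NOTE_NAMES


def scan_listing(paths):
    """Summarise a listing: variant counts, ransom notes, contact emails, victim IDs."""
    hits = [h for h in (classify_file(p) for p in paths) if h]
    return {
        "encrypted": len(hits),
        "variants": Counter(h.variant for h in hits),
        "notes": sorted(p for p in paths if is_ransom_note(p)),
        "emails": sorted({h.email for h in hits if h.email}),
        "victim_ids": sorted({h.victim_id for h in hits if h.victim_id}),
    }


# Constructed sample listing (not real victim data); the lesli and WALLET names
# follow the schemes quoted in the article, with a made-up 16-character ID.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.email[supl0@post.com]id[a1b2c3d4e5f60718].lesli",
    r"C:\Users\alice\Documents\INSTRUCTION RESTORE FILES.TXT",
    r"C:\Users\alice\Pictures\holiday.jpg.[shield0@usa.com].ID[A1B2C3D4E5F60718].WALLET",
    r"C:\Users\alice\Pictures\#_RESTORING_FILES_#.txt",
    r"C:\Users\alice\Desktop\notes.txt.EXTE",
    r"C:\Users\alice\Desktop\_HELP_INSTRUCTION.TXT",
    r"C:\Users\alice\Desktop\readme.txt",  # untouched file, must not be flagged
]

if __name__ == "__main__":
    for key, value in scan_listing(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

The extracted email addresses and victim IDs are what the ransom notes ask victims to send, so collecting them from the listing tells a responder which variant and which contact channel they are looking at before any file is touched.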

Exte ransomware virus. This version of ransomware emerged in July 2017. The name of the virus reveals that it appends .EXTE file extension to the encrypted files. Once all targeted files are locked, malware downloads a ransom note called _HELP_INSTRUCTION.TXT. Here victims are asked to send their unique ID number to exte1@msgden.net, exte2@protonmail.com or exte3@reddithub.com and wait for the response with data recovery instructions. 

Currently, the specific size of the ransom is unknown. It seems that the authors of the ransomware set the price for each victim individually, based on the number of encrypted files. Even though no official decryptor for Exte has been released, we do not recommend paying the ransom.

Zayka ransomware virus. Zayka ransomware is yet another version of CryptoMix. Although it works as a virtual extortion tool, it doesn't specify the size of the ransom it wants to receive from the victim. During the encryption, the virus adds .zayka file extensions to files and creates a ransom note – _HELP_INSTRUCTION.TXT.

The ransom note suggests testing the decryption service on three small files that can be sent to the criminals via email. The victim can write to admin@zayka.pro to get instructions regarding data recovery. However, we do not advise you to communicate with the cybercriminals or obey their demands. Instead, you should remove Zayka and start looking for your data backup.

Noob ransomware virus. CryptoMix Noob ransomware was spotted in July 2017, right after the appearance of Zayka virus. Victims should not confuse it with NoobCrypt ransomware, which is a completely different virus.

The Noob virus got its name from the file extension it appends to encrypted files. The ransomware uses the same ransom note name as the previous versions, _HELP_INSTRUCTION.TXT. Just like Zayka, it does not specify the price of the ransom.

Unfortunately, at the moment we cannot provide you any good news regarding .noob file extension data decryption. As soon as the decryptor appears, the article will be updated. Until then, you need to complete Noob ransomware removal.

CK ransomware virus. Just a few days later after Noob's ransomware debut (on July 20) another version showed up. CryptoMix CK ransomware virus is a malicious program that marks encoded data with .ck file extensions. It also drops _HELP_INSTRUCTION.TXT as a ransom note, but the content of it is quite different. Instead of providing one contact email address, it leaves three of them – ck01@techmail.info, ck02@decoymail.com and ck03@protonmail.com.

It is unlikely to be the last version from this ransomware family; more versions will very likely appear shortly. Although at the moment .ck files cannot be decrypted using any third-party tools, this does not mean that you should start negotiating with the cybercriminals via email (and not only because they are unlikely to be willing to do so).

Paying the ransom doesn't mean that your files will be recovered. Therefore, it is recommended that you remove CK ransomware and try data recovery methods provided below the article.

Mole03 ransomware virus. Mole03 virus is another modification of the infamous ransomware known as Crypto Mix, and it also belongs to the Mole ransomware group. After infecting the system, it compromises data and adds the .mole03 file extension to the affected files. Following that, it drops the _HELP_INSTRUCTION.txt file in all compromised folders and, of course, on the desktop. At the moment, none of the free decryption tools are capable of restoring these files.

This variant is known to be pushed via the EiTest campaign and compromised websites that greet visitors with a bogus “The ‘HoeflerText’ font wasn't found” alert. These pop-ups claim that the victim's browser lacks a certain font and that the victim needs to install it in order to view the content of the website. Sadly, the offered file contains the ransomware.

The compromised websites used in the Mole03 campaigns carry a script that detects which web browser the victim uses. If it detects Internet Explorer, it triggers a redirect to a phishing website that belongs to tech support scammers. That website then suggests calling the scammers for help with removing a fictitious “YahLover.worm”.

DG ransomware virus. Also known as DG file extension virus, it is yet another variant of the infamous ransomware. The malware was first spotted on July 28, and just like previous Crypto Mix variants, it creates a _HELP_INSTRUCTION.TXT file to store the ransom note. The ransomware drops this file into several computer locations to make it more noticeable for the victim.

The ransom note discloses three criminals' email addresses: dg01@msgden.net, dg02@armormail.net, and dg01@protonmail.com. In fact, apart from the extension used on encrypted files and the different email addresses, there are not many changes to talk about.

The ransomware keeps playing with the details and, as always, it does not state the exact ransom price: the victim has to email the criminals and ask them about it. At the moment, no Cryptomix DG ransomware decryptors are available.

CNC ransomware virus. On August 7th, 2017, the cybercriminals added another update to CryptoMix which resulted in different file extensions that appear on compromised files. This time, the virus uses .CNC file extensions to mark encoded records. The name of the ransom note, however, remained the same, although its content differs slightly.

As usual, the CNC ransomware virus' authors switched their contact emails. Now they suggest writing to cnc01@msgaden.net, cnc02@nerdmail.co or cnc03@protonmail.com. The fraudsters promise to “help you as soon as possible!”, although we would not call it “help”. Remember, you are dealing with filthy cyber criminals who seek to extort you. They will never provide you with data recovery tools if you refuse to pay them.

We heartily suggest that you think twice before paying the ransom. If you did, you would finance their future projects and motivate them to continue their illegal activities. The result of this will always be more ransomware victims.

ZERO ransomware virus. This variant first appeared at the end of July 2017. The malicious virus wasn't very prevalent if compared to other variants; however, it managed to affect quite a large number of computers worldwide.

The virus suggests writing to the zero@hook.work email address for data decryption instructions. This instruction is written in a ransom note that is named the same way as in previous Crypto Mix variants.

The way this virus encrypts files is highly sophisticated and cannot be reversed without a unique decryption key. Unfortunately, there is no way to get this key without paying the ransom because it is securely stored in criminals' servers.

OGONIA ransomware virus. Ogonia virus is a new addition to CryptoMix virus' family. The first sample of this malicious virus was spotted on August 07, 2017. It is just another proof that ransomware developers are extremely greedy and despite all the ransoms they have already collected, they want more. The result of their greed is this new version – Cryptomix Ogonia virus.

After compromising victim's computer, the virus encodes files, adding .OGONIA file extensions on its way. It is worth mentioning that the virus completely corrupts filenames of files that it encrypts, too. This way, the victim can no longer recognize the files. The malware traditionally creates a ransom note called _HELP_INSTRUCTION.TXT, which barely contains any useful information.

Inside the text file, there is a short message: “All you files crypted. For decrypt write to: TankPolice@aolonline.top.” The decrypt ID provided in the note is used in victim's identification process – this way, the attackers know which decryption key to provide for him/her. Unfortunately, they are cyber extortionists, and they are going to ask you to pay a ransom in exchange for it.

ERROR ransomware virus. CryptoMix Error virus first emerged on August 18th, 2017. The virus continues using the same name for the ransom note, but now adds the .error file extension to encrypted files. In this variant of the ransom note, the cybercriminals suggest writing to error01@msgden.com, error02@webmeetme.com, error03@protonmail.com or errorout@protonmail.com for data recovery instructions. Not surprisingly, the cyber criminals communicate via email to explain the conditions of data recovery.

The virus employs a set of 11 RSA-1024 encryption keys (public) which are used to encrypt the AES key (the one that encrypts files). This way, the victim cannot sort out what the decryption key is without cyber criminals' help.

They want the victim to pay an enormous ransom to regain access to the corrupted files. Unfortunately, researchers have not yet found a way to decrypt files with the .error file extension. It is recommended to remove the virus without hesitation, using proper anti-malware software.

EMPTY ransomware virus. This is a brand new creation from the CryptoMix cyber crime gang. The new virus uses the .empty extension on encrypted files and leaves three email addresses for victims to contact in the _HELP_INSTRUCTION.TXT file.

The virus “kindly” suggests writing to empty01@techmail.info, empty02@yahooweb.co or empty003@protonmail.com to get a reply from cyber criminals with instructions on how to pay a ransom. The criminals promise to help the victim as soon as possible, although usually, it takes about 12 hours to get a response from them.

Since there is no way to recover .empty files for free and without having a data backup, we strongly recommend removing the ransomware from the system because it can silently drag even more malware to it.

CryptoMix Arena ransomware departs from the usual pattern, as it appends the .arena file extension. Interestingly, it emerged at the same time as a Crysis variant which also attaches the .arena file extension. However, on closer inspection the differences become obvious.

After the CryptoMix Arena version finishes encoding files, it changes each file name into a series of hexadecimal characters with .arena at the end. It also opens the _HELP_INSTRUCTION.txt ransom note, which briefly informs victims about the encoded files and provides the contact address ms.heisenberg@aol.com.

This version also presents a more elaborate data encryption technique. The malware employs 11 different RSA-1024 public keys to encrypt the main AES key that encodes the data.[5] Because these public keys are embedded in the malware, it can function offline without contacting a server. In order to encourage victims to remit the payment, the perpetrators offer to decode one file for free.

However, there is no information on whether anyone received all of their files back after paying the ransom. CryptoMix Arena may hide behind a randomly named executable file, so mere vigilance will not be sufficient.

Shark ransomware virus encodes data with an AES key, which is again encrypted with 11 RSA-1024 public keys. This feature grants the virus the ability to function offline. The same mechanism was introduced in the Arena sample discussed above.

Looking from a broader perspective, this version does not include major changes. The ransom note stays the same, but it presents new email addresses for contact purposes: shark01@msgden.com, shark02@techmail.info, and shark003@protonmail.com[6]. At the moment, no decrypter for this version has been released.

x1881 ransomware virus does not present any astonishing features; the changes are minimal. It announces the encrypted data in the same ransom message. However, it now includes four email addresses for victims to contact: x1881@tuta.io, x1883@yandex.com, x1881@protonmail.com, and x1884@yandex.com.

The threat continues using 11 RSA-1024 keys, which allows it to function offline. Users may try the free CryptoMix decrypter to decode files affected by this malware variant.

Main attack vectors: RIG exploit kit and deceptive “HoeflerText” font ads 

There is no one set technique used by the CryptMix virus to enter your computer. You may get infected with this ransomware by clicking on suspicious notification or download buttons, or you can obtain it via P2P (peer-to-peer) networks. Malware analysts have also spotted that some versions of this virus were promoted using RIG exploit kit.

However, most commonly it is downloaded to the system as an important email attachment, such as an invoice, business report or similar document. Some versions of malware are known for being distributed as fake package delivery notifications. Thus, you need to be careful with emails and always double-check the information before opening any attached files, links or buttons.

Therefore, it is important not only to obtain a powerful antivirus system and hope for the best, but also to put effort into keeping Crypto Mix off your computer.[7] Various versions of the malware use exploit kits and Trojans to infiltrate the system. To protect yourself or your business, make sure that you:

  • Analyze all emails that you receive from unknown senders;
  • Dedicate some time to extra research when dealing with newly downloaded software;
  • Check the reliability of the sites you decide to visit to prevent infiltration of CryptMix ransomware;
  • Take your time when installing newly discovered software, which may help you avoid the Trojan horses used to carry this virus.

Start CryptoMix crypto-malware elimination

It is not only possible but simply a must to remove CryptoMix from the infected device. Otherwise, your future files may be in danger as well. We have to warn you that uninstalling ransomware viruses may sometimes be rather problematic.

These malicious programs may try to block your antivirus from scanning the system. In such a case, you may have to deal with the virus manually before your security utility is able to start. Once that is done, you can install Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware to clean up your PC.

You will find the manual CryptoMix removal instructions, prepared by our team of experts at the end of this article. Also, do not hesitate to send us a message if you are encountering troubles related to the elimination of this virus.

We have received reports that the virus actively targets German-speaking countries. If your native language is German, you might want to check malware removal guidelines on DieViren.de site[8].

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove CryptoMix ransomware virus you agree to our privacy policy and agreement of use.

Manual CryptoMix virus Removal Guide:

Remove CryptoMix using Safe Mode with Networking


Sometimes ransomware viruses block legitimate security software to protect themselves from being removed. In this case, you can try rebooting your computer to Safe Mode with Networking.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove CryptoMix

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete CryptoMix removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove CryptoMix using System Restore


If Safe Mode with Networking did not help you disable the ransomware, try System Restore. However, you need to scan your computer twice afterwards to make sure that the ransomware has been removed from the system.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that predates the infiltration of CryptoMix. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that CryptoMix removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove CryptoMix from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by CryptoMix, you can use several methods to restore them:

Recovering files encrypted by CryptoMix with the help of Data Recovery Pro

Data Recovery Pro is a widely-known tool that can be used for recovering accidentally deleted files and similar data. To use it to recover files after infiltration of ransomware, follow these steps:

Use Windows Previous Versions feature to get your files after infiltration of CryptoMix ransomware

Windows Previous Versions method is effective only if System Restore function was enabled on your computer before infiltration of this ransomware. Note that it can help you recover only individual files on your computer.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

CryptoMix Revenge decryption

You can use this tool to recover your encrypted files. However, keep in mind that it can only recover files that were encrypted using an “offline key”. If your version of CryptoMix used a unique key from a remote server, this decrypter will not help you.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from CryptoMix and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware.

About the author

Jake Doevan
Jake Doevan - Computer technology expert


References



  • FreanDer

    I can't IMAGINE losing my files. That's why I keep my system protected with SpyHunter 😉

  • Panter Tyrell

    Phew! Managed to remove this virus just in time! It didn't lock many of the files yet.

  • shulemsc

    DO NOT PAY FOR THIS!!!
    We were infected and they asked for 10 bitcoins; after some negotiations the price was lowered to 6 bitcoins. They provided 1 decrypted file as proof of concept. We paid 6 bitcoins and they asked for another .6 as the C&C server would not provide the key due to late payment. After promptly paying another .6 bitcoins (about $4800 in total) there has been no communication from them! It's been 2 weeks and nothing.
    WHATEVER YOU DO, DO NOT TRUST THEM, THEY WILL NOT DECRYPT YOUR FILES!!!!