Severity scale:  

CryptoMix ransomware virus. How to remove? (Uninstall guide)

removal by Jake Doevan - - | Type: Ransomware

Three new versions of CryptoMix appeared at the beginning of 2018

An image of CryptoMix virus

CryptoMix ransomware started encrypting files in 2016. Ransomware[1] was updated numerous times and continue attacking computer users in 2018. In the beginning of the year, security experts warned about three new versions of this infamous ransomware family – Tastylock, Server, and System ransomware viruses.

The CryptoMix ransomware family might append different files extensions to audio, video, image, documents and other files in order to make them inaccessible. Currently, malicious programs can append these suffixes:

  • .empty;
  • .error;
  • .ogonia;
  • .dg;
  • .zero;
  • .ck;
  • .exte;
  • .code;
  • .revenge;
  • .scl;
  • .rscl;
  • .rdmk;
  • .rmd;
  • .wallet;
  • .Mole03;
  • .CNC;
  • .azer;
  • .lesli;
  • .zayka;
  • .noob;
  • .cryptoshield;
  • .mole02;
  • .shark;
  • .x1881;
  • .XZZX;
  • .0000;
  • .TEST;
  • .WORK;
  • .tastylock;
  • .SERVER;
  • .System;
  • .etc.

Following data encryption, all variants of CryptoMix virus deliver a ransom note where crooks provide instructions how victims can get back access to their files. After ransomware attack, people might find one of these files on the desktop or folders that include encrypted data:

  • !!!HELP_FILE!!! #;

Despite the different names, the ransom payment scheme remains the same. Victims are asked to pay the ransom in Bitcoins, but first, they have to contact criminals via one of the email addresses. It’s known that malware uses these emails, but there are many more:

  • etc.

However, it doesn’t matter which version of the ransomware infected your device, buying CryptoMix decryptor from cyber criminals is not recommended. It might lead to money loss. Crooks might not only threaten you into paying more money but never provide decryption key. Thus, you should remove CryptoMix immediately with Reimage or another security software. 

Free technical support service helps to pay the ransom

Even though victims are encouraged to pay the ransom for the supposedly good cause like charity, we can find similarities between this file-encrypting virus and many other, such as CryptoWall 3.0, CryptoWall 4.0 and CryptXXX ransomware which indicates that none of the collected profits end up there. Instead, this the contrivers of this malicious virus keep releasing new variants of it to continue their illegal activity.

Moreover, the ransomware developers, calling themselves the Cham Team, have also been offering a “Free tech support” for those who decided to pay up. Putting all these strange promises aside, you should remember that you are dealing with real cyber criminals, so there is no need to follow their commands and support their dirty business.

Even if you decide to pay the ransom in exchange for your files, you should take into account that may not receive the access to the decryption key that you need or the key itself may be corrupted.[2]

Thus, we do not recommend following hackers’ orders provided in INSTRUCTION RESTORE FILE.TXT file. This ransom-demanding message shows up in each folder that contains encrypted data. CryptoMix virus is said to encrypt the astonishing amount of file types – 862. Thus, it’s impossible to overlook it.

Speaking more about the content of the ransom note, cyber criminals inform a victim about two different emails, xoomx[@] and xoomx[@], that should be used to contact the developers of Cryptomix ransomware and retrieve the affected files.[3]

After emailing the hackers, the victim is then sent a link and a password to a One Time Secret service website which can be used for exchanging anonymous messages with hackers. At first, the hackers may try to convince the victim to pay for the sake of charity. Of course, we won't find a person who is willing to pay the ransom of 1900 in USD in exchange for his or her files.

Besides, cyber criminals can start threatening you to double the ransom if it is not paid within 24 hours. The most interesting thing is that you can receive a discount after contacting these hackers[4]. In any case, we do not recommend going that far.

You should remove CryptoMix virus as soon as you notice you cannot access your files. However, you should remember that the removal of this virus will not recover your files. For that, you need to use data decryption steps given at the end of this post. If you are not infected yet, make sure your data is in a safe place before the ransomware hits your computer.

New releases of CryptoMix ransomware virus

CryptoShield 1.0 ransomware virusThis version of the malicious program is quite interesting since the criminals employed a mix of ROT-13 and AES-256 ciphers to complete data encryption. If they had decided to use only the former algorithm, this variant wouldn't be a dangerous threat to the cyber community — encryption technique is easily breakable.

However, the combination of both ciphers leads to the point where IT specialist aren't able to easily generate a decryption key and desperate users continue to pay enormous amounts of money to recover their corrupted files. However, note that there are alternative ways to get back access to your data, do not make thoughtless decisions.

Moreover, according to the experts, computer users can get infected on suspicious websites or downloading obfuscate files from peer-to-peer networks. Additionally, this variant of the ransomware uses RIG exploit kit to download the executables for the CryptoShield hijack.

Users are advised to pay close attention to the fake pop-ups since this malware imitates messages from legitimate computer processes. However, you can easily recognise an attempt to fool you by poorly written text. 

.code virus. Malware is distributed via spam emails which have a malicious email attachment. Once users open the attached file, malware payload enters the system and starts data encryption procedure. The virus uses RSA-2048 encryption algorithm and appends .code file extension.

When all targeted files are crypted, the ransomware drops a ransom note named “help recover files.txt” where victims are asked to contact developers via or email addresses. However, doing that is not recommended because cyber criminals will ask to transfer up to 5 Bitcoins for the decryption key.

Thus, it’s a huge sum of money, and you should not risk losing them. It’s better to remove .code virus first.

CryptoShield 2.0 ransomware virus. This version barely differs from earlier CryptoShield variant. After infiltration, it starts data encryption procedure using an RSA-2048 algorithm and appends .CRYPTOSHIELD extension to each of the targeted files.

Then malware creates two new files on the desktop called # RESTORING FILES #.txt and # RESTORING FILES #.html. These files include instructions how to recover encoded data. In the ransom note, cyber criminals provide few email addresses (, or for those victims who are willing to pay the ransom.

However, doing that is not recommended. If you got infected with this version of CryptoMix, remove the virus from the computer and use data backups or alternative recovery methods to restore your files.

Revenge ransomware virus. This file-encrypting virus is distributed as a trojan via RIG exploit kits. After the infiltration, it scans the system looking for the targeted files and encrypts them using an AES-256 algorithm. Just like its name suggests, malware appends .revenge file extension to each of the corrupted file and makes them impossible to open or use.

However, cyber criminals provide instructions how to get back access to the encrypted files in the ransom not called # !!!HELP_FILE!!! #.txt. Here victims are asked to contact cyber criminals via provided email addresses:,,,,, and

If people decide to do that (not recommended), they are asked to transfer particular amount of Bitcoins in order to obtain Revenge Decryptor. We want to point out that this shady deal might end up with money loss or other malware attacks. Besides, encrypted files might still be inaccessible.

Mole ransomware virus. This version of CryptoMix travels via misleading emails that inform about USPS delivery issues. Once people click on a link or attachment provided in the email, they install Mole executable on the system. On the affected computer, malware immediately starts encryption procedure and locks files using an RSA-1024 encryption key.

In order to make the attack even more damaging, the malware also deletes Shadow Volume Copies. Thus data recovery without specific decryption software is nearly impossible if victims do not have backups. Following data encryption, CryptoMix Mole ransomware drops a ransom note “INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT” where victims are told to contact cyber criminals within 78 hours.

Victims are supposed to send their unique ID number either to or email address. However, Doing that is not recommended because people will be asked to transfer a huge sum of money and obtain a questionable decryption software. After ransomware attack, victims should focus on malware removal first.

CryptoMix Wallet ransomware virus. This variant of the ransomware uses AES encryption and appends .wallet file extension to the targeted files which resemble Wallet ransomware virus. However, the malware also renames files. The name of the encrypted file includes the email address of the cyber criminals, victim’s ID number, and a file extension: .[].ID[16 unique characters].WALLET.

Once all files are encrypted, victims receive a fake explorer.exe Application Error message which is supposed to trick victims into pressing OK button. Clicking OK triggers User Account Control prompt window. This alters won’t go away as long as users click “Yes” option. Since then malware starts deletion of Shadow Volume Copies.

Lastly, malware leaves a ransom note “#_RESTORING_FILES_#.txt” where victims are asked to send their unique ID number to one of these email addresses:,, and Then, cyber criminals will provide the cost of decryption software.

However, trusting them is not recommended. Nevertheless, ransomware is still undecryptable; we do not recommend risking to lose the money or getting infected with other malware. After the attack, employ professional security software and remove it from the device.

Mole02 ransomware virus. Mole02 is yet another version of the described ransomware family, and it appends .mole02 file extensions to encrypted records. It utilizes RSA and AES encryption ciphers to securely lock victim's files. The virus first emerged in June 2017 and successfully infected thousands of computers worldwide.

The virus uses _HELP_INSTRUCTION.TXT as a ransom note. It saves this file on the desktop to inform the victim about the cyber attack and demand a ransom. However, victims do not need to pay the ransom any longer if they do not have data backups – malware experts have released a free Mole02 decryptor that restores corrupted files absolutely for free.

Azer ransomware virusAZER Cryptomix virus is the latest version of this ransomware group that emerged right after the release of Mole02 decryptor. The new version uses either .-email-[].AZER or .-email-[ extension to mark encrypted data. The virus corrupts the original filename as well.

The ransom note dropped by this virus is called _INTERESTING_INFORMACION_FOR_DECRYPT.TXT. It is very short and it simply suggests writing to one of the provided emails to get data recovery instructions. Of course, the criminals are not planning to decrypt your files for free.

They usually demand a ransom, however, at the moment the size of it is unknown. Unfortunately, currently, there are no tools capable of decrypting .azer files.

Exte ransomware virus. This version of ransomware emerged in July 2017. The name of the virus reveals that it appends .EXTE file extension to the encrypted files. Once all targeted files are locked, malware downloads a ransom note called _HELP_INSTRUCTION.TXT. Here victims are asked to send their unique ID number to, or and wait for the response with data recovery instructions. 

Currently, the specific size of the ransom is unknown. It seems that authors of the ransomware decide on which victim individually based on the amount of the encrypted files. Despite the fact that official decryptor for Exte is not released, we do not recommend paying the ransom.

Zayka ransomware virus. Zayka ransomware is yet another version of CryptoMix. Although it works as a virtual extortion tool, it doesn't specify the size of the ransom it wants to receive from the victim. During the encryption, the virus adds .zayka file extensions to files and creates a ransom note – _HELP_INSTRUCTION.TXT.

The ransom note suggests testing the data recovery pro on three small files that can be transmitted to criminals via email. The victim can write to to get instructions regarding data recovery. However, we do not advise you to communicate with cybercriminals or obey their demands. Instead, you should remove Zayka and start looking for your data backup.

Noob ransomware virus. CryptoMix Noob ransomware was spotted in July 2017, right after the appearance of Zayka virus. Victims should not confuse it with NoobCrypt ransomware, which is a completely different virus.

The Noob virus got its name based on file extensions it appends to encrypted files. The ransomware uses identically named ransom note like the previous versions –  _HELP_INSTRUCTION.TXT. Just like Zayka, it doesn't specify the price of the ransom.

Unfortunately, at the moment we cannot provide you any good news regarding .noob file extension data decryption. As soon as the decryptor appears, the article will be updated. Until then, you need to complete Noob ransomware removal.

CK ransomware virus. Just a few days later after Noob's ransomware debut (on July 20) another version showed up. CryptoMix CK ransomware virus is a malicious program that marks encoded data with .ck file extensions. It also drops _HELP_INSTRUCTION.TXT as a ransom note, but the content of it is quite different. Instead of providing one contact email address, it leaves three of them –, and

It seems that it is not the latest version from this ransomware family. It is very likely that more versions will appear shortly. Although at the moment .ck files cannot be decrypted using any third-party tools, it doesn't mean that you should start negotiating with cybercriminals via email (and not only because they won't be willing to do that).

Paying the ransom doesn't mean that your files will be recovered. Therefore, it is recommended that you remove CK ransomware and try data recovery methods provided below the article.

Mole03 ransomware virus. Mole03 virus is another modification of the infamous ransomware known as Crypto Mix. It is also one of the Mole ransomware group. After infecting the system, it compromises data and adds .mole03 file extensions to them. Following that, it drops _HELP_INSTRUCTION.txt file in all compromised folders and of course, desktop. At the moment, none of the free decryption tools are capable of restoring these files.

This variant is known to be pushed via EiTest campaign and compromised websites that welcome victims with a bogus “The “HoeflerText” wasn't found” alerts. These pop-ups suggest that victim's browser doesn't have a certain font installed, and the victim needs to have it in order to view the content of the website. Sadly, the file contains the ransomware.

These compromised websites used in Mole03 campaigns are filled with script that detects what web browser the victim uses. If it detects Internet Explorer, it triggers redirect to a phishing website that belongs to tech support scammers. The website then suggests calling scammers for help regarding YahLover.worm removal.

DG ransomware virus. Also known as DG file extension virus, it is yet another variant of the infamous ransomware. The malware was first spotted on July 28, and just like previous Crypto Mix variants, it creates a _HELP_INSTRUCTION.TXT file to store the ransom note. The ransomware drops this file into several computer locations to make it more noticeable for the victim.

The ransom note discloses three criminals' email addresses –,, and In fact, apart from the extension used on encrypted files and different email addresses, there aren't many improvements to talk about.

The ransomware keeps playing with the details, and as always, it doesn't provide the exact ransom price – the victim has to email the victims and ask them about it. At the moment, no Cryptomix DG ransomware decryptors are available.

CNC ransomware virus. On August 7th, 2017, the cybercriminals added another update to CryptoMix which resulted in different file extensions that appear on compromised files. This time, the virus uses .CNC file extensions to mark encoded records. The name of the ransom note, however, remained the same, although its content differs slightly.

As usual, CNC ransomware virus' authors switched their contact emails. Now they suggest writing to, or Frauds promise to “help you as soon as possible!” although we wouldn't name it as “help.” Remember – you are dealing with filthy cyber criminals here who seek to extort you. They will never provide you with data recovery tools if you refuse to pay them.

We heartily suggest that you think twice before paying the ransom. If you did, you would finance their future projects and motivate them to continue their illegal activities. The result of this will always be more ransomware victims.

ZERO ransomware virus. This variant first appeared at the end of July 2017. The malicious virus wasn't very prevalent if compared to other variants; however, it managed to affect quite a large number of computers worldwide.

The virus suggests writing to email address for data decryption instructions. This command is written in a ransom note that is called the same way like in previous Crypto Mix variants.

The way this virus encrypts files is highly sophisticated and cannot be reversed without a unique decryption key. Unfortunately, there is no way to get this key without paying the ransom because it is securely stored in criminals' servers.

OGONIA ransomware virus. Ogonia virus is a new addition to CryptoMix virus' family. The first sample of this malicious virus was spotted on August 07, 2017. It is just another proof that ransomware developers are extremely greedy and despite all the ransoms they have already collected, they want more. The result of their greed is this new version – Cryptomix Ogonia virus.

After compromising victim's computer, the virus encodes files, adding .OGONIA file extensions on its way. It is worth mentioning that the virus completely corrupts filenames of files that it encrypts, too. This way, the victim can no longer recognize the files. The malware traditionally creates a ransom note called _HELP_INSTRUCTION.TXT, which barely contains any useful information.

Inside the text file, there is a short message: “All you files crypted. For decrypt write to:” The decrypt ID provided in the note is used in victim's identification process – this way, the attackers know which decryption key to provide for him/her. Unfortunately, they are cyber extortionists, and they are going to ask you to pay a ransom in exchange for it.

ERROR ransomware virus. CryptoMix Error virus first emerged on August 18th, 2017. The virus continues using the same name for the ransom note, but adds .error file extension to encrypted files now. In this variant of the ransom note, cybercriminals suggest writing to,, or for data recovery instructions. Not surprisingly, cyber criminals communicate via email to explain the conditions regarding data recovery.

The virus employs a set of 11 RSA-1024 encryption keys (public) which are used to encrypt the AES key (the one that encrypts files). This way, the victim cannot sort out what the decryption key is without cyber criminals' help.

They want the victim pay an enormous ransom to get access to corrupted files again. Unfortunately, researchers couldn't find a way to decrypt the files with .error file extensions yet. It is recommended to remove the virus without any hesitations using a proper anti-malware software for that.

EMPTY ransomware virus. It is a brand new creation from CryptoMix cyber crime gang. This new virus uses .empty extension on encrypted files and leaves three email addresses to contact victims in the _HELP_INSTRUCTION.TXT file.

The virus “kindly” suggests writing to, or to get a reply from cyber criminals with instructions on how to pay a ransom. The criminals promise to help the victim as soon as possible, although usually, it takes about 12 hours to get a response from them.

Since there is no way to recover .empty files for free and without having a data backup, we strongly recommend removing the ransomware from the system because it can silently drag even more malware to it.

CryptoMix Arena ransomware makes a diversion as it appends .arena file extension. Interestingly, it emerged at the same time as Crysis variant which also tends to attach .arena file extension. However, taking a closer look, the differences become obvious.

After CryptoMix Arena version finishes encoding files, it changes the file name into a hexadecimal series of numbers and characters with .arena at the end. It also launches its users' GUI with _HELP_INSTRUCTION.txt file. It briefly informs victims about the encode files and delivers

This version also presents vivid and complex data encryption technique. The malware employs 11 different RSA-1024 encryption keys to encode the main key, AES, which encoded the data.[5] Thus, this feature enables the malware to function offline. In order to encourage victims to remit the payment, the perpetrators offer to decode one file for free.

However, there is no information whether any received all files after paying the ransom. CryptoMix Arena may disguise under a random executable file so mere vigilance will not be sufficient. 

Skark ransomware virus encodes data with the AES key which is again encrypted by 11 RSA-1024 public keys. This feature grants the virus the ability to function offline. This specification was introduced in the above-discussed sample.

Looking from a broader perspective, the version does not include major changes. The ransom note stays the same while it presents new email addresses for contact purposes:,, and[6]. At the moment, the decrypter for this version has not been released yet.

x1881 ransomware virus does not present any astonishing features. Changes are minimal. It mentions about encrypted data in the same ransom message. However, now it includes four email addresses for victims to contact them:,,, and

The threat continues using 11 RSA-1024 keys to which allows it to function offline. Users may try to use free CryptoMix decrypter to decode the files affected by this malware variation.

XZZX ransomware virus. On November 2017, developers of CryptoMix came back with a new version of malware that appends .XZZX file extension to the corrupted files. Following data encryption, cyber criminals ask victims to contact them via one of the provided emails (,, or and wait for the further instructions.

Just like the previous variant, XZZX CryptoMix ransomware also uses 11 RSA-1024 encryption keys to corrupt file on the targeted device. Unfortunately, the sophisticated encryption method is not decryptable yet. However, users should remain patient and do not pay the ransom for criminals.

0000 ransomware virus. Following XZZX ransomware, developers presented the 0000 virus as well. It barely differs from the previous version and uses the same encryption algorithm. It locks files with .0000 file extensions and provides data recovery instructions in the _HELP_INSTRUCTION.TXT file. However, the document does not reveal any specific information.

Victims are asked to send their ID number to one of the provided email addresses:,, or However, contacting them and following their instructions is not recommended by security specialists.

Test ransomware virus. In December 2017, cyber criminals presented a new variant of CryptoMix which adds .TEST file extension to targeted files. Just like previous two versions, it uses the same combination of RSA and AES cryptography to make data inaccessible. However, this time crooks use new email addresses for communicating with victims that are presented in the _HELP_INSTRUCTION.TXT file.

Victims are supposed to send their unique ID number to,,, or addresses. Crooks are supposed to respond with data recovery instructions. However, doing that may lead to money loss.

Work CryptoMix ransomware. Recently, the experts have discovered a new version of the malicious program. While it has similarities with the original one, there are also slight differences. Firstly, the hackers have change en extension appended to the corrupted data — now it uses .WORK suffix. 

Even though the file of the ransom note remains to be named as _HELP_INSTRUCTION.TXT, the victims are provided with new email addresses for contact purposes which are the following:


The screenshot of Work CryptoMix ransom note

Tastylock ransomware. This crypto-virus is suspected to be another version of CryptoMix. However, it acts a little bit differently compared to the previously discussed malware. However, the virus uses the same name of the ransom note – _HELP_INSTRUCTION.TXT. However, here criminals provide a slightly altered message, but victims are still advised to send their ID number to the provided email address –

However, security experts do not recommend trying to obtain a decryptor that will be able to restore files with .tastylock extension. Nevertheless, the virus is not decryptable whit third-party software; cyber criminals might only take your money and still leave you with a corrupted data.

Server ransomwareServer Cryptomix ransomware appends .SERVER file extension to the targeted files and renames them with a random string of characters. Once it makes them unable to use and open; malware delivers a ransom note in the _HELP_INSTRUCTION.TXT file. The only change in this version is that criminals use different email addresses:


Despite the fact that malware is currently undecryptable; it's advised to remove Server ransomware virus. Paying the ransom and hoping for criminals' good will to restore your data may lead to financial loss.

System ransomware. This variant appends .System file extension to the targeted data. Just like the previous versions, this one is not decryptable too. Therefore, users are offered to take a shady hacker's deal presented in the  _HELP_INSTRUCTION.TXT file. As usual, victim's are asked to send their ID number to one of the provided emails (,,, or and wait for further instructions. However, security experts recommend removing System CryptoMix ransomware instead of paying the ransom. 

Methods used for spreading file-encrypting malware

Even though people might not be aware, but criminals employ multiple distribution techniques to increase the rate of ransomware infections. They can either infuse malicious scripts on intrusive ads which try to trick you to click on the download button or place the obfuscate files holding the executables of the malware on suspicious file sharing sites.

However, most commonly it is downloaded to the system as an important email attachment, such as an invoice, business report or similar document. Some versions of malware are known for being distributed as fake package delivery notifications. Thus, you need to be careful with emails and always double-check the information before opening any attached files, links or buttons.

Therefore, it is important not only to obtain a powerful antivirus system and hope for the best but to put your effort to prevent Crypto Mix on your computer.[7] Various versions of malware use exploit kits and Trojans to infiltrate the system. To protect yourself or your business, make sure that you:

  • Analyze all emails that you receive from unknown senders;
  • Dedicate some time for extra research when dealing with the newly downloaded software;
  • Check the reliability of the sites you decide to visit to prevent infiltration of CryptMix ransomware.
  • Taking time to install newly discovered software is also an important factor which may help you avoid infiltration of Trojan horses used to carry this virus.

Delete CryptoMix ransomware from the system correctly

If you think that you have plenty of time to deal with CryptoMix removal, think again. This type of a virus is highly dangerous since any minute it can open backdoors to infiltrate other computer threats. 

These malicious programs may try to block your antivirus from scanning the system. In such case, you may have to manage the virus manually for your virus-fighting utility to be able to start. Once it's done, you can install Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware to clean up your PC.

You can quickly remove CryptoMix by following the instructions which are prepared by our team of experts at the end of this article. Also, do not hesitate to send us a message if you are encountering troubles related to the elimination of this virus.

We have received reports that the virus actively targets German-speaking countries. If your native language is German, you might want to check malware removal guidelines on site[8].

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove CryptoMix ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall CryptoMix ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual CryptoMix virus Removal Guide:

Remove CryptoMix using Safe Mode with Networking

Usually, ransomware tries to protect itself by blocking the installation of the security software. Likewise, you should start the removal procedure by rebooting your PC into Safe Mode. Get help from the guide below:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove CryptoMix

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete CryptoMix removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove CryptoMix using System Restore

In some cases, the previously mentioned method might not help. Hence, try another way to disable the virus.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of CryptoMix. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that CryptoMix removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove CryptoMix from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by CryptoMix, you can use several methods to restore them:

Data Recovery Pro might bring back the damaged files

Experts have tried their best to develop a tool which would not only help victims after dangerous ransomware attacks but also recover files once they accidentally delete them. Likewise, we highly recommend you to try this professional data recovery tool:

Use CryptoMix Decryptor

Experts have released a decryptor which helps to recover corrupted data. Those whose files were not encrypted using a unique key from the remote server should try this tool.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from CryptoMix and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions


Removal guides in other languages

  • shulemsc

    we were infected and they asked for 10 bitcoins, after some negotiations the price was lowered to 6 bitcoins. they provided 1 decrypted file to prove concept. we paid 6 bitcoins and they asked for another .6 as the c&c server will not provide the key due to late payment. after promptly paying another .6 bitcoins (about $4800 in total) there has been no communication from them! its been 2 weeks and nothing.

  • Panter Tyrell

    Phew! Managed to remove this virus just in time! It didnt lock much of the files yet

  • FreanDer

    I cant IMAGINE losing my files. Thats why I keep my system protected with SpyHunter 😉