Remove Crypton ransomware / virus (Bonus: Decryption Steps) - updated May 2018
Crypton virus Removal Guide
What is Crypton ransomware virus?
Crypton is a file encrypting malware that tries to persuade victims to pay ransom
Crypton ransomware[1] was first spotted in November 2016. Since then, it keeps coming back with different file extensions and improved code. The crypto-malware uses a complicated encryption algorithm to lock up documents, audio, video, and other files. Each version of the virus adds a different file appendix, such as _crypt, .encrptd, and [file_name].id-[victim’s ID] _steaveiwalker@india.com_. The latest variant of Crypton was spotted in May 2018, and it appends .ransomed@india.com extension to all files. Regardless of the version, malware always drops a ransom note either in .txt or .html format, which includes instructions on how to pay hackers in Bitcoin cryptocurrency and reclaim encoded data.
| Summary | |
|---|---|
| Name | Crypton |
| Type | Ransomware |
| Danger level | High. Encrypts files and makes critical changes to the system |
| Release date | November 2016 |
| Appended file extensions | _crypt, .encrptd, [file_name].id-[victim’s ID]_steaveiwalker@india.com_, _.id-[id]_locked, .id-[id]_locked_by_krec, .id-[id]_locked_by_perfect, .id-[id]_x3m, .id-[id]_r9oj, .id-[id]_garryweber@protonmail.ch, .id-[id]_steaveiwalker@india.com_, .id-[id]_julia.crown@india.com_, .id-[id]_tom.cruz@india.com_, .id-[id]_CarlosBoltehero@india.com_, .id-[id]_maria.lopez1@india.com_., .ransomed@india.com |
| Names of the ransom note | Readme_encrypted.txt, COMO_ABRIR_ARQUIVOS.txt, HOWTODECRYPTFILES.html |
| Cryptography | AES-256, SHA-256 |
| Symptoms | Inability to open files due to an unknown extension, suspicious processes running in the background, unknown programs installed on the computer, sluggish computer's performance. |
| Data recovery | All versions (apart the newest one) are decryptable with Emsisoft decryptor |
| To delete CryptON, install ReimageIntego and run a full system scan | |
The virus mainly targets English, Russian, and Portuguese[2] computer users, although it can emerge anywhere in the world. Authors of the CryptON ransomware use Remote Desktop Services (RDP)[3] brute force attacks to hack into computers and install malware. The first task the virus does is the deletion of system recovery points in order to make data encryption a complicated procedure. However, malware researchers managed to help victims of ransomware and created a free decryptor.
However, Crypton virus is still in the wild and encrypts all popular files saved on the affected computer. It uses AES-256 encryption cipher to lock files and gets a key with SHA-256. During the encryption, malware can append one of the following file extensions:
- _crypt
- .encrptd
- .id-[id]_locked
- .id-[id]_locked_by_krec
- .id-[id]_locked_by_perfect
- .id-[id]_x3m
- .id-[id]_r9oj
- .id-[id]_garryweber@protonmail.ch
- .id-[id]_steaveiwalker@india.com_
- .id-[id]_julia.crown@india.com_
- .id-[id]_tom.cruz@india.com_
- .id-[id]_CarlosBoltehero@india.com_
- .id-[id]_maria.lopez1@india.com_
- .ransomed@india.com
Once CryptOn finishes its work, it drops .txt and .jpg files on the infected computer. The first one, “Readme_encrypted.txt” file, contains the only line saying “These files are encrypted! Follow the instructions on the screen. ID:XXXXXX.” The rest of the essential information about what happened and how to reclaim the encrypted files is placed directly on the infected computer’s desktop. The message goes as follows:
Attention!
All data on you PC is encrypted!To decrypt your data, you need to pay the amounts shown below.
Please note that the payment confirmation may take some time (from 1 hour to 1 day).
All this time, the program must be running and have an internet connection.
After the successful confirmation of payment – decoding will start automatically.
Read more about how to make a payment using Bitcoin can be found on the internet network.
In destination address – specify the Bitcoin address, listed below.
Keep in mind that the services may charge a fee for the payment, it is important that we must …
It is not recommended to attempt to recover the data, or remove this program! This can lead to a complete
loss of your data forever! To restore data, you must be connected to the Internet.
Status:
Bitcoin address: ***
Payment amount: ***
check payment status
Authors of the ransomware virus does not specify the size of the ransom. It might differ based on the amount and importance of the encrypted files. However, following hackers’ orders is not needed. After CryptOn removal, you can use a free Emsisoft decryptor for recovering affected files.
To remove CryptOn from the machine, you need to obtain professional malware removal program and run a full system scan. We recommend ReimageIntego for this task because it does not only cleans malware but fixes the damage to the system as well.
Developers of Crypton created a special campaign to attack computer users in Portugal
At the beginning of 2017, researchers reported about a new version of the malware. It was named CryptON CyptoLocker virus because it seems to be a version of CyptoLocker ransomware, a popular crypto-malware which has been ravaging through computers back in 2014.[4]
This variant is primarily targeted towards Portuguese-speaking users and addresses them in this particular language when explaining the purposes of the attack and terms of data recovery. Following data encryption procedure, the virus drops a ransom note called COMO_ABRIR_ARQUIVOS.txt.
Additionally, it renames the encrypted files like so: [file_name].id-[victim’s ID]_steaveiwalker@india.com_. However, this version of malware is decryptable too. So, if your files got encrypted, you should focus on Crypton ransomware removal instead of paying the ransom.
The newest version of CryptON uses RDS services to get into machines
As reported by ransomware researcher S!Ri[5], the newest version of CryptON virus abuses victim's Remote Desktop Services connected to the internet to hack into the computer. As soon as cybercrooks get hold of the machine, they physically execute the malicious payload.
This variant of CryptON appends .ransomed@india.com file extension to all encrypted files. As usual, files are not damaged, they are just encoded. In order to recover data, users are prompted to contact hackers via ransomed@india.com email, via the support website online (both Tor and non-Tor versions) or the bitmessage. The rest of the HOWTODECRYPTFILES.htm consists of the instructions pointing at how to install Tor browser.
Unfortunately, this version of CryptON, unlike few previous ones, is not decryptable. However, we suggest trying third-party software or restoring files from a backup.
Distribution methods of the ransomware virus
The file-encrypting virus has several versions that are being spread using different techniques, such as:
- Remote Desktop Services (RDP) attacks;
- a fake keygen for EaseUS Data Recovery software;
- malicious spam emails.[6]
To avoid the cyber attack, it is recommended to protect or disable RDP services, avoid downloading cracked or illegal programs and be careful with emails. The latter method is especially popular among developers of ransomware, so you should learn how to distinguish legitimate email from the dangerous one.
Additionally, updating programs and operating system, as well as installing a professional antivirus program, are also important precautions. However, you should still create backups in case something bad happens.
Uninstall CryptON ransomware virus
Security programs like ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes are needed for CryptON removal. This cyber threat is capable of installing numerous malicious components, affecting legitimate system processes and hide under the safe-looking file names. So, professional help is needed for cleaning up the computer.
However, you might be unable to remove CryptON with anti-malware easily. The virus might block security tools, but you can still get rid of this problem. All you need to do is to reboot the computer to Safe Mode with Networking as explained below and perform system scan a couple of times.
Once your computer is virus-free, you can use a free CryptON decryptor or use backups for data recovery. Other possible solutions are given below too.
Getting rid of Crypton virus. Follow these steps
Manual removal using Safe Mode
Follow these steps to disable the virus and run autimatic elimination:
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove Crypton using System Restore
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
-
Now type rstrui.exe and press Enter again..
-
When a new window shows up, click Next and select your restore point that is prior the infiltration of Crypton. After doing that, click Next.
-
Now click Yes to start system restore.
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove Crypton from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by Crypton, you can use several methods to restore them:
Solution 1: Data Recovery Pro
If you are looking for a quick data recovery solution, we recommend giving Data Recovery Pro a try. Though you should not keep your hopes up and expect a full system recovery. This software might help you recover some but not all of your files. So, check out the instructions below and get to work!
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Crypton ransomware;
- Restore them.
Solution 2: Windows Previous Versions feature
Windows Previous Versions feature is a useful Windows feature that can be used to jump back in time and recover files based on their previous versions. Bare in mind though, you can only use this feature if you had System Restore function enabled before the virus attack. If you did, please follow the steps below:
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
Solution 3: ShadowExplorer
Last but not least, you can try ShadowExplorer feature to recover your files. This technique helps to extract the needed information from the Volume Shadow Copies that are stored on the computer. Unfortunately, some viruses delete these backup files and it is impossible use them for the data recovery. If for some reason Crypton leaves these file untouched, you have a chance get your files back using this technique:
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Solution 4: Use Emsisoft decryptor tool for CryptOn ransomware
Luckily to all victims of the ransomware, Emsisoft together with virus researcher Fabian Wosar have just presented a decryptor for encrypted files. It can be downloaded from here. To use it properly, you need to start with finding two different versions of the same file – encrypted and the normal version. Then, drag them on the executable file of Crypton decryptor (decrypt_CryptON.exe) and you will receive the key used for encrypting your files. Then, you can use it for recovering all encrypted data.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Crypton and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Choose a proper web browser and improve your safety with a VPN tool
Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.
Lost your files? Use data recovery software
While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.
To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.
If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.
- ^ What does ransomware mean?. Techopedia. Where IT and business meet.
- ^ SemVirus. SemVirus. Portuguese cyber security news.
- ^ Mark Stockley. Ransomware-spreading hackers sneak in through RDP. Naked Security. Security news.
- ^ Alex Hern. Cryptolocker: what you need to know. The Guardian. News, sport and opinion from the Guardian's global edition.
- ^ S!Ri. #Ransomware CryptON ransomed@india.com 7C3DC9AD79B800F0A31BA3BDAC79F7E4. Twitter. Social Network.
- ^ Phishing & Spoofing eMail Checklist. CGS Blog. Application, learning and autsourcing content.