Crypton ransomware virus. How to remove? (Uninstall guide)
Crypton is a file encrypting malware that tries to persuade victims to pay ransom
Questions about Crypton ransomware virus
Crypton ransomware[1] was first spotted in November 2016. Since then, it keeps coming back with different file extensions and improved code. The crypto-malware uses a complicated encryption algorithm to lock up documents, audio, video, and other files. Each version of the virus adds a different file appendix, such as _crypt, .encrptd, and [file_name].id-[victim’s ID] _steaveiwalker@india.com_. The latest variant of Crypton was spotted in May 2018, and it appends .ransomed@india.com extension to all files. Regardless of the version, malware always drops a ransom note either in .txt or .html format, which includes instructions on how to pay hackers in Bitcoin cryptocurrency and reclaim encoded data.
| Summary | |
|---|---|
| Name | Crypton |
| Type | Ransomware |
| Danger level | High. Encrypts files and makes critical changes to the system |
| Release date | November 2016 |
| Appended file extensions | _crypt, .encrptd, [file_name].id-[victim’s ID]_steaveiwalker@india.com_, _.id-[id]_locked, .id-[id]_locked_by_krec, .id-[id]_locked_by_perfect, .id-[id]_x3m, .id-[id]_r9oj, .id-[id]_garryweber@protonmail.ch, .id-[id]_steaveiwalker@india.com_, .id-[id]_julia.crown@india.com_, .id-[id]_tom.cruz@india.com_, .id-[id]_CarlosBoltehero@india.com_, .id-[id]_maria.lopez1@india.com_., .ransomed@india.com |
| Names of the ransom note | Readme_encrypted.txt, COMO_ABRIR_ARQUIVOS.txt, HOWTODECRYPTFILES.html |
| Cryptography | AES-256, SHA-256 |
| Symptoms | Inability to open files due to an unknown extension, suspicious processes running in the background, unknown programs installed on the computer, sluggish computer's performance. |
| Data recovery | All versions (apart the newest one) are decryptable with Emsisoft decryptor |
| To delete CryptON, install Reimage and run a full system scan | |
The virus mainly targets English, Russian, and Portuguese[2] computer users, although it can emerge anywhere in the world. Authors of the CryptON ransomware use Remote Desktop Services (RDP)[3] brute force attacks to hack into computers and install malware. The first task the virus does is the deletion of system recovery points in order to make data encryption a complicated procedure. However, malware researchers managed to help victims of ransomware and created a free decryptor.
However, Crypton virus is still in the wild and encrypts all popular files saved on the affected computer. It uses AES-256 encryption cipher to lock files and gets a key with SHA-256. During the encryption, malware can append one of the following file extensions:
- _crypt
- .encrptd
- .id-[id]_locked
- .id-[id]_locked_by_krec
- .id-[id]_locked_by_perfect
- .id-[id]_x3m
- .id-[id]_r9oj
- .id-[id]_garryweber@protonmail.ch
- .id-[id]_steaveiwalker@india.com_
- .id-[id]_julia.crown@india.com_
- .id-[id]_tom.cruz@india.com_
- .id-[id]_CarlosBoltehero@india.com_
- .id-[id]_maria.lopez1@india.com_
- .ransomed@india.com
Once CryptOn finishes its work, it drops .txt and .jpg files on the infected computer. The first one, “Readme_encrypted.txt” file, contains the only line saying “These files are encrypted! Follow the instructions on the screen. ID:XXXXXX.” The rest of the essential information about what happened and how to reclaim the encrypted files is placed directly on the infected computer’s desktop. The message goes as follows:
Attention!
All data on you PC is encrypted!To decrypt your data, you need to pay the amounts shown below.
Please note that the payment confirmation may take some time (from 1 hour to 1 day).
All this time, the program must be running and have an internet connection.
After the successful confirmation of payment – decoding will start automatically.
Read more about how to make a payment using Bitcoin can be found on the internet network.
In destination address – specify the Bitcoin address, listed below.
Keep in mind that the services may charge a fee for the payment, it is important that we must …
It is not recommended to attempt to recover the data, or remove this program! This can lead to a complete
loss of your data forever! To restore data, you must be connected to the Internet.
Status:
Bitcoin address: ***
Payment amount: ***
check payment status
Authors of the ransomware virus does not specify the size of the ransom. It might differ based on the amount and importance of the encrypted files. However, following hackers’ orders is not needed. After CryptOn removal, you can use a free Emsisoft decryptor for recovering affected files.
To remove CryptOn from the machine, you need to obtain professional malware removal program and run a full system scan. We recommend Reimage for this task because it does not only cleans malware but fixes the damage to the system as well.
Select 'Safe Mode with Networking'
Select 'Enable Safe Mode with Networking'
Select 'Safe Mode with Command Prompt'
Select 'Enable Safe Mode with Command Prompt'
Enter 'cd restore' without quotes and press 'Enter'
Enter 'rstrui.exe' without quotes and press 'Enter'
When 'System Restore' window shows up, select 'Next'
Select your restore point and click 'Next'
Click 'Yes' and start system restore
Developers of Crypton created a special campaign to attack computer users in Portugal
At the beginning of 2017, researchers reported about a new version of the malware. It was named CryptON CyptoLocker virus because it seems to be a version of CyptoLocker ransomware, a popular crypto-malware which has been ravaging through computers back in 2014.[4]
This variant is primarily targeted towards Portuguese-speaking users and addresses them in this particular language when explaining the purposes of the attack and terms of data recovery. Following data encryption procedure, the virus drops a ransom note called COMO_ABRIR_ARQUIVOS.txt.
Additionally, it renames the encrypted files like so: [file_name].id-[victim’s ID]_steaveiwalker@india.com_. However, this version of malware is decryptable too. So, if your files got encrypted, you should focus on Crypton ransomware removal instead of paying the ransom.
The newest version of CryptON uses RDS services to get into machines
As reported by ransomware researcher S!Ri[5], the newest version of CryptON virus abuses victim's Remote Desktop Services connected to the internet to hack into the computer. As soon as cybercrooks get hold of the machine, they physically execute the malicious payload.
This variant of CryptON appends .ransomed@india.com file extension to all encrypted files. As usual, files are not damaged, they are just encoded. In order to recover data, users are prompted to contact hackers via ransomed@india.com email, via the support website online (both Tor and non-Tor versions) or the bitmessage. The rest of the HOWTODECRYPTFILES.htm consists of the instructions pointing at how to install Tor browser.
Unfortunately, this version of CryptON, unlike few previous ones, is not decryptable. However, we suggest trying third-party software or restoring files from a backup.
Distribution methods of the ransomware virus
The file-encrypting virus has several versions that are being spread using different techniques, such as:
- Remote Desktop Services (RDP) attacks;
- a fake keygen for EaseUS Data Recovery software;
- malicious spam emails.[6]
To avoid the cyber attack, it is recommended to protect or disable RDP services, avoid downloading cracked or illegal programs and be careful with emails. The latter method is especially popular among developers of ransomware, so you should learn how to distinguish legitimate email from the dangerous one.
Additionally, updating programs and operating system, as well as installing a professional antivirus program, are also important precautions. However, you should still create backups in case something bad happens.
Uninstall CryptON ransomware virus
Security programs like Reimage, Malwarebytes or Plumbytes Anti-MalwareNorton Internet Security are needed for CryptON removal. This cyber threat is capable of installing numerous malicious components, affecting legitimate system processes and hide under the safe-looking file names. So, professional help is needed for cleaning up the computer.
However, you might be unable to remove CryptON with anti-malware easily. The virus might block security tools, but you can still get rid of this problem. All you need to do is to reboot the computer to Safe Mode with Networking as explained below and perform system scan a couple of times.
Once your computer is virus-free, you can use a free CryptON decryptor or use backups for data recovery. Other possible solutions are given below too.
To remove Crypton virus, follow these steps:
Remove Crypton using Safe Mode with Networking
Follow these steps to disable the virus and run autimatic elimination:
-
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Safe Mode with Networking from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
-
Step 2: Remove Crypton
Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Crypton removal.
If your ransomware is blocking Safe Mode with Networking, try further method.
Remove Crypton using System Restore
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
-
Now type rstrui.exe and press Enter again..
-
When a new window shows up, click Next and select your restore point that is prior the infiltration of Crypton. After doing that, click Next.
-
Now click Yes to start system restore.
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove Crypton from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by Crypton, you can use several methods to restore them:
Solution 1: Data Recovery Pro
If you are looking for a quick data recovery solution, we recommend giving Data Recovery Pro a try. Though you should not keep your hopes up and expect a full system recovery. This software might help you recover some but not all of your files. So, check out the instructions below and get to work!
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Crypton ransomware;
- Restore them.
Solution 2: Windows Previous Versions feature
Windows Previous Versions feature is a useful Windows feature that can be used to jump back in time and recover files based on their previous versions. Bare in mind though, you can only use this feature if you had System Restore function enabled before the virus attack. If you did, please follow the steps below:
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
Solution 3: ShadowExplorer
Last but not least, you can try ShadowExplorer feature to recover your files. This technique helps to extract the needed information from the Volume Shadow Copies that are stored on the computer. Unfortunately, some viruses delete these backup files and it is impossible use them for the data recovery. If for some reason Crypton leaves these file untouched, you have a chance get your files back using this technique:
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Solution 4: Use Emsisoft decryptor tool for CryptOn ransomware
Luckily to all victims of the ransomware, Emsisoft together with virus researcher Fabian Wosar have just presented a decryptor for encrypted files. It can be downloaded from here. To use it properly, you need to start with finding two different versions of the same file – encrypted and the normal version. Then, drag them on the executable file of Crypton decryptor (decrypt_CryptON.exe) and you will receive the key used for encrypting your files. Then, you can use it for recovering all encrypted data.
About the author
If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.
References
- ^ What does ransomware mean?. Techopedia. Where IT and business meet.
- ^ SemVirus. SemVirus. Portuguese cyber security news.
- ^ Mark Stockley. Ransomware-spreading hackers sneak in through RDP. Naked Security. Security news.
- ^ Alex Hern. Cryptolocker: what you need to know. The Guardian. News, sport and opinion from the Guardian's global edition.
- ^ S!Ri. #Ransomware CryptON ransomed@india.com 7C3DC9AD79B800F0A31BA3BDAC79F7E4. Twitter. Social Network.
- ^ Phishing & Spoofing eMail Checklist. CGS Blog. Application, learning and autsourcing content.