Submit article

Severity scale:

(99/100)

Crypton ransomware virus. How to remove? (Uninstall guide)

removal by Lucia Danes - - 2017-03-09 Also known as CryptON | Type: Ransomware

Add comment

1 solved questions

6064 views

1 2 ❯

Crypton ransomware namesake shows up on the web in 2017

Crypton ransomware virus has been brought to the security community’s attention in the beginning of November 2016. After analyzing the initial virus characteristics, experts quickly made the conclusion that this ransomware ^[1] must be another version of Hidden Tear project ^[2]. However, these presumptions that Crypton ransomware was based on this formerly educational project were later debunked. Keeping in mind the fact that ransomware developers are very creative people when it comes to naming their malicious creations^[3], there is no surprise that, in the beginning of 2017, virus has gained a namesake — the CryptON virus. Form the first sight, it does not seem related to the initial malware.

The ransomware is thought to be a new strain of CyptoLocker ransomware, a popular crypto-malware which has been ravaging through computers back in 2014 ^[4]. To distinguish it from the initial malware, the experts usually refer to this parasite as CryptON CyptoLocker virus. There are some distinct structural differences between the two as well. For instance, virus is primarily targeted towards Portuguese-speaking users and addresses them in this particular language when explaining the purposes of the attack and terms of data recovery. So, instead of the ransom note Readme_encrypted.txt used by Crypton virus, this Cryptolocker version drops COMO_ABRIR_ARQUIVOS.txt on all of the affected computer folders. Besides, it also renames the encrypted files like so: [file_name].id-[victim’s ID]_steaveiwalker@india.com_. Next to clear differences combining these two viruses, there is a major difference between these two ransomware threats – the newer, CryptOn ransomware, is already decryptable. Thanks to Emsisoft, now you can recover your encrypted files.

Main fatcs about Crypton

No matter that CryptOn has been known for several years, this program still leaves a lot of blank spaces. For instance, we have no knowledge about its initial origin or information about whether it belongs to some other established ransomware family or spreads individually. We are sure about, though, is that this virus is malicious, infiltrates computers by deception, locks the containing files and demands cash for their return. These are the primary reasons why Crypton removal is absolutely crucial. Though it may not turn out to be that easy. Ransomware viruses usually are designed to resist removal attempts ^[5], so if you are using Reimage or any other anti-malware utility for the removal, you may encounter troubles getting it running. If you are in such a situation already, do not panic. Keep reading this article, and you will find all the information needed to decontaminate and remove the virus.

Crypton ransomware virus image — CryptON ransomware ransomware is a malicious infection which locks computer files and drops a ransom note asking for money. You can see what this ransom note says in the picture above.

**Method 1. (Safe Mode method)**
Select 'Safe Mode with Networking'

**Method 1. (Safe Mode method)**
Select 'Enable Safe Mode with Networking'

**Method 2. (System Restore method)**
Select 'Safe Mode with Command Prompt'

**Method 2. (System Restore method)**
Select 'Enable Safe Mode with Command Prompt'

**Method 2. (System Restore method)**
Enter 'cd restore' without quotes and press 'Enter'

**Method 2. (System Restore method)**
Enter 'rstrui.exe' without quotes and press 'Enter'

**Method 2. (System Restore method)**
When 'System Restore' window shows up, select 'Next'

**Method 2. (System Restore method)**
Select your restore point and click 'Next'

**Method 2. (System Restore method)**
Click 'Yes' and start system restore

Slide 1 of 10

Once the virus infiltrates a computer, it starts scanning it for certain file types that are included in its target list. The located files are then encrypted using a public encryption key and .crypt extensions are appended to the endings of the affected filenames. This may all seem very confusing after finding such a mess on your computer, so the extortionists have planned everything out. Once CryptOn virus finishes its work, it drops .txt and .jpg files on the infected computer. The first one, “Readme_encrypted.txt” file, contains the only line saying “These files are encrypted! Follow the instructions on the screen. ID:XXXXXX.” The rest of the essential information about what happened and how to reclaim the encrypted files is placed directly on the infected computer’s desktop. The message goes as follows:

Attention!
All data on you PC is encrypted!

To decrypt your data, you need to pay the amounts shown below.
Please note that the payment confirmation may take some time (from 1 hour to 1 day).
All this time, the program must be running and have an internet connection.
After the successful confirmation of payment – decoding will start automatically.
Read more about how to make a payment using Bitcoin can be found on the internet network.
In destination address – specify the Bitcoin address, listed below.
Keep in mind that the services may charge a fee for the payment, it is important that we must …
It is not recommended to attempt to recover the data, or remove this program! This can lead to a complete
loss of your data forever! To restore data, you must be connected to the Internet.
Status:
Bitcoin address: ***
Payment amount: ***
check payment status

Though the ransom amount is not indicated in the note, according to the users’ reports, it may vary. Regardless of the sum the hackers demand, we strongly advise you against paying up. It is much safer to simply remove CryptOn and try to recover the encrypted data in some other way. Besides, you will not even have to look for these alternative data recovery approaches as we have conveniently provided them at the end of this article.

How does this virus reach computers?

Crypto-ransomware like Crypton are usually distributed via malicious spam campaigns. These campaigns make sure that you receive virus payload directly into your email inbox. Of course, some of such fraudulent emails carrying attached ransomware payloads are placed in the “Spam” folder after being determined as suspicious by your email provider. That’s why you have to be careful when browsing through this folder. Nevertheless, Crypton has much more means of entering computers. It can be installed via fake software updates, for instance. Thus, to avoid fake software updates, it is recommended to regularly check if your software is up-to-date and, if needed, upgrade it with the help of official and reputable sources.

How can I remove Crypton ransomware?

It goes without saying that Crypton virus must be banished from the computer as soon as possible. It is a destructive application which does not limit itself to locking only the files that are contained on the computer at the time of infection. Every time the computer is rebooted, the virus will encrypt all of the newly created files. Thus, if you want to protect your future data, you should hurry up with Crypton removal. Reboot your computer in Safe Mode with Networking and download a professional antivirus utility on your computer. If you already have one installed, run a full system scan with it and allow it to remove Crypton automatically. Good luck!

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Crypton ransomware virus you agree to our privacy policy and agreement of use.

do it now!

Download
Reimage (remover) Happiness
Guarantee Download
Reimage (remover) Happiness
Guarantee

Compatible with Microsoft Windows Compatible with OS X

What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.

(917) 341-2281

Reimage is recommended to uninstall Crypton ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.

read press mentions »

Manual Crypton virus Removal Guide:

Remove Crypton using Safe Mode with Networking

Remove it now

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

Step 1: Reboot your computer to Safe Mode with Networking

Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
Step 2: Remove Crypton

Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Crypton removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Crypton using System Restore

Remove it now

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

Step 1: Reboot your computer to Safe Mode with Command Prompt

Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Command Prompt from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
1. Once the Command Prompt window shows up, enter cd restore and click Enter.
2. Now type rstrui.exe and press Enter again..
3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Crypton. After doing that, click Next.
4. Now click Yes to start system restore.
Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Crypton removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Crypton from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Crypton, you can use several methods to restore them:

Recover your data

Solution 1: Data Recovery Pro

If you are looking for a quick data recovery solution, we recommend giving Data Recovery Pro a try. Though you should not keep your hopes up and expect a full system recovery. This software might help you recover some but not all of your files. So, check out the instructions below and get to work!

Download Data Recovery Pro (https://www.2-spyware.com/download/data-recovery-pro-setup.exe);
Follow the steps of Data Recovery Setup and install the program on your computer;
Launch it and scan your computer for files encrypted by Crypton ransomware;
Restore them.

Solution 2: Windows Previous Versions feature

Windows Previous Versions feature is a useful Windows feature that can be used to jump back in time and recover files based on their previous versions. Bare in mind though, you can only use this feature if you had System Restore function enabled before the virus attack. If you did, please follow the steps below:

Find an encrypted file you need to restore and right-click on it;
Select “Properties” and go to “Previous versions” tab;
Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Solution 3: ShadowExplorer

Last but not least, you can try ShadowExplorer feature to recover your files. This technique helps to extract the needed information from the Volume Shadow Copies that are stored on the computer. Unfortunately, some viruses delete these backup files and it is impossible use them for the data recovery. If for some reason Crypton leaves these file untouched, you have a chance get your files back using this technique:

Download Shadow Explorer (http://shadowexplorer.com/);
Follow a Shadow Explorer Setup Wizard and install this application on your computer;
Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Solution 4: Use Emsisoft decryptor tool for CryptOn ransomware

Luckily to all victims of CryptOn ransomware, Emsisoft together with virus researcher Fabian Wosar have just presented a decryptor for encrypted files. It can be downloaded from here. To use it properly, you need to start with finding two different versions of the same file – encrypted and the normal version. Then, drag them on the executable file of Crypton decryptor (decrypt_CryptON.exe) and you will receive the key used for encrypting your files. Then, you can use it for recovering all encrypted data.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Crypton and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Lucia Danes - Virus researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions

References

^ What does ransomware mean?. Techopedia. Where IT and business meet.
^ Jornt van der Wiel. Hidden tear and its spin offs. Securelist. Information about Viruses, Hackers and Spam.
^ Ransomware with ridiculous names started appearing on the web. Esolutions. Blog about the latest security news.
^ Alex Hern. Cryptolocker: what you need to know. The Guardian. News, sport and opinion from the Guardian's global edition.
^ Ransomware facts. Microsoft malware protection center.

This entry was posted on 2017-03-09 at 03:25 and is filed under Ransomware, Viruses.