Severity scale:

(99/100)

Remove Crypton ransomware / virus (Bonus: Decryption Steps) - updated Sep 2019

removal by Lucia Danes - - 2019-09-01 | Type: Ransomware

Add comment

2 solved questions

11948 views

Crypton is a file encrypting malware that tries to persuade victims to pay ransom

Crytpon virus attack

Questions about Crypton ransomware virus

How to decrypt Crypton ransomware? 16/05/18 1
Strange PC behavior after Crypton removal 18/11/16 1

Crypton ransomware^[1] was first spotted in November 2016. Since then, it keeps coming back with different file extensions and improved code. The crypto-malware uses a complicated encryption algorithm to lock up documents, audio, video, and other files. Each version of the virus adds a different file appendix, such as _crypt, .encrptd, and [file_name].id-[victim’s ID] _steaveiwalker@india.com_. The latest variant of Crypton was spotted in May 2018, and it appends .ransomed@india.com extension to all files. Regardless of the version, malware always drops a ransom note either in .txt or .html format, which includes instructions on how to pay hackers in Bitcoin cryptocurrency and reclaim encoded data.

Summary
Name	Crypton
Type	Ransomware
Danger level	High. Encrypts files and makes critical changes to the system
Release date	November 2016
Appended file extensions	_crypt, .encrptd, [file_name].id-[victim’s ID]_steaveiwalker@india.com_, _.id-[id]_locked, .id-[id]_locked_by_krec, .id-[id]_locked_by_perfect, .id-[id]_x3m, .id-[id]_r9oj, .id-[id]_garryweber@protonmail.ch, .id-[id]_steaveiwalker@india.com_, .id-[id]_julia.crown@india.com_, .id-[id]_tom.cruz@india.com_, .id-[id]_CarlosBoltehero@india.com_, .id-[id]_maria.lopez1@india.com_., .ransomed@india.com
Names of the ransom note	Readme_encrypted.txt, COMO_ABRIR_ARQUIVOS.txt, HOWTODECRYPTFILES.html
Cryptography	AES-256, SHA-256
Symptoms	Inability to open files due to an unknown extension, suspicious processes running in the background, unknown programs installed on the computer, sluggish computer's performance.
Data recovery	All versions (apart the newest one) are decryptable with Emsisoft decryptor
To delete CryptON, install Reimage and run a full system scan

The virus mainly targets English, Russian, and Portuguese^[2] computer users, although it can emerge anywhere in the world. Authors of the CryptON ransomware use Remote Desktop Services (RDP)^[3] brute force attacks to hack into computers and install malware. The first task the virus does is the deletion of system recovery points in order to make data encryption a complicated procedure. However, malware researchers managed to help victims of ransomware and created a free decryptor.

CryptON encrypted files

However, Crypton virus is still in the wild and encrypts all popular files saved on the affected computer. It uses AES-256 encryption cipher to lock files and gets a key with SHA-256. During the encryption, malware can append one of the following file extensions:

_crypt
.encrptd
.id-[id]_locked
.id-[id]_locked_by_krec
.id-[id]_locked_by_perfect
.id-[id]_x3m
.id-[id]_r9oj
.id-[id]_garryweber@protonmail.ch
.id-[id]_steaveiwalker@india.com_
.id-[id]_julia.crown@india.com_
.id-[id]_tom.cruz@india.com_
.id-[id]_CarlosBoltehero@india.com_
.id-[id]_maria.lopez1@india.com_
.ransomed@india.com

Crypton ransom note

Once CryptOn finishes its work, it drops .txt and .jpg files on the infected computer. The first one, “Readme_encrypted.txt” file, contains the only line saying “These files are encrypted! Follow the instructions on the screen. ID:XXXXXX.” The rest of the essential information about what happened and how to reclaim the encrypted files is placed directly on the infected computer’s desktop. The message goes as follows:

Attention!
All data on you PC is encrypted!

To decrypt your data, you need to pay the amounts shown below.
Please note that the payment confirmation may take some time (from 1 hour to 1 day).
All this time, the program must be running and have an internet connection.
After the successful confirmation of payment – decoding will start automatically.
Read more about how to make a payment using Bitcoin can be found on the internet network.
In destination address – specify the Bitcoin address, listed below.
Keep in mind that the services may charge a fee for the payment, it is important that we must …
It is not recommended to attempt to recover the data, or remove this program! This can lead to a complete
loss of your data forever! To restore data, you must be connected to the Internet.
Status:
Bitcoin address: ***
Payment amount: ***
check payment status

Crypton Russian version

Authors of the ransomware virus does not specify the size of the ransom. It might differ based on the amount and importance of the encrypted files. However, following hackers’ orders is not needed. After CryptOn removal, you can use a free Emsisoft decryptor for recovering affected files.

To remove CryptOn from the machine, you need to obtain professional malware removal program and run a full system scan. We recommend Reimage for this task because it does not only cleans malware but fixes the damage to the system as well.

Crypton ransomware virus image
CryptON ransomware ransomware is a malicious infection which locks computer files and drops a ransom note asking for money. You can see what this ransom note says in the picture above.

Developers of Crypton created a special campaign to attack computer users in Portugal

At the beginning of 2017, researchers reported about a new version of the malware. It was named CryptON CyptoLocker virus because it seems to be a version of CyptoLocker ransomware, a popular crypto-malware which has been ravaging through computers back in 2014.^[4]

This variant is primarily targeted towards Portuguese-speaking users and addresses them in this particular language when explaining the purposes of the attack and terms of data recovery. Following data encryption procedure, the virus drops a ransom note called COMO_ABRIR_ARQUIVOS.txt.

Crypton ransomware Portuguese version

Additionally, it renames the encrypted files like so: [file_name].id-[victim’s ID]_steaveiwalker@india.com_. However, this version of malware is decryptable too. So, if your files got encrypted, you should focus on Crypton ransomware removal instead of paying the ransom.

Crypton decryptor

The newest version of CryptON uses RDS services to get into machines

As reported by ransomware researcher S!Ri^[5], the newest version of CryptON virus abuses victim's Remote Desktop Services connected to the internet to hack into the computer. As soon as cybercrooks get hold of the machine, they physically execute the malicious payload.

This variant of CryptON appends .ransomed@india.com file extension to all encrypted files. As usual, files are not damaged, they are just encoded. In order to recover data, users are prompted to contact hackers via ransomed@india.com email, via the support website online (both Tor and non-Tor versions) or the bitmessage. The rest of the HOWTODECRYPTFILES.htm consists of the instructions pointing at how to install Tor browser.

Unfortunately, this version of CryptON, unlike few previous ones, is not decryptable. However, we suggest trying third-party software or restoring files from a backup.

Crypton - ransomed@india.com version

Distribution methods of the ransomware virus

The file-encrypting virus has several versions that are being spread using different techniques, such as:

Remote Desktop Services (RDP) attacks;
a fake keygen for EaseUS Data Recovery software;
malicious spam emails.^[6]

To avoid the cyber attack, it is recommended to protect or disable RDP services, avoid downloading cracked or illegal programs and be careful with emails. The latter method is especially popular among developers of ransomware, so you should learn how to distinguish legitimate email from the dangerous one.

Additionally, updating programs and operating system, as well as installing a professional antivirus program, are also important precautions. However, you should still create backups in case something bad happens.

Uninstall CryptON ransomware virus

Security programs like Reimage, SpyHunter 5Combo Cleaner or Malwarebytes are needed for CryptON removal. This cyber threat is capable of installing numerous malicious components, affecting legitimate system processes and hide under the safe-looking file names. So, professional help is needed for cleaning up the computer.

However, you might be unable to remove CryptON with anti-malware easily. The virus might block security tools, but you can still get rid of this problem. All you need to do is to reboot the computer to Safe Mode with Networking as explained below and perform system scan a couple of times.

Once your computer is virus-free, you can use a free CryptON decryptor or use backups for data recovery. Other possible solutions are given below too.

Offer

do it now!

Download
Reimage (remover) Happiness
Guarantee Download
Reimage (remover) Happiness
Guarantee

Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions

What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.

Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Alternative Software

Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with SpyHunter 5.

Download SpyHunter 5 Review »

Malwarebytes

Alternative Software

Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

Download Combo Cleaner Review »

To remove Crypton virus, follow these steps:

Remove Crypton using Safe Mode with Networking

Follow these steps to disable the virus and run autimatic elimination:

Step 1: Reboot your computer to Safe Mode with Networking

Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
Step 2: Remove Crypton

Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Crypton removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Crypton using System Restore

Step 1: Reboot your computer to Safe Mode with Command Prompt

Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Command Prompt from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
1. Once the Command Prompt window shows up, enter cd restore and click Enter.
2. Now type rstrui.exe and press Enter again..
3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Crypton. After doing that, click Next.
4. Now click Yes to start system restore.
Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Crypton removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Crypton from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Crypton, you can use several methods to restore them:

Recover your data

Solution 1: Data Recovery Pro

If you are looking for a quick data recovery solution, we recommend giving Data Recovery Pro a try. Though you should not keep your hopes up and expect a full system recovery. This software might help you recover some but not all of your files. So, check out the instructions below and get to work!

Download Data Recovery Pro;
Follow the steps of Data Recovery Setup and install the program on your computer;
Launch it and scan your computer for files encrypted by Crypton ransomware;
Restore them.

Solution 2: Windows Previous Versions feature

Windows Previous Versions feature is a useful Windows feature that can be used to jump back in time and recover files based on their previous versions. Bare in mind though, you can only use this feature if you had System Restore function enabled before the virus attack. If you did, please follow the steps below:

Find an encrypted file you need to restore and right-click on it;
Select “Properties” and go to “Previous versions” tab;
Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Solution 3: ShadowExplorer

Last but not least, you can try ShadowExplorer feature to recover your files. This technique helps to extract the needed information from the Volume Shadow Copies that are stored on the computer. Unfortunately, some viruses delete these backup files and it is impossible use them for the data recovery. If for some reason Crypton leaves these file untouched, you have a chance get your files back using this technique:

Download Shadow Explorer (http://shadowexplorer.com/);
Follow a Shadow Explorer Setup Wizard and install this application on your computer;
Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Solution 4: Use Emsisoft decryptor tool for CryptOn ransomware

Luckily to all victims of the ransomware, Emsisoft together with virus researcher Fabian Wosar have just presented a decryptor for encrypted files. It can be downloaded from here. To use it properly, you need to start with finding two different versions of the same file – encrypted and the normal version. Then, drag them on the executable file of Crypton decryptor (decrypt_CryptON.exe) and you will receive the key used for encrypting your files. Then, you can use it for recovering all encrypted data.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Crypton and other ransomwares, use a reputable anti-spyware, such as Reimage, SpyHunter 5Combo Cleaner or Malwarebytes

About the author

Lucia Danes - Virus researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions