CryptXXX ransomware / virus (Removal Instructions) - Apr 2017 update

CryptXXX virus Removal Guide

What is CryptXXX ransomware virus?

CryptXXX virus proves to be one of the most prevalent ransomware viruses in 2016 and 2017

CryptXXX virus, which malware analysts often regard to as UltraCrypter and Ransom.CryptXXX,[1] is a cyber threat that was first discovered in the beginning of April, 2016. Since then, it has changed a lot – security researchers have already announced about CryptXXX 2.0, CryptXXX 3 and .crypt versions. No matter how different they are, they all work with the main purpose, which is to encrypt data on victims’ computers and force them to pay ransoms. This virus is also known to be offering limited discounts for its victims – recently, it rolled out a discount during the Christmas holidays. While previous versions of this ransomware had been asking 1.2 Bitcoin from their victims what is equal to $1850, during Christmas holidays victims were allowed to purchase the decrypter for 0.5 BTC.[2] Despite that, security experts advised victims not to buy UltraDeCrypter offered by the developers of this ransomware, because making payments to cyber criminals certainly don’t guarantee that files will be recovered. In case of infiltration of this ransomware, you need to remove CryptXXX from the system with the help of FortectIntego and restore your data with the decrypter presented by security experts. To decrypt your files encrypted by CryptXXX ransomware, use RannohDecrypter created by Kaspersky Labs.[3]

CryptXXX ransomwareResearcher shows the ransom note left by CryptXXX ransomware and the picture that it sets as compromised computer's desktop wallpaper.

As we have mentioned, the ransomware was under the scrutiny since its first appearance, and as it evolved over time, experts followed the changes and currently it is known that CryptXXX ransomware has been switching from one file extension to another. These extensions are used to mark encrypted files, and so far we know that .crypt, .cryp1, and .crypz extensions can be used to identify CryptXXX attack. However, some versions of this ransomware have been leaving the same filenames, so the only difference showing victims that they are affected by a serious virus has been that you can’t open them. Also, the latest version of this dangerous ransomware fails to provide the support service for those who have problems with payments and displays its ransom warning in these files: README.html, README.bmp, README.txt. Needless to say, hackers would not be so engaged in creating new viruses if this activity would not be profitable.[4] In fact, CryptXXX virus became so prevalent that it even competes with viruses like Cerber or Locky. Besides the original CryptXXX ransomware, there are tens of other ransomware developers variants used to extort even more profit from the unsuspecting users. You will find a list of these versions on

Finally, according to some of security experts, CryptXXX also displays characteristics of a Trojan virus and may steal from your BitCoin wallet or collect data and login credentials to be able to connect directly to your bank account. We must warn you that a combination of Trojan and ransomware viruses is especially dangerous, so hesitating to remove such threat from the computer may result in really disastrous consequences. Finally, we must accentuate yet another CryptXXX feature – it is capable of encrypting files stored on DropBox folders mapped to a drive letter on the compromised computer. These files can be restored by right-clicking on each of them, and selecting the previous version of it.

What can I expect from ransomware?

It is almost impossible to indicate when the initial CryptXXX infiltration occurs. You may notice system slowdowns, minor errors but no clear signs of a ransomware infection occur. The victims usually notice the virus at its final stage, when they can no longer access their files. However at this point, it is already too late to revert the damage that has been done to the computer. And all that the users are left with is a ransom note, featuring a few links to the anonymous websites, where they can pay for the file decryption key. Perhaps envying the success of infamous viruses CryptoWall and TeslaCrypt 4.0, the scammers demand around $515 USD per PC, which is a slightly larger sum than regularly demanded by other ransomware. Although, it seems that the greed of cyber criminals is still expanding as they threaten to double the sum if the victim hesitates to pay up. So, if your computer has been taken over by this malware, the first thing you should do is prioritize CryptXXX removal rather than search for the money. Besides, even if you manage to recover your files with a decryption tool sent to you by the cyber criminals, there is a chance that the information you provided while paying the ransom will be used to simply rob you. This is another major reason not to hesitate and remove the virus from your computer as soon as possible.

The list of currently known CryptXXX versions:

CryptXXX 2.0. The developers of the CryptXXX ransomware were unpleasantly surprised when the decryption tool was released. However, criminals gathered their resources once again and struck back with a version 2.0 of the CryptXXX virus. This new version is capable of modifying the legitimate rundll32.exe file by replacing it with the malicious svchost.exe. This executable file is responsible for activating the virus. It is also known that the CryptXXX 2.0 is distributed with the help of Trojans. In particular, the virus is associated with Bedep and Angler infections. Luckily, the security experts managed to come up with CryptXXX 2.0 decryption tool as well, and the virus was terminated once more.

CryptXXX 3.0. Even after the release of the CryptXXX and CryptXXX 2.0 decryption tools, the ransomware creators do not seem to stand back. On the contrary, they are becoming even more dangerous. Recently a CryptXXX version 3.0 was released, in which the cyber criminals seem to have “fixed” the shortcomings of the previous two versions. The virus continues spreading with the help of exploit kits such as Angler as well as employs Reveton malware for the distribution. Fortunately, security experts have already presented a tool that is capable of helping users to decrypt their files without having to pay the ransom. Of course, having in mind the previous success of exterminating this virus, there is a chance that the hackers will come up with new ransomware any time soon.

CryptXXX 4.0. The fourth CryptXXX version has been released right after the leak of decryption keys for .crypz and .cryp1 virus versions. This is an even more powerful virus, which encodes data using RSA4096 encryption. Currently, there are no decrypter for CryptXXX 4 version, so you can’t restore your encrypted files for free. However, you can always use data recovery steps presented by experts to recover files encrypted by CryptXXX 4. We should also add that this malware was first discovered at the end of July 2016 and has been actively distributed via compromised websites that redirect users to Neutrino Exploit Kit.

.crypt file extension virus. Even though this version of the virus is relatively new, it spreads rapidly and the cyber security experts receive numerous reports about its infiltration. After investigating the .crypt file extension virus, it was found that it encrypts the computer data using RZA4096 encryption algorithm. After the needed data is encrypted, the virus drops !Recovery_.htm and !Recover_.txt documents featuring file recovery instructions on the infected folders of the computer. It is not yet clear, though, what specific sum of money is demanded the file decryption, but the cyber criminals threaten to double it if the ransom is not paid in time. We do not recommend following the demands and encourage you to remove the virus from your computer as quick as possible.

Ways of CryptXXX ransomware distribution and tips how to sidestep them

The first signs of the virus have been spotted in the second half of March. It doesn’t seem that CryptXXX has any preferences choosing its victims. Either you reside in Sao Paulo, Aberdeen or Beijing, the virus might unexpectedly appear at the doorstep of your operating system. Proofpoint experts suspect that the same group of cyber criminals which launched Reveton virus are behind this virtual threat as well. Such conclusions have been made after noticing that both Reveton and CryptXXX virus tend to steal the personal victim’s data. Also, both viruses spread via Angler exploit kit.[5] Speaking of exploit kits, IT specialists call them “fileless infections,” due to their sly appearance and ability to leave as few traces as possible on the infected system. Additionally, these exploit kits look for vulnerabilities in the system and seek to install additional malicious content, such as the Bedep Trojan downloader[6] which then can easily download CryptXXX virus on the infected computer. Thus, every user is encouraged to install an anti-spyware application, such as FortectIntego, for it to monitor the system against such malware.

Furthermore, you shouldn’t exclude the possibility that this malware might infect your computer via spam emails. Though more and more hackers tend to shift to distributing ransomware using exploit kits, still a considerable number of viruses disguise themselves in email attachments. Even if you receive an email from a governmental institution, stay alerted and avoid opening it which might contain a suspicious attachment. If it is unwrapped, CryptXXX executes itself and starts encrypting possibly important files which are often formatted as .doc, .xls, .mp4, .mp3, .png, .txt, .jpg, etc. After some time, the ransomware drops de_crypt_readme.bmp, de_crypt_readme.txt, and de_crypt_readme.html files on the system. Within few minutes, a note emerges declaring about the encrypted files. As we have mentioned before, you should hurry to remove CryptXXX.

How to remove CryptXXX virus professionally:

Regarding its complex structure and elaborate transmission method, you should opt for automatic removal right away. Install an anti-spyware tool which should help you to remove CryptXXX. It might be the only option since some versions of ransomware tend to disable anti-virus programs or block access to the websites offering malware removal tools. Thus, after the anti-spyware program finishes the removal process, enable the anti-virus software. Afterward, develop alternatives for data storage. You can either store it on your computer, but you must back it up in order not to lose it in the case of ransomware attack. Additionally, it would be better to use digital data storage devices such as USB sticks. Lastly, if you feel confident enough, you might try removing CryptXXX virus manually. You can find the instructions below.


How do I recover files encrypted by the CryptXXX virus?

Even though the virus exceeds the limits of the regular ransomware viruses, it is not as dangerous as it may seem. The computer specialists have already come up with a CryptXXX decryption tool, which you can use to recover your files. However, if you are infected with the some latest versions of the virus, the decryption tool may not work. Unfortunately, in such a case you need to try other decryption options provided in “Data Recovery” section.

What are the best ways to prevent CryptXXX attack?

You can try preventing CryptXXX attack with sophisticated antivirus software such as FortectIntego but you should keep in mind that viruses are often updated and the antivirus systems sometimes struggle to keep up with the latest versions of the viruses. Consequently, some malicious program may accidentally slip through. A better option is to regularly backup your data and store it on some external drive. This way, you will be able to keep your files safe and recover your files in case of an emergency.

When is it safe to recover the data from a backup after the CryptXXX infection?

If you keep your files on some external drive, you should try recovering the data from a backup ONLY after the CryptXXX virus along with its malicious components is completely removed from your computer. Otherwise, you risk having the files on the backup locked too. Make sure you scan your computer with a sophisticated antivirus tool before initiating any data recovery processes.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of CryptXXX virus. Follow these steps

Manual removal using Safe Mode

Before you begin, you need to reboot your desktop computer/laptop into Safe Mode with Networking. This mode will start your computer with minimum amount of drivers and services required to boot the operating system. This will help you to stop the activity of the virus and remove CryptXXX without a hassle.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove CryptXXX using System Restore

If the method 1 didn’t quite go well and CryptXXX is still on your computer, rely on these instructions.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of CryptXXX. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that CryptXXX removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove CryptXXX from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Currently, malware researchers have released decryptors for all CryptXXX versions until CryptXXX 4.0. You can find links to download these decryptors below. If you were infected with a version that hasn’t been cracked by ransomware analysts yet, we strongly suggest you stay patient and not pay the ransom to scammers. You would waste your money this way without getting any guarantees to restore your files. 

If your files are encrypted by CryptXXX, you can use several methods to restore them:

Recovering files encrypted by CryptXXX ransomware with the help of Data Recovery Pro

If none of the decryptors provided below work well enough to restore all of your files, it means you have been attacked by an improved version of the described ransomware. In such case, you might want to try alternative data recovery tools. To recover files encrypted by Data Recovery Pro, you need to follow the steps given below. It is a well-known application that can be used to restore damaged files and similar data.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by CryptXXX ransomware;
  • Restore them.

Using Windows Previous Versions feature to recover files encrypted by CryptXXX

If System Restore function was enabled on your computer, you can use Windows Previous Versions feature to recover your encrypted data. For that, follow these steps carefully.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Get help from ShadowExplorer

Usually, ransomware viruses delete Volume Shadow Copies, making it impossible to restore files using these copies. However, there’s nothing to lose, and just like regular programs, the virus can have errors and fail to delete these copies. You can check if VSC are still in place by running a system scan with ShadowExplorer.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use RannohDecrypter created by Kaspersky labs to recover your files for free

Security experts try to keep up with the latest ransomware trends each day. Recently, researchers from Kaspersky presented a free decrypter for CryptXXX, CryptXXX 2.0, and CryptXXX 3.0 versions. To use it for recovering your encrypted files you need to download it from here.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from CryptXXX and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

Removal guides in other languages