Severity scale: 99/100

CrySiS ransomware virus. How to remove? (Uninstall guide)

Removal by Julie Splinters | Type: Ransomware

New versions of CrySiS keep emerging

Examples of Crysis ransomware

CrySiS is a ransomware-type virus that emerged in March 2016. Although a decryption tool was released in November, new versions of this crypto-malware continue to emerge. The best-known variant of the virus is Dharma ransomware. Due to their similarities, security experts often refer to these two cyber threats together as the CrySiS/Dharma ransomware family.

CrySiS ransomware is designed to encrypt photos, music files, business documents, and similar data using a combination of RSA and AES-128 encryption. Originally, the virus appended the .Crysis file extension to all targeted data. However, in November 2017, criminals released a new version of the virus known as Cobra ransomware that appends the .cobra file extension.

Previous versions of the malware locked files with these suffixes:

  • .dharma,
  • .locked,
  • .kraken,
  • .darkness,
  • .nochance,
  • .oshit,
  • .xtbl,
  • .wallet,
  • .wallet.lock,
  • .arena,
  • etc.

Following data encryption, CrySiS virus delivers a ransom note. Typically, it creates two files: an HTML file that opens automatically on the affected screen, and a TXT file that is placed on the desktop. These files might be called Help_Decrypt_FILES.html, Help_Decrypt_FILES.txt, info.hta, Files encrypted!!.txt, etc. Authors of the malware tell victims to contact them in order to recover their files:
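As an added example that is not part of the original guide, the following Python script triages a file listing against the extensions and ransom-note file names given above, so a responder can gauge how far an infection has spread before starting recovery. The sample paths are constructed, and the script only reads names; it never modifies files.

```python
import os
from collections import Counter

# Extensions and ransom-note names listed in the guide above (lowercase).
CRYSIS_EXTENSIONS = (
    ".crysis", ".cobra", ".dharma", ".locked", ".kraken", ".darkness",
    ".nochance", ".oshit", ".xtbl", ".wallet", ".wallet.lock", ".arena",
)
RANSOM_NOTE_NAMES = {
    "help_decrypt_files.html", "help_decrypt_files.txt",
    "info.hta", "files encrypted!!.txt",
}

# Constructed sample listing for demonstration, not real telemetry.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.xtbl",
    r"C:\Users\alice\Documents\budget.xlsx.wallet.lock",
    r"C:\Users\alice\Desktop\Help_Decrypt_FILES.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Pictures\holiday.jpg",
]


def classify(path):
    """Return 'ransom_note', 'encrypted' or None for one file path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    for ext in CRYSIS_EXTENSIONS:
        # Require something before the suffix so a bare ".xtbl" is ignored.
        if name.endswith(ext) and len(name) > len(ext):
            return "encrypted"
    return None


def triage(paths):
    """Count encrypted files per extension and collect ransom-note paths."""
    by_ext, notes = Counter(), []
    for path in paths:
        kind = classify(path)
        if kind == "ransom_note":
            notes.append(path)
        elif kind == "encrypted":
            low = path.lower()
            by_ext[next(e for e in CRYSIS_EXTENSIONS if low.endswith(e))] += 1
    return {"encrypted": sum(by_ext.values()),
            "by_extension": dict(by_ext), "ransom_notes": notes}


def scan_tree(root):
    """Walk a directory tree read-only and triage every file found."""
    return triage(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)
```

Run `scan_tree(r"D:\")` against a mounted, offline copy of the affected drive to get the same summary for a real system.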

Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key the recovery is impossible! To get the decoder and the original key, you need to write us at the email: dalailama2015@protonmail.ch with subject “encryption” stating your id.
Do not waste your and our time on empty threats. Responses to letters only appropriate people are not adequate to ignore. P.S. only in case you do not receive a response from the first email address within 48 hours, please use this alternative email goldman0@india.com.

During the evolution of CrySiS, developers changed contact email addresses as well. Crooks are known for using these emails to communicate with victims:

  • Tree_of_life@india.com, 
  • Decryptallfiles@india.com, 
  • Guardware@india.com,
  • mailrepa.lotos@aol.com.CrySiS,
  • cranbery@colorendgrace.com,
  • etc.

Security experts do not recommend following the criminals’ instructions and paying the ransom.[1] Different versions of the virus demand from 0.5 to 1 Bitcoin for the possibility of restoring encrypted data. However, there’s no guarantee that crooks will keep their promise. Additionally, CrySiS, as well as some of its variants, is decryptable. Therefore, paying the ransom is a waste of money.

Before starting the data recovery procedure, you have to remove CrySiS from the PC. This is necessary because while the malware remains on the system, it can easily encrypt new files. Besides, it also makes various changes to the system that leave your computer vulnerable and slow.

For CrySiS removal we recommend using Reimage. This malware removal program can quickly and safely terminate malware-related entries from the computer. Of course, you can choose your preferred professional software too. But if you encounter some difficulties, follow the guide at the end of the article.

Crysis Master Key leaked: free decryptor is already here!

We have some great news for victims of CrySiS ransomware and possibly for all victims infected with XTBL ransomware variants (these viruses typically append [victim's ID].[email@address].xtbl file extensions to encrypted data). Shockingly, in November 2016 an unknown individual registered on a security-related Internet forum and shared master keys[2] for all variants of Crysis ransomware.

The individual shared the keys in the form of a header file, which suggests that he or she is very closely connected to this ransomware project or is even one of its developers. .XTBL viruses are known to be greedy and ask for enormous ransoms, so we are sure that this news is going to bring a lot of joy to victims who have lost their files in the past.

If you are a victim of the Crysis ransomware project, we hope that you still have encoded files on the computer, because malware experts have rapidly used leaked keys to update a Crysis decryptor.[3] You can find its download link in data recovery instructions under this post. Good luck and stay safe!

Criminals switched from malicious spam emails to RDP attacks

When Crysis malware first emerged, it was distributed via malicious spam emails that included an infected attachment. If a victim was tricked into opening it, the malicious payload was dropped on the system.

However, in September 2016,[4] malware researchers reported a new method that CrySiS ransomware uses to infiltrate computers. The virus now uses Remote Desktop Protocol (RDP) to infiltrate computers instead of the previously practiced distribution via spam emails and deceptive software updates. The first attacks were spotted in Australia and New Zealand.

In this distribution strategy, the attackers search the Internet for unprotected RDP endpoints and connect to them. The administrator password required to log in is obtained by brute-force attacks or by finding another weakness in the system.

What is especially concerning is that after gaining access to the Remote Desktop Protocol, the cyber criminals can install CrySiS not only on the hacked computer but on other devices connected via the same network (printers, routers, NAS, etc.) or even brute-force their way into the nearby computers.

This technique is not unprecedented, though. It has been used by DMA Locker, Apocalypse, and several other ransomware families and has proven successful. The ever-developing viruses are yet another reminder of the importance of keeping ourselves protected.[5]

Furthermore, in February 2017, the TrendMicro research team[6] revealed some staggering statistics, indicating that Crysis had doubled the number of brute-force attacks against corporations and institutions within the month of January 2017 alone.

The malware, which had previously targeted mainly Australia and New Zealand, is now expanding to the rest of the world, and experts keep recording a growing number of attacks in Europe and the US. The virus especially focuses on healthcare institutions and looks for ways to infiltrate their internal networks. Brazil, Argentina, and Turkey suffered from the malware the most.

In particular, the attacks are carried out by searching for open RDP ports and then identifying whether the devices connected to these networks are corporate computers. If they find that this is the case, the hackers continue the attack and brute-force their way into the targeted computers by cracking the login name and password.

Tips to avoid ransomware attack

In order to avoid infiltration by the ransomware, users should:[7]

  • Protect their computers with a reliable anti-virus and anti-spyware program.
  • Enable the firewall.
  • Install system and software updates regularly.
  • Always check for the software updates on the official websites rather than downloading them from random sites.
  • Do not open suspicious emails, especially spam.
  • Avoid visiting obscure and unreliable file sharing websites.
  • Refrain from downloading unknown software on your computer.

CrySiS removal instructions

Please, do not try to remove CrySiS ransomware manually. It’s a complex cyber threat that makes numerous changes to the system and might inject malicious code into legit system processes. Therefore, you should rely on reputable security software and let it remove this cyber threat without causing more damage to the system.

For CrySiS removal we recommend using Reimage or Malwarebytes Anti Malware. However, obstacles that hinder successful elimination might appear. Our team of experts has prepared instructions which should help you tame the virus and initiate a full system scan. Please check them below.

Before you run the scan, make sure that your antivirus and malware removal utilities are updated to their latest version. Otherwise, the software may not be able to detect and delete CrySiS from your system, and the virus will continue rampaging on your computer.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove CrySiS ransomware virus you agree to our privacy policy and agreement of use.
What to do if failed?
If you failed to remove the infection using Reimage, submit a question to our support team and provide as many details as possible.
Reimage is recommended to uninstall CrySiS ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.

Manual CrySiS virus Removal Guide:

Remove CrySiS using Safe Mode with Networking

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

Reboot the computer to Safe Mode in order to succeed in automatic ransomware elimination:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove CrySiS

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete CrySiS removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove CrySiS using System Restore


  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point dated before the infiltration of CrySiS. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it, and make sure that CrySiS removal is performed successfully.

Bonus: Recover your data

The guide presented above should help you remove CrySiS from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

What you will be offered — as a CrySiS ransomware victim — is to purchase a decryption tool which will supposedly solve all of your problems and recover the files that it has locked. DO NOT do that! With the cyber criminals, you have no guarantees that you will receive the decryption key or that it will be able to decrypt the locked files. You better eliminate the virus from your PC using Reimage and use the data recovery methods provided below to try redeeming at least a small portion of your precious files.

If your files are encrypted by CrySiS, you can use several methods to restore them:

Data Recovery Pro data recovery method

Data Recovery Pro, as the title of this software already suggests, is a program designed to provide users with a professional data recovery service. Though you should not expect a full system recovery, you have nothing to lose. Try out Data Recovery Pro following these guidelines:

Windows Previous Versions data recovery method

Windows Previous Versions is a feature that the Windows OS offers to users who want to recover deleted files, but it may also work for data recovery after a ransomware attack. This technique is simple. The short guide below explains how to restore files from Windows Previous Versions. NOTE: this method is only valid if the System Restore function is enabled.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

ShadowExplorer data recovery method

The third data recovery method employs ShadowExplorer software and gives ransomware victims a chance to redeem some of their data using Volume Shadow Copies, if, of course, the virus has not deleted them from the computer during the system infiltration. To check if data recovery is possible, follow these steps here:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use Crysis Decryptor

You can recover all your files for free using a special decryption tool that was updated in November 2016 after a stranger leaked the Crysis master keys online. You can download the decryptor here. Make sure you use version 1.17.8.0, because only that version is capable of restoring files encrypted by CrySiS. Also remember that you must remove the virus using an anti-malware tool before installing this decryption tool on the system; otherwise it won't be possible to start the decryption procedure. Once you launch the RakhniDecryptor, click Start, select an encrypted Word, PDF, Excel, image or audio file (DO NOT use a .txt file!) and click Open. The decryptor will then start a system scan and decrypt all of the encrypted files.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from CrySiS and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.


  • Desperate

    I'm literally in crisis with this one… I cannot remove it and it keeps encrypting more and more files!!

  • ZAyn

    THANK YOU!!! I HAVE DECRYPTED ALL MY FILES! OH MY GOD

  • Sicilia

    Finally!!!!!!!! I waited so long! So glad that I've created a copy of the encrypted data and didn't delete it!!