Severity scale:  

CrySiS ransomware virus. How to remove? (Uninstall guide)

removal by Julie Splinters - - | Type: Ransomware

Main facts regarding Crysis virus

CrySiS virus is a dangerous ransomware that was presented almost half a year ago. Just like any other file-encrypting malware, it can encrypt your files and leave you with no photos, music files, business documents, and similar data. If you are infected and want to decrypt files with CrySis file extension, you can be offered by cyber criminals to pay a ransom that varies from $400 to $1200. However, we do NOT encourage you thinking about this solution as there is no guarantee that it will help you decrypt your blocked files. In any case, brush away the thoughts of paying any money to the hackers as you will only encourage them to continue their crimes [1]. Instead, you should make CrySiS removal your current priority because there is no way that this ransomware will leave your computer peacefully – it is a very aggressive malware that is believed to surpass Teslacrypt virus [2]. Besides, in November 2016, a free decryption tool has been released that can restore encrypted files, so do not even think about wasting your money! However, you need to remove this ransomware before you start the recovery procedure.

After being presented in the beginning of June, the ransomware has been spreading rapidly across the world. It is known that the threat targets a variety of files. It can encode documents, media, spreadsheets, PDFs, etc. After that, it marks each file by changing its format into,,, and However, you should beware of these extensions we well: .CrySis, .locked, .kraken, .darkness, .nochance, .oshit. They are the main signs showing that you are dealing with ransomware. The threat employs AES and RSA algorithms to encode the data. Thus, decrypting the information becomes even a bigger challenge. These encryption algorithms rely on two different keys, the public and the private one. Since they are mathematically interrelated, the only way to decode the files which were locked by public key used is to obtain the private one. However, just like we have mentioned before, free decryption keys have been leaked recently[3], which allowed malware analysts to create an universal Crysis decryption tool.

Once the virus finishes encrypting the files, it demands to pay a considerable amount of money for the private key. Usually, the victims are so desperate about unlocking their files that they decide to pay the ransom in exchange for this key. As we have already said, you should rather consider the ways to remove CrySiS rather than think of making the transaction. Here is the example of a ransom note:

Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key the recovery is impossible! To get the decoder and the original key, you need to write us at the email: with subject “encryption” stating your id.
Do not waste your and our time on empty threats. Responses to letters only appropriate people are not adequate to ignore. P.S. only in case you do not receive a response from the first email address within 48 hours, please use this alternative email

According to the reports of some attacked users, the required amount of money varies from $100 to $700. If you saw such a message on your computer, do not rush to follow the demands. If you are lucky to escape the virus, it does not mean that it will give you the immunity from the future threats. After the virus is completely removed, use the decryption tool presented below this post and consider backing up your most valuable data.

September 2016 update: new CrySiS distribution techniques emerge

A new method which CrySiS ransomware uses to infiltrate computers has been spotted. Currently, it is only said to affect the computers located in Australia and New Zealand, but we can as well expect this technique to spread to the rest of the world. So what has changed exactly? The virus now uses Remote Desktop Protocol (RDP) to infiltrate computers instead of the previously practiced distribution using spam emails and deceptive software updates. This means that to infect a system; the virus should now search the Internet for unprotected RDP channels and connect to them. The computer admin’s password required to do that can be extracted by brute-forcing malicious attacks and finding a crack in the system. What is especially concerning is that after gaining access to the Remote Desktop Protocol, the cyber criminals can install CrySiS not only on the hacked computer but on other devices connected via the same network (printers, routers, NAS, etc.) or even brute-force their way into the nearby computers. This technique is not unprecedented, though. It has been used by the DMA Locker, Apocalypse, and several other ransomware and was proven successful. The ever-developing viruses is yet another reminder of the importance of keeping ourselves protected [4]. It is never too late to ensure your network and devices are properly equipped and ready to withstand malware attacks.

February 2017 update: CrySiS brute-force attacks doubled in January

The TrendMicro research team has revealed some staggering statistics, indicating that Crysis has doubled the number of brute force attacks against corporations and institutions just within the month of January 2017. The parasite which had previously targeted mainly Australia and New Zealand is now expanding to the rest of the world, and the experts keep recording a growing number of attacks in Europe and US. Crysis especially focuses on healthcare institutions and looks for ways to infiltrate their inner networks. In particular, the attacks are carried out by searching for open RDP ports and then identifying whether the devices connected to these networks are some corporate computers. If they find that this is the case, hackers continue the attack and brute-force their way into the targeted computers by cracking the login name and password. Brute-forced RDP attacks are not a new strategy. Unfortunately, there is little chance of recovery after such attacks. Although recently virus researchers have released Crysis decryption keys, the virus developers quickly patched up these vulnerabilities and most of these keys are not obsolete. Thus, the enterprises are urged to backup their data so that they won’t have to pay massive ransoms after their networks get locked by ransomware.

Protect yourself from CrySiS

CrySiS malware infects systems deceptively. Typically, it infiltrates them via an email attachment. Once the virus is in the system, it will immediately start scanning it for the predetermined files which are then encrypted with RSA and AES-128 ciphers. After the encryption, the files become inaccessible. Unfortunately, the victims notice the virus too late when it has already spread its malicious net all across your operating system. CrySiS drops Help_Decrypt_FILES.bmp, Help_Decrypt_FILES.html, Help_Decrypt_FILES.txt files on the computer, in which the cyber criminals give some details about the data recovery process.

It is always easier to prevent CrySiS ransomware attack rather than deal with its consequences after it ravages your operating system. The security experts recommend strengthening the computer’s security, by combining an anti-virus and anti-spyware program, for example, Reimage. First and foremost, it is crucial to obtain a reliable antivirus software and to make sure it is watching your back at all times. Secondly, a powerful firewall may also be useful in stopping the cyber criminals from breaching your network. In relation to this, you should not forget to follow new system updates and install them on time. Finally, you should become security-cautious yourself [5]. Avoid visiting obscure and unreliable file sharing websites. In some cases, CrySiS virus might appear on the computer after you installed a cracked game or surfed highly insecure domain. What is more, refrain from downloading unknown software on your computer. Always check for the software updates on the official websites rather than downloading them from random websites.

Update November 2016. Crysis Master Key leaked on the Internet: now victims can safely decrypt their files for free!

We have some great news for victims of CrySiS ransomware and possibly for all victims infected with XTBL ransomware variants (these viruses typically append [victim’s ID].[email@address].xtbl file extensions to encrypted data). Shockingly, an unknown individual has registered on one security-related Internet forum and shared master keys for all variants of Crysis ransomware. The individual shared keys in the form of a header file, which gives an idea that he or she is very closely related to this ransomware project or even is one of its developers. .XTBL viruses are known to be greedy and ask for enormous ransoms, so we are sure that such news is going to bring a lot of joy for victims who have lost their files in the past. If you are a victim of the Crysis ransomware project, we hope that you still have encoded files on the computer, because malware experts have rapidly used leaked keys to update a Crysis decryptor. You can find its download link in data recovery instructions under this post. Good luck and stay safe!

How can I effectively remove CrySiS?

Regardless of whether you are have already experience in eliminating cyber threats or not, CrySiS virus should be taken seriously. Ransomware viruses are known for interfering with antivirus tools. In other words, the anti-virus application might not work properly. Consequently, there might appear obstacles which hinder successful CrySiS removal. Our team of experts has prepared instructions which should help you tame the virus and initiate the full system scan. But before you do run the scan, make sure that your antivirus and malware removal utilities are updated to their latest version. Otherwise, the software may not be able to detect and delete CrySiS from your system, so the virus will continue rampaging on your computer.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove CrySiS ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall CrySiS ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.

More information about this program can be found in Reimage review.

Manual CrySiS virus Removal Guide:

Remove CrySiS using Safe Mode with Networking

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove CrySiS

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete CrySiS removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove CrySiS using System Restore

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of CrySiS. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that CrySiS removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove CrySiS from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

What you will be offered — as a CrySiS ransomware victim — is to purchase a decryption tool which will supposedly solve all of your problems and recover the files that it has locked. DO NOT do that! With the cyber criminals, you have no guarantees that you will receive the decryption key or that it will be able to decrypt the locked files. You better eliminate the virus from your PC using Reimage and use the data recovery methods provided below to try redeeming at least a small portion of your precious files.

If your files are encrypted by CrySiS, you can use several methods to restore them:

Data Recovery Pro data recovery method

Data Recovery Pro, as the title of this software already suggests, is a program designed to provide the users with professional data recovery service. Though you should not expect a full system recovery, you have nothing to lose. Try out Data Recovery Pro following these guidelines: 

Windows Previous Versions data recovery method

Windows Previous Versions is a system Windows OS offers to the users who want to recover some deleted files, but it may as well work for the data recovery after ransomware attack. This technique is simple. In a short guide below will learn how to restore Windows Previous Versions. NOTE: this method only valid if the System Restore function is enabled. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer data recovery method

The third data recovery method employs ShadowExplorer software and gives ransomware victims a chance to redeem some of their data using Volume Shadow Copies, if, of course, the virus has not deleted them from the computer during the system infiltration. To check if data recovery is possible, follow these steps here:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use Crysis Decryptor

You can recover all your files for free using a special decryption software that has been updated on November 2016 after one stranger leaked Crysis Master keys online. You can download the decryptor here. Make sure you use version because only it is capable of restoring files encrypted by CrySiS. Also remember that you must remove the virus using an anti-malware tool before installing this decryption tool on the system, otherwise it won’t be possible to start the decryption procedure. Once you launch the RakhniDecryptor, click Start and select an encrypted Word, PDF, Excel, image or audio file (DO NOT use a .txt file!) and click Open. Then the decryptor will start system scan and decrypt all of the encrypted files.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from CrySiS and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions


Removal guides in other languages

  • Desperate

    Im literally in crisis with this one… I cannot remove it and it keeps encrypting more and more files!!

  • ZAyn


  • Sicilia

    Finally!!!!!!!! I waited so long! So glad that Ive created a copy on encrypted data and didnt delete it!!