Remove CrySiS ransomware / virus (Removal Instructions) - updated Jan 2019

Removal guide by Julie Splinters | Type: Ransomware

CrySiS ransomware – a relatively old file locking malware that should not be ignored

Examples of Crysis ransomware

CrySiS is a ransomware virus that was first spotted in March 2016 and is still active today. Since its initial release, the malware has received multiple updates, each changing the file extension and the contact email address. The original version appended the .CrySis extension and dropped How to decrypt your files.txt, which asked victims to pay 2.5 – 3 Bitcoin for file recovery. The newest version, released at the end of December 2018, appends the .bizer extension and asks victims to contact the hackers via the email address given in the ransom note. While most of the older releases are decryptable, the newer versions have not yet been cracked by experts; paying the crooks is not advised in any case.

Name: CrySiS
Type: Ransomware
Related: Dharma ransomware
Encryption algorithm: RSA and AES-128
File extensions: .CrySis, .xtbl, .cobra, and many others
Ransom size: Varies; the original version asked for 2.5 – 3 BTC
Decryptable? Some versions
Removal: Use reputable security software such as Reimage Cleaner, SpyHunter 5 or Combo Cleaner

The best-known versions of the CrySiS virus are Dharma ransomware and Arena ransomware. Because of the similarities between the two, security experts often refer to them together as the CrySiS/Dharma ransomware family.

CrySiS ransomware is designed to encrypt photos, music files, business documents, and similar data using a combination of RSA and AES-128 encryption. In November 2017, the criminals released a new version of the virus known as Cobra ransomware, which appends the .cobra file extension.

Previous versions of the malware locked files with these suffixes:

  • .dharma,
  • .locked,
  • .kraken,
  • .darkness,
  • .nochance,
  • .oshit,
  • .xtbl,
  • .wallet,
  • .wallet.lock,
  • .arena,
  • .java,
  • etc.

Following data encryption, the Arena/CrySiS ransomware delivers a ransom note. Typically, it creates two files: an HTML file that opens automatically on the affected screen, and a TXT file that is placed on the desktop. These files might be called Help_Decrypt_FILES.html, Help_Decrypt_FILES.txt, info.hta, Files encrypted!!.txt, etc. The authors of the malware tell victims to contact them in order to recover their files:

Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key the recovery is impossible! To get the decoder and the original key, you need to write us at the email: with subject “encryption” stating your id.
Do not waste your and our time on empty threats. Responses to letters only appropriate people are not adequate to ignore. P.S. only in case you do not receive a response from the first email address within 48 hours, please use this alternative email

During the evolution of the CrySiS virus, the developers changed the contact email addresses as well. The crooks are known to have used the following emails to communicate with victims:

  • etc.

Security experts do not recommend following the criminals' instructions and paying the ransom.[1] Different versions of the virus demand from 0.5 to 1 Bitcoin for the possibility of restoring encrypted data. However, there is no guarantee that the crooks will keep their promise. Additionally, the original malware, as well as some of its variants, is decryptable. Therefore, paying the ransom is a waste of money.

An image of the CrySiS ransomware virus ransom note
CrySiS ransomware brute-forces its way onto computers by exploiting RDP vulnerabilities, then drops a ransom note demanding payment once the encryption of the infected system is done.
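When triaging an infected machine, the first practical question is which files were touched and by which variant. The extension list and the note file names above, together with the `[victim's ID].[email@address].xtbl` naming scheme described later in this article, are enough to write a small triage scanner. The script below is an added example, not code from the article or from any vendor; the file paths it checks are constructed samples, the victim-ID format is treated as unknown (the matcher only insists on the bracketed email), and the `.java`/`.locked` collision with legitimate extensions is handled by requiring the stripped name to still carry its own extension.

```python
import re
from collections import Counter

# Extensions the article names for CrySiS/Dharma variants (lower case, no dot).
CRYSIS_EXTENSIONS = {
    "crysis", "xtbl", "cobra", "dharma", "locked", "kraken", "darkness",
    "nochance", "oshit", "wallet", "wallet.lock", "arena", "java", "bizer",
}

# Ransom-note file names the article mentions (compared case-insensitively).
RANSOM_NOTE_NAMES = {
    "how to decrypt your files.txt", "help_decrypt_files.html",
    "help_decrypt_files.txt", "info.hta", "files encrypted!!.txt",
}

# "<original name>.<victim ID>.[<email>].<ext>" as described for the .xtbl
# variants. The ID format differs between builds, so that group is permissive;
# the e-mail must sit in square brackets, which ordinary file names never have.
TAGGED_NAME = re.compile(
    r"^(?P<original>.+?)\.(?P<victim_id>[\w-]+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)?)$"
)


def classify(path):
    """Return a dict describing the file if it looks like a CrySiS artefact, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    lower = name.lower()
    if lower in RANSOM_NOTE_NAMES:
        return {"kind": "ransom_note", "path": path}
    m = TAGGED_NAME.match(name)
    if m:
        ext = m["ext"].lower()
        return {
            "kind": "encrypted" if ext in CRYSIS_EXTENSIONS else "suspect",
            "path": path, "original": m["original"], "victim_id": m["victim_id"],
            "email": m["email"].lower(), "ext": ext,
        }
    # The first CrySiS build only appended an extension, with no ID/e-mail tag.
    # Some names in the list (.java, .locked) are also legitimate extensions, so
    # a bare suffix only counts when the remaining name still has its own
    # extension (report.docx.xtbl yes, Main.java no).
    for ext in sorted(CRYSIS_EXTENSIONS, key=len, reverse=True):
        if lower.endswith("." + ext):
            original = name[: -(len(ext) + 1)]
            if "." in original:
                return {"kind": "encrypted", "path": path, "original": original,
                        "victim_id": None, "email": None, "ext": ext}
            return None
    return None


def triage(paths):
    """Summarise a list of paths: what was encrypted, by which variant, and which notes were dropped."""
    report = {"encrypted": [], "suspect": [], "ransom_notes": [],
              "by_ext": Counter(), "by_email": Counter()}
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        if hit["kind"] == "ransom_note":
            report["ransom_notes"].append(hit["path"])
            continue
        report[hit["kind"]].append(hit)
        report["by_ext"][hit["ext"]] += 1
        if hit["email"]:
            report["by_email"][hit["email"]] += 1
    return report


# Constructed sample paths for a self-check; not taken from a real incident.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/report.docx.id-1A2B3C4D.[attacker@example.com].dharma",
    "C:/Users/alice/Pictures/holiday.jpg.id-1A2B3C4D.[attacker@example.com].dharma",
    "C:/Users/alice/Documents/budget.xlsx.1A2B3C4D.[attacker@example.com].xtbl",
    "C:/Users/alice/Documents/notes.txt.CrySis",
    "C:/Users/alice/Documents/archive.zip.id-1A2B3C4D.[attacker@example.com].wallet.lock",
    "C:/Users/alice/Desktop/info.hta",
    "C:/Users/alice/Desktop/Files encrypted!!.txt",
    "C:/Users/alice/src/Main.java",
    "C:/Users/alice/Documents/clean.pdf",
]

if __name__ == "__main__":
    r = triage(SAMPLE_PATHS)
    print(f"{len(r['encrypted'])} encrypted files, {len(r['ransom_notes'])} ransom notes")
    print("by extension:", dict(r["by_ext"]))
    print("contact e-mails seen:", dict(r["by_email"]))
```

The `original` field is what the file was called before encryption, which is what you need to rename files back once a decryptor has processed them; the `by_email` counter tells you which variant (and therefore which decryptor, if any) you are dealing with.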

Before starting data recovery procedure, you have to remove CrySiS ransomware from the PC. It’s necessary because while malware remains on the system, it can easily encrypt new files. Besides, it also makes various changes to the system and makes your computer vulnerable and slow.

For CrySiS removal we recommend using Reimage Cleaner. This malware removal program can quickly and safely terminate malware-related entries on the computer. Of course, you can choose your preferred professional software instead. If you encounter difficulties, follow the guide at the end of the article.

Crysis Master Key leaked: free decryptor is already here!

We have some great news for victims of CrySiS ransomware, and possibly for all victims infected with XTBL ransomware variants (these viruses typically append [victim's ID].[email@address].xtbl file extensions to encrypted data). Shockingly, in November 2016 an unknown individual registered on a security-related Internet forum and shared master keys[2] for all variants of the ransomware.

The individual shared the keys in the form of a header file, which suggests that he or she is very closely related to this ransomware project, or is even one of its developers. .XTBL viruses are known to be greedy and ask for enormous ransoms, so we are sure that this news will bring a lot of joy to victims who have lost their files in the past.

If you are a victim of the Crysis ransomware project, we hope that you still have the encoded files on your computer, because malware experts rapidly used the leaked keys to update a Crysis decryptor.[3] You can find its download link in the data recovery instructions below this post. Good luck and stay safe!

Criminals switched from malicious spam emails to RDP attacks

When Crysis malware first emerged, it was distributed via malicious spam emails that carried an infected attachment. If a victim was tricked into opening it, the malicious payload was dropped on the system.

However, in September 2016,[4] malware researchers reported a new method that CrySiS ransomware uses to infiltrate computers. The virus now uses the Remote Desktop Protocol (RDP) to get onto computers, instead of the previously used distribution via spam emails and deceptive software updates. The first such attacks were spotted in Australia and New Zealand.

This distribution strategy involves scanning the Internet for unprotected RDP services and connecting to them. The administrator password required to log in is obtained by brute-forcing it, or by finding some other crack in the system.

What is especially concerning is that, after gaining access via the Remote Desktop Protocol, the cyber criminals can install CrySiS not only on the hacked computer but also on other devices connected to the same network (printers, routers, NAS, etc.), or even brute-force their way into nearby computers.

This technique is not unprecedented, though. It has been used by DMA Locker, Apocalypse, and several other ransomware families, and has proven successful. The ever-evolving viruses are yet another reminder of the importance of keeping ourselves protected.[5]

CrySiS virus uses RDP for propagation
CrySiS ransomware started using brute-force attacks over RDP in order to infect victims.

Furthermore, in February 2017, the TrendMicro research team[6] revealed some staggering statistics, indicating that Crysis doubled the number of brute-force attacks against corporations and institutions within the month of January 2017 alone.

The parasite, which had previously targeted mainly Australia and New Zealand, is now expanding to the rest of the world, and experts keep recording a growing number of attacks in Europe and the US. The virus especially focuses on healthcare institutions and looks for ways to infiltrate their internal networks. Brazil, Argentina, and Turkey have suffered from the malware the most.

In particular, the attacks are carried out by searching for open RDP ports and then identifying whether the devices behind them are corporate computers. If so, the hackers continue the attack and brute-force their way into the targeted computers by guessing the login name and password.
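A brute-force attack of the kind described above leaves a very recognisable trail on the target: a burst of Windows Security event 4625 (failed logon) records with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, trying several account names, sometimes followed by a 4624 (successful logon) from the same address. The detector below is an added example, not code from the article or from any vendor or tool it mentions; the event records are constructed inline in the shape of those two events (field names follow the event data names `LogonType`, `IpAddress`, `TargetUserName`), and the threshold and window are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` RDP logon failures inside a sliding window.

    `events` are dicts with the fields of Security events 4625 (failed logon) and
    4624 (successful logon): time, id, LogonType, IpAddress, TargetUserName.
    LogonType 10 (RemoteInteractive) is the RDP case; other types are ignored.
    A 4624 from an already-flagged IP is recorded as a possible successful guess,
    which is the case that needs immediate incident response.
    """
    recent = defaultdict(deque)     # ip -> failure times still inside the window
    failures = defaultdict(int)     # ip -> total failures seen
    usernames = defaultdict(set)    # ip -> account names tried
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("LogonType") != 10:
            continue
        ip = ev["IpAddress"]
        if ev["id"] == 4625:
            q = recent[ip]
            q.append(ev["time"])
            while ev["time"] - q[0] > window:      # drop failures older than the window
                q.popleft()
            failures[ip] += 1
            usernames[ip].add(ev["TargetUserName"])
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_failure": q[0], "alert_time": ev["time"],
                              "failures": failures[ip], "usernames": usernames[ip],
                              "success_after": None}
            elif ip in alerts:
                alerts[ip]["failures"] = failures[ip]
        elif ev["id"] == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = (ev["time"], ev["TargetUserName"])
    return alerts


def _event(time, event_id, ip, user, logon_type=10):
    return {"time": time, "id": event_id, "LogonType": logon_type,
            "IpAddress": ip, "TargetUserName": user}


# Constructed sample log (not captured from a real host): one source makes twelve
# guesses in under two minutes and then gets in as "backup"; a second source stops
# after three failures; a console typo (LogonType 2) is not an RDP event at all.
_T0 = datetime(2019, 1, 15, 3, 0, 0)
SAMPLE_EVENTS = (
    [_event(_T0 + timedelta(seconds=7 * i), 4625, "198.51.100.23", user)
     for i, user in enumerate(["administrator", "admin", "backup", "user"] * 3)]
    + [_event(_T0 + timedelta(seconds=110), 4624, "198.51.100.23", "backup")]
    + [_event(_T0 + timedelta(seconds=30 * i), 4625, "203.0.113.5", "admin") for i in range(3)]
    + [_event(_T0 + timedelta(minutes=2), 4625, "10.0.0.5", "alice", logon_type=2)]
)

if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        status = "SUCCESSFUL LOGON FOLLOWED" if a["success_after"] else "failures only"
        print(f"{ip}: {a['failures']} RDP failures, accounts {sorted(a['usernames'])}, {status}")
```

On a real host the same records come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624}`; the point of the sliding window is that three mistyped passwords from an admin look nothing like a hundred guesses per minute against a dozen account names. An alert with `success_after` set means the guessing worked and the host should be isolated rather than merely scanned, and it is also the moment to check whether RDP needed to be reachable from the Internet at all.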

Tips to avoid ransomware attack

In order to avoid ransomware infiltration, users should:[7]

  • Protect their computers with a reliable anti-virus and anti-spyware program.
  • Enable the firewall.
  • Install system and software updates regularly.
  • Always check for software updates on the official websites rather than downloading them from random sites.
  • Not open suspicious emails, especially spam.
  • Avoid visiting obscure and unreliable file sharing websites.
  • Refrain from downloading unknown software onto their computers.

Instructions to remove CrySiS virus

Please, do not try to remove CrySiS ransomware manually. It’s a complex cyber threat that makes numerous changes to the system and might inject malicious code into legit system processes. Therefore, you should rely on reputable security software and let it remove this cyber threat without causing more damage to the system.

For CrySiS removal we recommend using Reimage Cleaner or Malwarebytes. However, obstacles may hinder successful elimination. Our team of experts has therefore prepared instructions which should help you tame the virus and initiate a full system scan. Please check them below.

Before you run the scan, make sure that your antivirus and malware removal utilities are updated to their latest version. Otherwise, the software may not be able to detect and delete CrySiS from your system, and the virus will continue rampaging on your computer.


To remove CrySiS virus, follow these steps:

Remove CrySiS using Safe Mode with Networking

To remove ransomware files with the help of Safe Mode, use a guide provided below:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove CrySiS

    Log in to your infected account and start the browser. Download Reimage Cleaner or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete CrySiS removal.

If the ransomware is blocking Safe Mode with Networking, try the following method.

Remove CrySiS using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of CrySiS. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage Cleaner, scan your computer with it, and make sure that CrySiS removal has completed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove CrySiS from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by security experts below.

As a CrySiS ransomware victim, you may be offered by its developers (i.e. the hackers) a decryption tool which will supposedly solve all of your problems and recover the files that the virus has locked. DO NOT do that! With cyber criminals, you have no guarantee that you will receive the decryption key, or that it will be able to decrypt the locked files. You are better off eliminating the virus from your PC using Reimage Cleaner and then using the data recovery methods provided below to try to recover at least a small portion of your precious files.

If your files are encrypted by CrySiS, you can use several methods to restore them:

Opting for Data Recovery Pro method

Data Recovery Pro can be considered one of the options capable of helping you recover your encrypted data. This program is designed to provide users with a professional data recovery service. To use it properly, follow these guidelines:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by CrySiS ransomware;
  • Restore them.

Using Windows Previous Versions feature

The Windows Previous Versions feature is one of the system features that helps users recover their data after unexpected changes. In this case, you can try using this feature to recover your data after the ransomware attack. NOTE: this method is only valid if System Restore was enabled before the attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer data recovery method

The third data recovery method employs the ShadowExplorer software, which relies on Shadow Volume Copies. With their help, this program can recover damaged files. However, it is really important to check first whether the ransomware has deleted the Shadow Volume Copies. If they are still in place, follow these steps:

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
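Whether Shadow Volume Copies still exist, as the ShadowExplorer method requires, can be checked from an elevated prompt with `vssadmin list shadows` before installing anything. The parser below is an added example, not code from the article or from ShadowExplorer: it reads the tool's output and reports which copies exist for a given drive, so the check can be scripted across many machines after an outbreak. The two sample outputs are constructed (the layout follows vssadmin's usual formatting; the GUIDs and host name are placeholders), and `list_shadow_copies_live()` assumes it is run on Windows with administrative rights.

```python
import platform
import re
import subprocess

# Constructed sample of `vssadmin list shadows` output for a host with one
# shadow copy of C:. Not captured from a real machine; GUIDs are placeholders.
SAMPLE_WITH_SHADOWS = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 1/14/2019 8:05:12 PM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION01
         Service Machine: WORKSTATION01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# Constructed sample of what the tool prints once every shadow copy is gone,
# which is the usual state after a ransomware run.
SAMPLE_NO_SHADOWS = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""

_FIELD = re.compile(
    r"^\s*(Shadow Copy ID|Original Volume|Shadow Copy Volume|Originating Machine):\s*(.+?)\s*$"
)
_CREATED = re.compile(r"creation time:\s*(.+?)\s*$")
_DRIVE = re.compile(r"^\((\w:)\)")


def parse_vssadmin(text):
    """Parse `vssadmin list shadows` output into a list of shadow-copy dicts."""
    copies, created, current = [], None, None
    for line in text.splitlines():
        m = _CREATED.search(line)
        if m:                       # the set header carries the creation time
            created = m.group(1)
            continue
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Shadow Copy ID":
            current = {"id": value, "created": created, "drive": None,
                       "original_volume": None, "device": None, "machine": None}
            copies.append(current)
        elif current is None:
            continue
        elif key == "Original Volume":
            current["original_volume"] = value
            d = _DRIVE.match(value)     # "(C:)\\?\Volume{...}\" -> "C:"
            current["drive"] = d.group(1).upper() if d else None
        elif key == "Shadow Copy Volume":
            current["device"] = value
        elif key == "Originating Machine":
            current["machine"] = value
    return copies


def shadow_copies_for(text, drive="C:"):
    """Shadow copies of one drive letter, oldest first as listed by the tool."""
    return [c for c in parse_vssadmin(text) if c["drive"] == drive.upper()]


def list_shadow_copies_live():
    """Run vssadmin on this Windows host (elevated prompt required) and parse it."""
    if platform.system() != "Windows":
        raise RuntimeError("vssadmin is only available on Windows")
    out = subprocess.run(["vssadmin", "list", "shadows"],
                         capture_output=True, text=True, check=True)
    return parse_vssadmin(out.stdout)


if __name__ == "__main__":
    for label, sample in (("with shadows", SAMPLE_WITH_SHADOWS), ("after deletion", SAMPLE_NO_SHADOWS)):
        hits = shadow_copies_for(sample, "C:")
        print(f"{label}: {len(hits)} copies of C:", [c["created"] for c in hits])
```

An empty result for the drive that held the encrypted data means ShadowExplorer has nothing to work with and the Previous Versions tab will be empty too; in that case move on to the Crysis decryptor or to backups rather than installing more recovery tools. A non-empty result is worth preserving immediately (ransomware that is still running may delete copies it missed the first time), which is one more reason the article insists on removing the malware before any recovery attempt.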

Using Crysis ransomware Decryptor

You can recover all your files for free using special decryption software that was updated in November 2016, after a stranger leaked the Crysis master keys online. You can download the decryptor here. Make sure you use the version provided there, because only it is capable of restoring files encrypted by CrySiS. Also remember that you must remove the virus using an anti-malware tool before installing this decryption tool on the system; otherwise it won't be possible to start the decryption procedure. Once you launch RakhniDecryptor, click Start and select an encrypted Word, PDF, Excel, image or audio file (DO NOT use a .txt file!) and click Open. The decryptor will then start a system scan and decrypt all of the encrypted files.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from CrySiS and other ransomware, use a reputable anti-spyware program such as Reimage Cleaner, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Julie Splinters
Julie Splinters - Malware removal specialist


  1. Desperate says:
    June 2nd, 2016 at 9:11 am

    I'm literally in crisis with this one… I cannot remove it and it keeps encrypting more and more files!!

  2. ZAyn says:
    November 15th, 2016 at 2:36 am


  3. Sicilia says:
    November 15th, 2016 at 2:37 am

    Finally!!!!!!!! I waited so long! So glad that I've created a copy of the encrypted data and didn't delete it!!
