CryTekk ransomware (Virus Removal Guide) - Decryption Steps Included
CryTekk virus Removal Guide
What is CryTekk ransomware?
CryTekk ransomware is a virus that not only operates as an extortionist but also tries to direct users to spoofed PayPal payment page
CryTekk ransomware is a file locking virus that is based on HiddenTear open-source project. After the infiltration, malware performs several changes to the system and begins a scan, looking for personal files like pictures, documents, videos, audios, databases, etc. Once located, the cyber threat makes use of AES encryption to encode data and appends .locked file extension. Next, CryTekk ransomware contacts a remote server that is controlled by hackers to send the encryption key and upload a ransom note README.html onto victim's machine. The message from cybercriminals explains what happened to their personal files, and asks users to pay $40 in BTC and contact hackers via CryTekk@protonmail.com. This malware string is poorly written and can be decrypted. However, the “catch” is to make users disclosed their credit card details on a spoofed PayPal page.
| Name | CryTekk ransomware |
| Type | Ransomware |
| Extra element | Phishing via spoofed PayPal page |
| Derivation | HiddenTear |
| Cipher | AES |
| Ransom size | $40 in BTC |
| Ransom note | README.html |
| Contact | CryTekk@protonmail.com |
| Decryptable? | Yes |
| Elimination | Use powerful anti-malware software |
| Damage removal | Make use of FortectIntego |
While combining ransomware functionality with other threats (such as banking trojans, data-stealers,[1] cryptominers, etc.) is not uncommon, CryTekk ransomware authors added a new element that was never used before – phishing. In fact, the size of the ransom makes researchers believe that the main goal is not $40, but the credit card details disclosure, which would be used for unauthorized bank account use or could be sold on the Dark Web.[2]
CryTekk ransomware drops the ransom note that states:
YOUR FILES HAVE BEEN ENCRYPTED!
Dear victim:
Files have been encrypted! and Your computer has been limited!
To unlock your PC you must pay with one of the payment methods provided, we regularly check your activity of your screen and to see if you have paid. Paypal automatically sends us a notification once you've paid. But if it dosen't unlock your PC upon payment contact us
(CryTekk@protonmail.com)Reference Number: CT-[redacted]
When you pay via BTC, send us an email following your REF Number if your PC dosen't unencrypt. Once you pay, Your PC will be decrypted. However if you don't within 14 days we will continue to infect your PC and extract all your data and use it.
Google 'how to buy/pay with bitcoin' if you don't know how. To pay by bitcoin: send $40 to your unique bitcoin address b>[redacted]
PayPal
Buy Now
Along with the usual payment method, CryTekk virus authors offer to pay via the popular payment site PayPal. As soon as victims click on the “Buy Now” button, they are redirected to a quite legit looking site. There, users are asked to enter their credit card details and later personal information, such as name, date of birth, address, phone number, and other data. Once they proceed, a message pops up, claiming that the account restoration was successful.
While it is an obvious scam, it might be entirely believable for those who never encountered a ransomware infection before. Without a doubt, users should remove CryTekk ransomware as soon as possible and ignore criminals. The scheme is merely a trick to disclose valuable personal information and credit card details.
For CryTekk ransomware removal, you should rely on powerful security software. Be aware that not all tools might recognize the threat, so a scan using multiple apps might be needed. After the elimination of the virus, you should scan your machine with FortectIntego in order to restore its functions to the original state.
You can then contact the security researcher Michael Gillespie[3] for free decryption, recover data from backups or try third-party software as a last resort.
Ransomware can be avoided – follow these tips
Regular users usually underestimate the severity of serious cyber infections like ransomware. They ignore advise from experts and expose themselves to various hazards when browsing the web. To their surprise, they find their files locked without a backup available. It is an unfortunate scenario. However, there are several suggestions from industry experts that can decrease the possibility of the infection to a minimum. Follow these simple tips:
- Install anti-malware software with real-time protection feature;
- Keep backups of your files and update them regularly;
- Avoid high-risk websites, such as torrent, file-sharing, cracks, porn, etc.;
- Do not casually open spam email attachments or click on links inside;
- Update your operating system and the software as soon as security updates are released;
- Use ad-block;
- Scan unknown files with such tools like Virus Total;
- Use strong passwords for all your accounts and change them frequently.
Eliminate CryTekk ransomware and only then proceed with file recovery
Before you can recover your files, you need to remove CryTekk ransomware from your machine. As we already mentioned, the malware is not too sophisticated, so the process should not be complicated, as long as you use appropriate security software.
Nevertheless, if there are any troubles with CryTekk ransomware removal, we suggest you enter Safe Mode with Networking and perform a full system scan from there. If you don't have backups, you can contact the security researcher for help or make use of third-party data recovery software. We provide all the instructions below.
Getting rid of CryTekk virus. Follow these steps
Manual removal using Safe Mode
To remove CryTekk virus safely, enter Safe Mode with Networking as explained below:
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove CryTekk using System Restore
Another method that can be used for virus elimination is System Restore:
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
-
Now type rstrui.exe and press Enter again..
-
When a new window shows up, click Next and select your restore point that is prior the infiltration of CryTekk. After doing that, click Next.
-
Now click Yes to start system restore.
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove CryTekk from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by CryTekk, you can use several methods to restore them:
Make use of Data Recovery Pro
This tool was created to recover files that were corrupted or accidentally deleted, although it also saw success in helping ransomware victims to retrieve their data.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by CryTekk ransomware;
- Restore them.
Try using Windows Previous Versions feature to recover files individually
This method can only be useful if System Restore feature was enabled before the infiltration of ransomware.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer may be able to recover all your files
In case CryTekk ransomware failed to remove Shadow Volume Copies, this tool will help you to get all your data back.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Contact Michael Gillespie for assistance.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from CryTekk and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Do not let government spy on you
The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet.
You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.
Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.
Backup files for the later use, in case of the malware attack
Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.
If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.
- ^ Julie Splinters. GandCrab ransomware and Vidar stealer used together for a deadly combo. 2-spyware. Cybersecurity news and articles.
- ^ Brian Stack. Here’s How Much Your Personal Information Is Selling for on the Dark Web. Experian. Credit score experts.
- ^ MalwareHunterTeam. Something new. Twitter. Social network.