Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Jan 2019

How to remove XCry ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Julie Splinters · Anti-malware specialist

XCry is a new ransomware family that uses blackmail to gain money

XCry ransomware

XCry ransomware is a file locking malware that encrypts all data with the help of AES encryption cryptography and then demands a ransom to be paid for the key. The virus targets documents, .zip, video, audio, picture, databases and appends .xcry7684 file extension after the encoding procedure is complete. XCry virus then performs substantial changes to the system and immediately contacts C&C[1] server that is controlled by malware authors. By doing that, the virus uploads the unique key to the remote server and uploads the ransom note HOW_TO_DECRYPT_FILES.html which explains the situation to the victims. The brief note, hackers urge users to find the encryption key inside the APPDATA folder and send it to funnybtc@airmail.cc to receive further instructions.

 Name XCry 
 Type Ransomware
 Encryption AES
 File extension .xcry7684
 Ransom note HOW_TO_DECRYPT_FILES.htm
 Contact funnybtc@airmail.cc
 Distribution The virus uses typical ransomware distribution techniques, including spam emails, brute force attacks, fake updates, repacked or hacked executables, torrent files, etc.
 Elimination We suggest you use FortectIntego which recognizes the threat as TR/FileCoder.gtsow

Distribution method of XCry ransomware does not differ much from similar malware. Cybercriminals use many different techniques to make users to install the malicious payload themselves and sometimes rely on vulnerabilities or weak passwords. The latter is called brute-forcing and has become more prominent among hackers recently.

The ransom note is relatively short and states the following:

Your files have been encrypted.

To decrypt your files, follow instructions
Open your explorer, in the pathbar, enter %appdata%
Find the file encryption_key and send it to email: funnybtc@airmail.cc
Await payment instructions

The payment amount varies from virus to virus. For example, GandCrab 5.0.4 authors ask as much as $2,400 in Dash or Bitcoin once victims fail to pay the ransom within a predetermined amount of time. Regardless of how much money XCry ransomware developers ask, do not pay them.

Most security researchers advise not to pay the ransom, as bad actors often ignore their victim and never send the decryptor. Therefore, the possibility of being scammed is pretty high. Additionally, it will prove XCry virus authors that ransomware works and they will be motivated to create more sophisticated malware and infect more innocent individuals.

To make sure a full XCry ransomware removal is performed, we recommend using adequate software, such as FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes, although all other security programs that detect[2] the virus should do the job. Do not try to get rid of XCry manually, as you will most likely fail.

Once you remove XCry ransomware, you can proceed with file recovery. Currently, there is no official decryptor created yet, but if you have backups, there should be no problems. Alternatively, you can check third-party software that might be able to save at least some of your data – we prepared all the instructions below.

XCry ransomware virus

Ransomware virus distribution methods

As we already mentioned, most ransomware authors rely on multiple distribution methods to ensure prevalence. While it is impossible to stay away from viruses 100%, there are many prevention steps that can reduce the possibility of infection to a minimum. Experts suggest following these simple tips:[3]

  • Employ reputable security software and keep it up to date;
  • Patch your system as soon as updates are released;
  • Stay away from emails that contain attachments or links, unless you know they are legitimate;
  • When using Remote Desktop Protocol, ensure it with VPN and a strong password;
  • Avoid third-party websites that distribute questionable software or other files;
  • “Cracks” and “Serial generators” can be infected with malware – stay away from them;
  • Prepare some backups for your files regularly;
  • Do not participate in surveys, promotions, “free gifts” scams, and similar;
  • When installing freeware from the internet, always pick Advanced or Custom settings in order to remove unwanted programs before finalizing the installation.

Get rid of XCry ransomware and only then proceed with file recovery

Unfortunately, but retrieving the access to data that was encrypted by XCry virus can be difficult, as no official decryptor is created yet. Nevertheless, you can try alternative data recovery methods – we provide full instructions below, so make sure you check them out. 

To remove XCry ransomware safely, you should use reputable security tools – FortectIntego or SpyHunterCombo Cleaner might be good choices. Be aware that some malware can prevent anti-virus software from working correctly. In such a case, enter Safe mode with Networking as explained below and perform full XCry ransomware removal from there.

If you are not able to get personal files back after you try the third-party software, we suggest you keep a copy of encrypted data and wait till security researchers create an official decryptor. Note – this process might take awhile.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.