Crypz Ransomware, a new variant of the CryptXXX ransomware, attacks users’ computers and appends the .crypz extension to their files. The developers of this file-encrypting ransomware have updated their code to version 3.0, and the decryptor created by Kaspersky no longer works. How does this malware spread? Is it possible to recover the encrypted files? Read this article to learn more about Crypz Ransomware.
What is Crypz Ransomware?
Crypz Ransomware, or CryptXXX 3.0, is a variant of the CryptXXX ransomware. (Since then, versions 4 and 5 of CryptXXX have also emerged.) It targets all versions of Windows and encrypts the files found on the infected system, including those on network drives, with RSA-4096 (spelled "RZA4096" in the ransom note). The malware appends the .crypz extension to encrypted files and creates an .HTML file that demands a ransom from the victim. If you open the HTML file, your browser opens a page like the one below:
The text of the page is:
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files?
All of your files were protected by a strong encryption with RZA4096
More information about the en-Xryption keys using RZA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen?
!!! Specially for your PC was generated personal RZA4096 Key , both publik and private.
!!! ALL YOUR FILES were en-Xrypted with the publik key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the privatt key and de-crypt program , which is on our Secret Server
What do I do ?
So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment
Your personal ID: 123456789012
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 – http://gvxtkcbjnslm5vnt.onion.to
2 – http://gvxtkcbjnslm5vnt.onion.cab
3 – http://gvxtkcbjnslm5vnt.onion.city
If for some reasons the addresses are not available, follow these steps:
1 – Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 – After a successful installation, run the browser
3 – Type in the address bar – http://gvxtkcbjnslm5vnt.onion
4 – Follow the instructions on the site
Be sure to copy your personal ID and the instruction link to your notepad not to lose them.
The ransom note tells victims what happened to their machines and how to decrypt their files. If your computer is attacked by this malware and you want to recover important files, you are required to pay 1.2 Bitcoins, which equals about 500 US dollars. Unlike other ransomware, such as Jigsaw, that asks victims to pay within 24 hours, this ransomware gives victims about 90 hours to come up with the money. If you miss the deadline and do not pay, the decryption cost doubles, to 1008 USD. The ransom note contains many hyperlinks provided by the criminals. If you decide to pay the ransom, the following pages may open when you click on those links:
These pages contain instructions on how to buy bitcoins and then use them to buy UltraDecrypter, which is supposed to decrypt your files. However, please NEVER pay the criminals. On the one hand, paying encourages the cybercriminals to continue and to develop more ransomware. On the other hand, you may not receive a private key and decryptor after payment. According to Bleeping Computer, those who have paid the Crypz Ransomware ransom have not been getting the key. See more details in "UltraCrypter not providing Decryption Keys after payment. Launches Help Desk".
The files with the following extensions on the infected machines may be encrypted by Crypz Ransomware:
.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
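As an added triage example (not part of the original article), the following Python script inventories a directory tree for the artefacts described above: files carrying the .crypz extension, grouped by the extension they had before encryption, and HTML files containing phrases from the quoted ransom note. The sample tree it builds is constructed for the demo, and the script assumes the original file name is kept in front of .crypz, as the article's wording "appends" implies.

```python
import os
import tempfile
from collections import Counter

CRYPZ_EXT = ".crypz"  # extension Crypz / CryptXXX 3.0 appends to each encrypted file
# Phrases from the ransom note quoted above; "RZA4096" is the note's own spelling.
NOTE_MARKERS = (b"RZA4096", b"UltraDecrypter", b"Your personal ID")

def scan_for_crypz(root):
    """Return (encrypted_paths, note_paths, counts_by_original_ext) for a tree.
    The original extension is recovered by stripping ".crypz", assuming the
    original file name is kept, as the article's wording "appends" implies."""
    encrypted, notes, by_ext = [], [], Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(CRYPZ_EXT):
                encrypted.append(path)
                original_ext = os.path.splitext(name[:-len(CRYPZ_EXT)])[1].lower()
                by_ext[original_ext or "(none)"] += 1
            elif lower.endswith((".html", ".htm")):
                with open(path, "rb") as fh:  # the first 64 KiB is enough to spot a note
                    head = fh.read(64 * 1024)
                if any(marker in head for marker in NOTE_MARKERS):
                    notes.append(path)
    return sorted(encrypted), sorted(notes), by_ext

def build_sample_tree():
    """Constructed demo tree: nothing is really encrypted, the .crypz files hold
    placeholder bytes and the note text is copied from the article."""
    root = tempfile.mkdtemp(prefix="crypz_triage_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    constructed = {
        os.path.join(docs, "report.docx.crypz"): b"placeholder",
        os.path.join(docs, "budget.xlsx.crypz"): b"placeholder",
        os.path.join(root, "photo.jpg.crypz"): b"placeholder",
        os.path.join(root, "notes.txt"): b"untouched file",
        os.path.join(docs, "index.html"): b"<html><body>ordinary saved page</body></html>",
        os.path.join(root, "ransom_note_placeholder.html"):
            b"<html>All of your files were protected by a strong encryption with RZA4096. "
            b"Your personal ID: 123456789012</html>",
    }
    for path, data in constructed.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root
```

Running scan_for_crypz(build_sample_tree()) reports three encrypted files (one .docx, one .xlsx, one .jpg) and one ransom note, leaving the untouched .txt and the ordinary HTML page out of both lists.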
How does Crypz Ransomware spread?
Generally, ransomware is distributed via spam emails. In addition, CryptXXX 3.0 can also spread via compromised websites and banner advertisements that lead to the Angler exploit kit.
Figure 1. CryptXXX infection vector via Angler EK (Source: trendmicro.com)
If you carelessly click on a malicious advertisement or visit a website that has been compromised, you may be redirected to a site hosting Angler EK, and the ransomware is downloaded by exploiting a vulnerability on the PC. Once it lands on a PC, the first thing it does is check whether it is running in a virtual environment. If it is, it terminates itself. If not, it starts to encrypt files on the PC. The malware runs alongside a watchdog program, which restarts the encryption routine if it detects abnormal system behavior that has stopped the encryption process.
How to decrypt the files encrypted by Crypz Ransomware?
Unfortunately, there is still no effective tool to recover all of the files encrypted by CryptXXX 3.0, due to the strong encryption used by this particular crypto-ransomware. The malware encrypts users’ files using a combination of AES-256 and RSA. To recover the encrypted files, victims have to pay the ransom and obtain a private key and a decryption tool from the cybercriminals. As is typical with ransomware, a private key obtained from the cybercriminals after payment cannot be used on someone else’s encrypted files: even if you share your key with other victims, it will not work on their machines, since a different key is generated for each infection.
Recently, the Trend Micro Ransomware File Decryptor tool has become able to help victims decrypt some of their data, namely DOC, DOCX, XLS, XLSX, PPT and PPTX (common Microsoft Office) files encrypted by Crypz Ransomware. Many people find, however, that decrypting without the private key is a VERY compute-intensive process: the CPU will spike to 99-100%. The time a file needs to decrypt depends mainly on its size, but in general the decryption process takes a long time.
If you want to recover the encrypted files yourself, try the following tools:
Option 1: Use Trend Micro Ransomware File Decryptor
Even though this decryption tool cannot recover all of the files encrypted by Crypz Ransomware, it works for some of them. We strongly suggest that you DO NOT pay the ransom, which only encourages the cybercriminals.
When the file is downloaded, unzip it and then launch RansomwareFileDecryptor.
After you accept the EULA, the tool opens. Follow the step-by-step guide on the screen to perform the file decryption.
Option 2: Restore your files with ShadowExplorer
Crypz Ransomware tries to delete all shadow copies on the infected PC when it is first executed. Some shadow copies may escape the ransomware, though, and those can still be restored using ShadowExplorer.
Here is the guide on how to restore files with ShadowExplorer. Download and install the tool on the computer and then follow the instructions to restore the data.
How to remove Crypz Ransomware from PC and protect your PC from ransomware?
Usually, this malware removes itself from the infected computer after all your files are encrypted, leaving only the messages on how to pay the ransom and a tor.exe file used to transfer your personal private key to the criminals’ servers. If you suspect that other malicious files associated with the ransomware remain on the system, perform a scan of the PC with a powerful anti-malware program.
Use SpyHunter Anti-malware to perform a full scan of your PC
SpyHunter is a powerful anti-malware program that can detect and remove Crypz Ransomware and other infections completely with advanced technology. It can also provide real-time protection for your PC and block malicious threats effectively. After a ransomware infection, run this tool to scan your PC and delete all the detected infections.
Click on the button below to download SpyHunter.
SpyHunter will automatically scan your system once installed. If not, you can click on Scan Computer Now button to start the scanning. (Note: Please update the tool to the latest version and close all running programs and files before scanning the PC.)
When the scanning is completed, you will find all the threats detected on your system in the scan results. Click on Fix Threats button to clear all the threats detected on your PC. Make sure that you have purchased the full version of SpyHunter.
Please note that this tool only removes the infection associated with Crypz Ransomware; it cannot decrypt the encrypted files. You have to use the two tools mentioned above or wait for a more powerful decryption tool to recover the files.
Tips to protect your computer from ransomware threats:
Ransomware like Crypz Ransomware can be distributed via spam emails, malicious websites and clickable ads. Once on a machine, it scans and encrypts files and asks for a ransom. To avoid being attacked by such malware, here are several suggestions:
- Avoid visiting malicious websites or clicking on suspicious ads when viewing web pages.
- DO NOT open attachments or links in emails sent by strangers, or even by friends, if you are not sure about them.
- Keep your system, software and browser plug-ins updated to the latest versions, whether you use them often or not.
- Stop using software for which security patches are no longer released, such as Windows XP and QuickTime for Windows.
- Back up your files stored on the PC regularly in case the machine gets infected or crashes.
- Install an advanced antivirus program on the PC and keep it up-to-date.
The following video offers a complete guide to Crypz Ransomware removal. It is best watched in full-screen mode.