Remove Cry128 Ransomware – Best Ransomware Removal Guide

Anyone could help remove the Cry128 ransomware and recover the files encrypted by it? My computer was unfortunately attacked by this ransomware about 6 hours ago and all files encrypted are very important for me. I have searched on the Internet, trying to find an effective solution to decrypt the files but no success. Please give me some practical advice that helps me out.

Has your PC got hit by Cry128 ransomware? Cannot access your data since they have been encrypted by the ransomware?

This article contains the information you need, including guide to remove Cry128 ransomware, methods to restore your data, and helpful tips to prevent you from the re-infection.

For a quick removal of Cry128 ransomware, please click the button below and use the tool downloaded to scan the whole computer system and delete any found threats.


(For Windows XP/7/Vista/8/8.1/10)

What Is Ransomware?

Ransomware is a type of malware that enters a target computer and encrypts the user’s important data for ransom. In the past, ransomware was developed to lock a user’s computer system, but now file encryption is more popular. TeslaCrypt, Locky, Cerber, Spora, CTB Locker and Dharma are some examples of the notable ransomware threats.


Research shows that ransomware attacks have exploded in number in the past year, with businesses and individuals paying more than $1 billion to get their encrypted files back. The ransom ranges from $500 to $2,000, up a bit from the past couple of years. Most ransomware spreads through through social engineering. For example, when users open an infected email attachment or click on a malicious link within an email (usually from an unknown or unsolicited source), they may trigger the downloading of ransomware.

Cry128 Ransomware Information

Cry128, first appeared on the 22nd April 2017, is another variant of CryptON ransomware (other variants including X3M, Nemesis and Cry9). It mainly targets English-speaking users located in Western Europe and North America. Cyber hackers behind this ransomware have developed it to be more sophisticated in the data cryptography. Research shows that Cry128 ransomware uses a combination of AES and RSA encryption to make the victim’s files inaccessible. It first uses the AES-128 encrypting algorithm to encrypt files and then use RSA-1024 algorithm to secure the decryption key.


In most of the time, Cry128 ransomware infects a target computer system via RDP (remote desktop services) brute force attacks, which allows them to log into the victim’s server and execute the ransomware. Sometimes, it is distributed via SPAM emails. The emails may include a single line of text tricking the recipients to open the attached file. Generally, the file has a clever name, such as “invoice”, making the recipients believe the attachment is authentic. Once recipients click the attached file, a Trojan will be automatically downloaded and executed on their computers. Then, the Trojan connects to a specific website and starts to download the Cry128 ransomware on the infected computers.

Once getting installed, Cry128 ransomware will encrypt all file types found on the infected computer. However, to make sure the boot operation and other critical processes are not affected, it will exclude C:Windows, C:Program Files and the user profile folder from the encryption operation. The encryption takes from several minutes to 2-3 hours, depending on the PC power and the number of data stored on the computer. The ransomware will change the names and extensions of the files encrypted as below:

Then, it will display a pop-up ransom note (see the image below) on the desktop and place it in each folder. The ransom note tells the victims that all their files are encrypted and to decrypt the files, they need a private key and decrypt program which is located on a secret server.

ransom note

Then, it will display a pop-up ransom note (see the image below) on the desktop and place it in each folder. The ransom note tells the victims that all their files are encrypted and to decrypt the files, they need a private key and decrypt program which is located on a secret server. Unlike the previous versions of CryptON ransomware, Cry128 provides tor and tor2web links which enable victims to directly access Tor Onion Services without using Tor Browser.  Report shows that, victims are demanded to pay 0.15 BitCoin (about $250 USD) to decrypt their files.


When getting hit by a ransomware, the first thing you think about should be the files recovery. But you know what? Without removing the ransomware completely, your files will soon be encrypted gain after you recover them with effort. Therefore, removal of Cry128 ransomware is the top priority.



Cry128 Ransomware Removal Instruction

At the mention of ransomware removal, you may think of system restore and antivirus program. Indeed, system restore is a Windows feature that can help fix certain types of computer problems, like crashing, blue screen of death, and malware infections. However, Cry128 will delete the system’s restore points upon its installation, so this method cannot be used to delete the ransomware. As the ransomware can hide its traces deep in the system, manual removal is also impractical for general PC users. Therefore, we highly recommend using an advanced anti-malware program to perform the removal of Cry128 ransomware.

Our top pick is: SpyHunter

SpyHunter is an advanced anti-malware program that blocks, detects, and removes many types of malware like Trojans, worms, viruses, browser hijackers, adware, rootkits, keyloggers, ransomware and more from your PC. With the latest technologies, SpyHunter has effectively helped a large number of computer users fix their malware problems. Besides, SpyHunter provides 7X24 online tech support to help users resolve problems that can’t be fixed by the tool automatically. Fore more details about SpyHunter, click here.


To begin with, you need to download and install SpyHunter on your PC.

Click on the button below and save the setup file on your PC.


Locate and double click on the file downloaded and then click the Run button when a dialog box pops up as below.


click run

Select your language and click the OK button.

select language

Click CONTINUE to proceed.

click continue

Click I accept the EULA and Policy and click the INSTALL button.

accept terms and agreements

Wait for the installation of SpyHunter to be completed.


Click the FINISH button when SpyHunter is successfully installed.

click finish


Next, Reboot the computer into Safe Mode with Networking.

Open Start menu, go to Shut down and click Restart


Tap F8 key repeatly before the Windows logo appears. F8 key is to initiate Advanced Boot Options menu.

When the Advanced Boot Options screen appears, select Safe Mode with Networking by using the up and down arrow keys and then hit the Enter key.



Then, run SpyHunter to kill Cry128 ransomware and other existing threats.

Double click the icon of SpyHunter to run it. On its main screen, click the Scan Computer Now button to do a full system scan.

scan computer now

SpyHunter now will start scanning the entire system for any existing threats.

scanning process

When the scanning is done, SpyHunter will show all detected threats, the malicious ransomware, browser hijackers, and other potentially unwanted programs. Click the Fix Threats button and SpyHunter will completely remove all found threats.



Finally, restart the computer and run a system scan once again.

Click the Start menu, go to Shut down and click Restart. Once the Windows has logged in, run SpyHunter and conduct a full system scan again. If there are still any threats detected, remove them. If no threats are detected. Then, proceed to the next step.


* SpyHunter’s free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. In case you cannot remove the ransomware using this tool, please contact the tech support for further help.

How to Perform system restore to remove Cry128 ransomware?

In case that you want to try removing Cry128 via system restore, we offer the detailed steps for you here:

  • Click Start menu and type system restore into the search box. Then, click System Restore from the result list.

restore system_1

  • In the window that appears, select the option of Recommended restore or Choose a different restore point (note: if the ransomware infection occurred earlier than the date of the Recommend restore, you should choose the later option).

restore system-2

  • Then, you’ll be presented with a list of restore points you have created previously. If you want more options, tick the box labelled Show More Restore Points. Then, you can Select an acceptable restore point and click the Next button.

restore system_3

  • Confirm your restore point and click on FinishA dialog box will appear and require you to confirm that you really want to perform system restore. Click Yes button, and then the system restore will begin.

restore system_4

restore system_5

  • Please wait while your Windows files and settings are being restored.

restore system_6

  • After the system restore is completed, please log into your account.

restore system_7

  • Then, you will see a dialog box as below once the desktop loads up. Click on the Close button.

restore system_8


How to Restore Your Files without Paying Ransom?

If you don’t want to pay the ransom, you can try the following methods to restore your files.

Method 1: Use the Backups

The precondition to use this method is that you make a backup of your files before the ransomware attack. If you have, you can easily restore your files from a backup by following the steps below.

1. Click the Start menu, type backup into the search text box and click Backup and Restore from the resulting list.


2. In the popup window, find and click the Restore my files button.

resore my files3. Now you can browse for the file or folder you have recently backed up.

browse for folders

4. You can restore them back to the original location or choose a different place. click Restore and the system will start restoring your files.


Method 2: Use Shadow Volume Copies

Another method is to use Shadow Volume Copies. If the ransomware hasn’t time to delete your shadow copies, and you notice and delete it in the first place, you might be able to restore your files with this method. See the detailed guide here.

Method 3: Use a Decryption Tool

Emsisoft CTO and Malware researcher Fabian Wosar has released a free decrypter for the Cry128 ransomware.You can now decrypt files for free! Visit here.


Tips to Prevent Ransomware Attacks

There is no effective tool to remove all types of ransomware so far, so most victims will have to surrender under the cyber hackers’ menace and pay the ransom when their computers are attacked by ransomware. To avoid the tragedy happen to you, it is very vital that you learn how to prevent ransomware attacks. Here are some tips for you:

  • Make sure your operating system and software patches are up-to-date.
  • Install an effective anti-malware program (Such as SpyHunter) and keep it updated regularly.
  • Only download and install software or browser add-ons that come from trustworthy sources.
  • Don’t open unsolicited email attachments unless you know with absolute certainty they are safe.
  • Do not click suspicious links in email message or on the unfamiliar websites.
  • Uninstall the rarely-used software or plugins so as to avoid malware attack you PC by exploiting the vulnerabilities in them.
  • Try not to click on pop-up ads, banners, and fake security alert messages when browsing the web.
  • Use a pop-up blocker in your web browsers in order to block malicious pop-up ads.

The most important of all – back up all the important files to a drive or USB device that isn’t connected to your computer. This cannot avoid ransomware, but may be able to avoid being threatened by the cyber hackers.

To sum up, Cry128 ransomware is a highly dangerous malware threat that can attack your computer and encrypt your important files in order to demand a ransom. This ransomware uses the combination of AES and RSA encryption to encrypt the files and it is hard for a general user to decrypt these files without a key.

If your computer has been attacked by this ransomware and all your important files have been encrypted by it, you can try following our guides given above to perform the removal of Cry128 ransomware and get your files back.

But it should be noted that, before getting your files back, you should first remove Cry128 ransomware from your device, or else the ransomware will encrypt your files again.

Now you can click the button below to download a professional malware removal tool and then use it to remove the malicious ransomware completely!


Share Button