Remove CryptXXX Ransomware and Restore the Encrypted Files

CryptXXX attacked my computer today. All of my important data have been encrypted and the hackers asked me to pay 500 for them. Is it possible for me to get my data back without paying the ransom? Please help me. Thanks!

     scan icon  Scan your computer system with SpyHunter to detect CryptXXX ransomware right now!

It must be a big trouble to get infected by ransomware, since ransomware can stop you from using your PC or accessing your important data until you pay for “ransom”. There are different variants of ransomware which generally can be divided into two categories: the Crypto ransomware and non-Crypto ransomware. Usually, the former encrypts your important data, while the latter locks your computer. But they have one thing in common – demand you to pay a “ransom” to regain access to your computer or data.

In this article, we are going to talk about a Crypto ransomware called CryptXXX. If your computer has been unforunately infected by this ransomware and you are looking for guides to remove this threat from your PC, then you can continue reading.

Threat Details

Name CryptXXX
Category Crypto Ransomware
Threat Level High
First Released in April, 2016
Latest Version CryptXXX 3.0
Spreading Ways Spam emails; Exploit kits
Target OS Types Windows XP, Windows7, WindowsVista, Windows 8, Windows 10
Main Behaviors Encrypt files; Display ransom note

CryptXXX is another strain of ransomware which was first found by ProofPoint in the middle of Apirl 2016. Security experts say this ransomware spreads via web pages that host the Angler exploit kit which takes advantage of vulnerabilities to push the Bedep click-fraud malware on the users’ computer systems. Bedep has the capability of downloading malware, so it will download the CryptXXX ransomware as a second-stage infection, dropping it as a delayed execution DLL and setting to wait 62 minutes before launching.

ProofPoint researchers believe that CryptXXX was developed by the same cybercrime gang who conducted the Reveton ransomware campaign in 2012, since they see similarities between CryptXXX and the older Reveton ransomware. The similarities inlcude: coded in Delphi; use a custom C&C protocol on TCP 443; use a delayed start; DLLs are named with a custom entry function; the directory of %AllUsersProfile% contains a .dat file; has the capability of stealing Bitcoins and credential.

After getting installed and executed, CryptXXX scans all the local hard drives, removable drives, and mapped drives for targeted file types and encrypt them after it attacks your computer. The ransomware searches for and encrypts files with the following extensions:

.MP3, .MP4, .MPA, .MPG, .MS11, .MSI, .MYD, .MYI, .NEF, .NOTE, .OBJ, .ASC, .ASF, .ASM, .ASP, .ASPX, .CLASS, .CMD, .CPP, .CRT, .CS, .CSR, .CSS, .CSV, .CUE, .DB, .DBF, .DCH, .DCU, .DDS, .3DM, .3DS, .3G2, .AIF, .APK, .APP, .3GP, .7Z, .ACCDB, .AES, .AI, .DIF, .DIP, .DJV, .DJVU, .DOC, .GPX, .GZ, .H, .H, .HTM, .HTML, .HWP, .IBD, .IBOOKS, .IFF, .INDD, .JAR, .JAVA, .JKS, .JPG, .JS, .JSP, .KEY, .KML, .KMZ, .LAY, .LAY6, .LDF, .LUA, .M, .M3U, .M4A, .M4V, .MAX, .MDB, .MDF, .MFD, .MID, .MKV, .MML, .MOV, .ODB, .ODG, .ODP, .FRM, .SLDX, .SLK, .SLN, .SQL, .SQLITE, .SQLITE, .RAR, .RAW, .RM, .ASX, .AVI, .BMP, .BRD, .BZ2, .C, .CER, .CFG, .CFM, .CGI, .CGM, .RSS, .SXM, .SXW, .ODS,.ARC, .DOCB, .DOCM, .DOCX, .DOT, .DOTM, .DOTX, .DTD, .DWG, .DXF, .EML, .EPS, .FDB, .FLA, .FLV, .TAR, .XLTM, .XLTX, .XLW, .XML, .YUV,.ZIP, .ZIPX, .SRT, .STC, .STD, .TBK, .TEX, .TGA, .TGZ, .THM, .TIF, .TIFF, .TLB, .TMP, .TXT, .UOP, .UOT, .VB, .VBS, .VCF, .VCXPRO, .VDI, .VMDK, .VMX, .VOB, .WAV, .WKS, .WMA, .WMV, .WPD, .WPS, .WSF, .XCODEPROJ, .XHTML, .XLC, .XLM, .XLR, .XLS, .XLSB, .XLSM, .XLSX, .XLT, .GADGET, .GBK, .GBR, .GED, .GIF, .GPG, .ODT, .OTG, .OTP, .OTS, .OTT, .P12, .PAGES, .PAQ, .PAS, .PCT, .PDB, .PDF, .PEM, .PHP, .PIF, .PL, .PLUGIN, .PNG, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PPT, .PPTM, .PPTX, .PRF, .PRIV, .PRIVAT, .PS, .PSD, .PSPIMAGE, .RTF, .SCH, .SDF, .SH, .SITX, .STI, .STW, .SVG, .SWF, .SXC, .SXD, .SXI, .PY, .QCOW2, .RA

 

Having finished the encryption, the ransomware will create a text file, an image and an HTML webpage on the infected computer. The image is set as the desktop wallpaper; the HTML webpage is opened in a browser; while the text file is palced in the hard drive. They are all created to imform you that your files are encrypted by a strong encryption with RSA4096 and you have to make a payment for the private key and the decrypt program in order to get all your files back.

Screenshot of the text file

text file

Screenshot of the desktop wallpaper and HTML webpage

desktop wallpaper and html webspage

By clicking the link provided in the HTML webpage, you will see a new page with multi-language support as shown below:

cryptxxx-ransomware ransom note

 

 

This page informs that your files are encrypted and to get the key to decrypt files you have to pay 500USD. If payment is not made before the specific time, the cost of the decrypting files will increase 2 times, namely you need to pay 1000 USD. You can directly make the payment on this page. It provides details on how to make the payment, how to download and use the decrypter use and also allows you to try decrypting one file for free before the payment. There is even the FAQ page that lists a series of questions and answers which may be helpful for you.

Should You Pay the Ransom?

Generally, it is not suggested to pay the ransom. Here are some reasons:

  1. By paying the ransom, you just encourage the cyber criminals to continue creating ransomware like CryptXXX to infect more computers and extort more money from the innocent computer users.
  2. There is no guarantee that paying the ransom will give you access to your files again. Paying the ransom could also make you a target for more malware.
  3. It is possible to decrypt files encrypted by the ransomware by using a decryption tool created by Kaspersky.

Surely, if you think the decrypted files are very important to you, so that you don’t allow anything to go wrong, then you can try making payment for the decrypter provided by the ransomware developers and see whether they will keep their promise.

What Should You Do after Being Attacked by a Crypto Ransomware?

Once you find that your PC has been attacked by a ransomware, the first thing you need to do is to disconnect the Internet so as to prevent the ransomware from downloading other types of malware on your PC. Then, you should identify the type of ransomware. You can take down the basic content of the ransom note and then search on Google using your phone or another healthy computer. You may find information about the ransomware, including its name, characteristics and others. Next, make a copy of your hard drive. If a free decryption tool is developed, you can try encrypting the encrypted files without worring the files would be damaged for unexpected reason. Afterwards, restart your PC into the Safe Mode and try using your antivirus program or any other more powerful malware removal tool to remove the ransomware. In case you want to pay the ransom, you’d better save a copy of the ransom note.

How to Remove CryptXXX Ransomware from Your PC?

If your computer has got infected by the ransomware, you should quickly remove it in order to avoid other unwanted problems. There are methods for you to remove this threat: 1. Remove it with a powerful malware removal tool. 2. Perform a system restore. Here are the guides:

arrow-right-iconRemove CryptXXX Ransomware by Using SpyHunter.

What Is SpyHunter?
SpyHunter is a powerful anti-malware program developed by Enigma Software Group USA LLC. With the advanced features, this program can provide the highest level of protection against the latest computer threats. SpyHunter is able to detect and clean many types of malware like viruses, rogue antivirus programs, ransomware, and fix other security related issues effectively.

 

Now you can follow these steps to remove the ransomware with SpyHunter:

» Use a healthy computer to download SpyHunter-installer.exe.
spyhunter-download-button
» Copy the downloaded file to the infected computer. Double-click the downloaded file to start installing SpyHunter on your PC.
SpyHunter-shortcut» When a dialog box pops up as below, click the Run button.

Open-SpyHunter-Installer.exe-file

» Select your language and click OK button.

select your language

» Click CONTINUE to proceed.

continue1

» Click I accept the EULA and Policy and click the INSTALL button.

Accept-the-EULA-and-Privacy-Policy1

» Now you can see that SpyHunter is being installed on your PC.

SpyHunter-is-installing1

» Once SpyHunter is successfully installed on your PC, click the EXIT button.

click-exit

» Then, boot your PC into the Safe Mode. After you access the desktop, double click the icon of SpyHunter to launch  it. On its main screen, click the Scan Computer Now button to do a full system scan.

scan-computer-now

» SpyHunter now will start scanning the whole system for any existing threats.

screen_scanner

» When the scanning is done, SpyHunter will show you all detected threats. Click  the Fix Threats button if you want to remove all found threats.

fix threats

Warm tips: If you are using the free version of SpyHunter, you need to first upgrade it to the registered version before you can fix the threats completely.

arrow-right-iconRemove Cryptxxx Ransomware by Performing System Restore

Generally, performing system restore can help fix the malware issues. However, this method doesn’t always work. If the ransomware has infected the restore points, it is almost impossible to clean out this threat from your PC. But anyhow you can have a try. Now follow the steps below.

Windows7 iconFor Windows 7/Vista:

  • Click Start menu and enter system restore into the search box. Then, click System Restore from the result list.

restore system_1

  • In the popup window, select the option of Recommended restore or Choose a different restore point (if the malware infection occurred earlier than the date of the Recommend restore , you need to choose the later option).

restore system-2

  • Then, you’ll be presented with a list of restore points you have created previously. If you want more options, check Show More Restore Points. Then, you can Select an acceptable restore point and click Next.

restore system_3

  • Confirm your restore point and click on FinishA dialog box will pop up and ask you to confirm that you really want to perform a system restore. If you’re sure to do so, click Yes. This will start the system restore.

restore system_4

restore system_5

  • Please wait while your Windows files and settings are being restored.

restore system_6

  • After the System Restore completes, please log into your account.

restore system_7

  • Then, you will see a dialog box as below once the desktop loads up.

restore system_8

windows_xp For Windows XP:

  • Log on to Windows as an administrator. And then click the Start button > All Programs > Accessories > System Tools, and then click System Restore.

windowsxp_system_restore_1

  • The Welcome to System Restore page will pop up as below. Select the Restore my computer to an earlier time option, and then click Next.

windowsxp_system_restore_2

  • The Select a Restore Point page will appear. Choose a bold date on the calender and select a proper system restore point in the On this list, click a restore point list, and then click Next.

windowsxp_system_restore_3

  • A System Restore message may appear that lists configuration changes that System Restore will make. Then, click OK.
  • After the System Restore completes, your computer will be rebooted, and you will see a screen that contains information confirming that the system restore has been successfully done.

Windows8 iconFor Windows 8:

  • Right click the bottom left corner of your computer screen, and click Control Panel.

Control Panel

  • Locate view by and select Category. Find and click System and Security and then click System. In the open window, find and click on Advanced system settings.

restore system windows8_1

  • A small window will pop up. Under system Protection tab, click on System Restore.

restore system windows8_2

  • Then click Choose a different restore point.

restore system windows8_3

  • Now select a restore point and click Next.

restore system windows8_4

  • Click Finish.

restore system windows8_5

  • Click OK when a small dialog box appears. Then the System Restore will start.

restore system windows8_6

  • When the System Restore is done, your computer will be restarted itself. Then, you will receive a message as shown below on your desktop. Click Close.

restore system windows8_6


How to Decrypt and Restore the Encrypted Files?

Once you have successfully removed the ransomware, you can try decrypting and restore the files encrypted by the ransomware. We are not sure that all the methods introduced below are helpful. But you still can have a try before you make the payment.

Method 1: Decrypt the Files by Using Kaspersky’s RannohDecryptor

Kaspersky Labs has developed a decryption tool to decrypt files encrypted by CryptXXX. But unforunately, this tool is only effective when your computer gets infected by the CryptXXX versions 1.0 and 2.0. The version 3.0 of the ransomware has been added new capabilities including network share encryption, which makes it ineffective for the decryption tool to decrypt the files.If your computer is attacked by the latest version of the ransomware, you have to wait and see if Kaspersky can update their decryptor.

Download link for Kaspersky’s RannohDecryptor:

http://media.kaspersky.com/utilities/VirusUtilities/EN/rannohdecryptor.exe

Visit here to learn how to decrypt files with RannohDecryptor:

http://betanews.com/2016/04/27/remove-cryptxxx-ransomware

Method 2: Use File Recovery Software

If Kaspersky’s decryption tool cannot help you, then you can try using the following file recovery software to recover some of your original files:

Method 3: Use Shadow Volume Copies

See how to easily restore your deleted or modified files using Shadow Copies.

Method 4: Backups

If you luckily have a backup of the encrypted files, then you can restore them easily. Check here to learn how to restore files from a backup.

Have you successfully remove the ransomware and restored your files? If your answer is yes, then congratulation to you! If not, don’t be upset. There is always a way. Maybe Kaspersky’s new decryption tool will be released tomorrow. But no matter your problems have been solved or not, don’t forget to safeguard your PC with a reliable anti-malware program so as to avoid future infection. A simple action will save you much trouble. It is highly recommended that you install SpyHunter on your PC. It can not only help protect your PC from malware attacks, but also detect and clean all types of threats from your system. Click the button to download this tool on your PC right now!

Downloadspy

 

Attention:

The following video offers a complete guide for CryptXXX Ransomware removal. You’d better watch it in full-screen mode!

Share Button