
Tuesday, December 17, 2013

Remove HowDecrypt (Cryptorbit) virus and restore encrypted files

Update, Dec. 30, 9:20 a.m. PST: it seems there's a new variant of this file-encrypting ransomware that drops slightly modified HOWDECRYPT.gif and HOWDECRYPT.txt files on infected computers with different instructions on how to recover your files. File decryption now costs ~$50, ten times less than a few weeks ago. The new HOWDECRYPT image is now titled Cryptorbit, so I assume people will use this name to find more information about the infection. The previous variants didn't have any names associated with them; there were only .jpg and .txt files called HOWDECRYPT. One more thing: cyber crooks urge victims to access their Tor page using Tor-to-web services rather than the Tor browser. It's faster, and besides, not everyone knows what Tor is. Everything else is pretty much the same. You can't restore encrypted files without your private key. Your best bet would be to use Shadow Explorer as explained below. We'll post new information about this virus here as soon as we can.

Cryptorbit "Your personal files are encrypted"
A slightly modified guide on how to pay the ransom and restore your files.

12/17/13 - Initial guide creation. One of the most unpleasant forms of malware around at the moment is the HowDecrypt encryption virus, which encrypts your files and demands a $500 USD, 500 EUR or 0.5 Bitcoin ransom in order to get a decrypter. It attacks your computer and seriously limits or totally disables its functions by encrypting your files. It will then attempt to extort money from you so that your files will be usable again.

Usually, ransomware messages and warnings are incredibly realistic looking and are designed to cause as much alarm and distress as possible – hence the term scareware. Probably the best example of such malware would be the FBI ransomware. However, this variant is similar to CryptoLocker ransomware. It will actually encrypt your files instead of just trying to scare you. Usually, files in almost all the folders are encrypted and two files (a howdecrypt.jpeg and howdecrypt.txt) are added to the encrypted folders, explaining how to pay the ransom.

The contents of the HowDecrypt.txt file:
All files including videos, photos and documents on your computer are encrypted.

File Decryption costs ~ $ 500.

In order to decrypt the files, you need to perform the following steps:
1. You should download and install this browser
2. After installation, run the browser and enter the address: 4sfxctgp53imlvzk.onion
3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.
Guaranteed recovery is provided within 10 days.

Your Personal CODE: 00000001-XXXXXXXX

The decryption page is accessible through the Tor anonymity network using the Tor web browser. There's a form where you can enter your code and email and choose how to pay the ransom, either using 0.5 BTC or by submitting a $500 USD / 500 EUR MoneyPak, PaySafeCard, or Ukash voucher. You just need to make a payment and wait for an email with an attached decrypter that you can use to decrypt your files. Cyber crooks state that guaranteed recovery is provided within 10 days. Multiple users have reported that paying cyber crooks to decrypt the files actually does work. However, this is a self-help guide. Use at your own risk. I can't guarantee you anything.

So what should you do if this happens to you? Easy to say, but try not to panic and most definitely do not pay any money unless the encrypted files are very important and you can't afford to lose them. If the encrypted files are not very important or you don't have money to pay the ransom, you can try to restore your files (at least some of them) using Shadow Explorer and the specialized tools listed below.

To remove HowDecrypt and restore encrypted files, please follow the removal guide below. If you have any questions, please leave a comment below. Last, but not least, if there's anything you think I should add or correct, please let me know. It might be a pain but the issue needs to be dealt with – and the way to do it is by not giving in, not paying up and not letting the attackers win.

Written by Michael Kaur

Step 1: Removing HowDecrypt (Cryptorbit) and related malware:

Before restoring your files from shadow copies, make sure HowDecrypt is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by HowDecrypt (Cryptorbit) using Shadow Volume Copies:

Before using Shadow Explorer, you can try to decrypt some of your files using RakhniDecryptor.exe and RectorDecryptor.exe from Kaspersky. These tools might help you, but please note that they were not designed to decrypt the data encrypted by the HowDecrypt virus. However, you can still try them.

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
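The same restore can be scripted when Shadow Explorer is not at hand, for example on a server. The PowerShell below is an added example and is not part of the original guide or of Shadow Explorer; it enumerates the shadow copies of one drive, picks the newest snapshot taken before the infection date and exports one folder from it. It assumes an elevated prompt on Windows Vista or later, and the values of $Drive, $Folder, $Dest and $InfectedOn are assumptions to adjust.

```powershell
# Added example (not from the original guide): list the Volume Shadow Copies of a
# drive and export one folder from the newest snapshot taken before the infection.
# Run from an elevated PowerShell on Windows Vista or later; $Drive, $Folder,
# $Dest and $InfectedOn are assumed values.
$Drive      = 'C:'
$Folder     = 'Users\Alice\Documents'     # relative to the drive root (assumed)
$Dest       = 'D:\Recovered\Documents'    # restore target on another volume (assumed)
$InfectedOn = Get-Date '2013-12-17'       # day the HOWDECRYPT files appeared (assumed)

$volumeId = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$Drive'").DeviceID
$shadows  = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    ForEach-Object {
        [pscustomobject]@{
            Created = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            Device  = $_.DeviceObject     # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Created

# Some variants delete the shadow copies first; report that clearly instead of failing later.
if (-not $shadows) { throw "No shadow copies exist for $Drive; Shadow Explorer will show nothing either." }
$shadows | Format-Table -AutoSize

# A snapshot taken after the infection already contains the encrypted files, so skip those.
$pick = $shadows | Where-Object { $_.Created -lt $InfectedOn } | Select-Object -Last 1
if (-not $pick) { throw "Every snapshot post-dates $InfectedOn; nothing usable to restore from." }

# The snapshot device is not browsable directly; expose it through a directory symlink
# (the trailing backslash on the target is required).
$link = Join-Path $env:SystemDrive 'ShadowLink'
cmd /c mklink /d "$link" "$($pick.Device)\" | Out-Null
try {
    New-Item -ItemType Directory -Force -Path $Dest | Out-Null
    $source = Join-Path (Join-Path $link $Folder) '*'
    Copy-Item -Path $source -Destination $Dest -Recurse -Force
    Write-Host "Restored '$Folder' from the snapshot of $($pick.Created) to $Dest"
} finally {
    cmd /c rmdir "$link" | Out-Null   # removes only the link, never the snapshot
}
```

Run it only after Step 1 has confirmed the malware is gone, otherwise the restored copies are encrypted again.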


Jdgr said...

Hi. My friend contracted this damn thing. Sadly, some of the affected files were not backed up and could not be decrypted by either Kaspersky's or Panda's or a third decryption software we found (the name eludes me now). It seems though, it is not an encryption but a header "destroyer". We applied a generic JPEG repair software to some files and managed to get back not the full JPEGs but at least their thumbnails, which, in my opinion, points away from an encryption. Sadly, so far we haven't found anything to fully restore the files. I would appreciate it if you posted any relevant news to this post. Thanks and enjoy your holidays.

Admin said...


I'm afraid there's no tool to fully restore the files because of the encryption algorithms this malware uses to encrypt the files. Use Shadow Explorer, it's the only tool that actually restores at least some of the files but only if you have your backups in place.

Anonymous said...

I could restore "manually" almost all MS Office 2007 (and above) files, as they are in a zip container. Only the root XML file of the data structure is damaged. You can get it from any clean Office file of the same type.
PDFs can be restored as well by 3rd-party software.
Text and other config files will stay damaged unless you can restore them from a copy.
All other binary files, f.ex. AutoCAD files, are gone forever, as the thing overwrites more than the header and also the "footer" of files.
This is not encryption, as all the crap is the same in all files. It's just destructive overwrite.
Don't contract it. Or make backups.
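The repair described in the comment above can be automated. The PowerShell below is an added example and is not code from the commenter or from the post: it opens the damaged document's zip container through .NET's ZipArchive (which reads the central directory at the end of the file, so it survives an overwritten start), copies every entry whose local header still validates, and takes the unreadable entries from a clean document of the same type. The three paths are assumed values; it needs .NET 4.5 or later (Windows PowerShell 4+).

```powershell
# Added example (not from the post or its commenters): rebuild an Office 2007+
# document whose zip container has a damaged leading entry. Entries that still
# open are kept; those whose local header was overwritten are replaced with the
# same-named entry from a clean document. Paths are assumed values.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$Damaged = 'D:\Recovered\report.docx'         # file touched by the malware (assumed)
$Clean   = 'D:\Templates\blank.docx'          # any intact .docx (assumed)
$Out     = 'D:\Recovered\report-repaired.docx' # must not exist yet (assumed)

$src = [IO.Compression.ZipFile]::OpenRead($Damaged)   # only reads the central directory
$tpl = [IO.Compression.ZipFile]::OpenRead($Clean)
$dst = [IO.Compression.ZipFile]::Open($Out, [IO.Compression.ZipArchiveMode]::Create)
try {
    foreach ($entry in $src.Entries) {
        $stream = $null
        try {
            # Open() validates the entry's local file header; an overwritten one
            # raises InvalidDataException, which is how damaged entries are detected.
            $stream = $entry.Open()
        } catch [System.IO.InvalidDataException] {
            $fallback = $tpl.GetEntry($entry.FullName)
            if (-not $fallback) { Write-Warning "Cannot recover $($entry.FullName)"; continue }
            Write-Warning "$($entry.FullName) is damaged; using the copy from the clean document"
            $stream = $fallback.Open()
        }
        $target = $dst.CreateEntry($entry.FullName).Open()
        $stream.CopyTo($target)
        $target.Dispose(); $stream.Dispose()
    }
} finally {
    $src.Dispose(); $tpl.Dispose(); $dst.Dispose()
}
Write-Host "Wrote $Out; open it in Word to confirm the body text survived"
```

If the overwritten region extends past the first entry into word/document.xml, the body text itself is gone and the rebuilt file will open but be empty, which matches the commenter's remark that only the leading XML part is normally affected.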

Anonymous said...

Hello! How can the malware be deleted? For me it only got blocked, but I don't know how to delete it. The program doesn't offer such a function: delete. Bye. Béla

Marta said...

Hi, would Shadow Explorer also help if I have Windows 2003 Server?
I'm kind of desperate now... :(
Thank you,

Admin said...

Just give it a try Marta. It might help you.

Anonymous said...

Hello! It seems that HowDecrypt does not allow me to download any anti-malware software. After downloading: Security scan - The file ...exe has a virus and got deleted. What shall I do? Many thanks in advance.

Admin said...

Try downloading an anti-malware program in Safe Mode with Networking. Or, if you have another PC, use it to download the anti-malware program, then transfer it to the infected computer using a USB flash drive.

Bernhard said...

You suggest to pay, if the files are important? Any proof that 'they' will restore the files? Any proof that they CAN restore the files? I would not be surprised if the files are just destroyed and nobody will respond - why should they..

Admin said...

Bernhard, as I said, I can't guarantee you anything. If the files are very important and you can't restore them in any other way, then it's your only bet. Some victims said that after paying for decryption they got their files back, but of course we can't be sure that they were not lying. If you have doubts, try searching for comments on other sites and forums.

Anonymous said...

Thank you for providing this helpful information. Can't tell you how much I appreciate it - I wanted to put my fist through a wall when my computer first got infected with this thing. Thankfully, I've always kept a backup of my important documents on a USB flash drive. Once the scan is complete and the virus is removed, would it be best to just delete all of the documents on my computer and then just copy my docs back onto my computer from my flash drive? Is there a way to prevent anything like this from happening again?

Admin said...

You are very welcome! Backups are very important, I keep saying this all the time, good to know you understand this. Yes, once your PC is clean you can simply delete the documents on your computer and transfer copies from the flash drive. Make sure your PC is fully updated and use reputable antivirus software. Free ones are good but I usually recommend Kaspersky and ESET; these are not free but they are really great. I'm using Kaspersky at the moment.

Anonymous said...

The malware also erased my shadow copies, so there was no available date prior to infection in Shadow Explorer; no backup for restore either. I guess the only way to recover the destroyed files is "decrypterfixer"'s program, which only worked for some of my pictures. I think we, who are miserable without backups, need to wait for solutions.

Anonymous said...

One thing not mentioned: the core program seems to exist in a collection of 4 or 5 .DAT files in C:\ProgramData. It does not seem to reinfect from affected files. Also, just to confirm some things stated in the article for the readers: this *will* infect a mounted network drive, and it will place its 'fingerprint' tags wherever it touches files. It seemed to do all its damage all at once, after some delay from infection. Also, the splash screen was never encountered, although a second monitor was rendered a boring gray wall. The '7zip' .docx archive fix works, but only on the file types listed. More proof that backups are the best prevention. Going to simply reimage the system. Will post any updates here.

Anonymous said...

So this terrible thing caught my other computer.
How do I make sure, after doing all you offered, that a computer is clean from HowDecrypt? And if I move the files to another computer, will it be infected as well?
Many thanks...

Admin said...

Run recommended anti-malware tools and they will remove this malware and all the infected files from your computer. I don't think you can remove it manually since it's a rather sophisticated infection.

Manija Omar said...

I have tried using several anti-malware programs to try and detect the virus; however, nothing picks it up. What can I do?

Chizoba Adigwe said...

Hi, I back up my files with Dropbox, but the virus looks like it's also corrupted them, because when I try to access my files via another device, they also seem to be corrupted. Any advice?

Putri Karunia Nazli said...

My important files are in .mov and .aep (After Effects) and decrypterfixer doesn't support those file types. Also, those files are on an external hard disk, and there are no previous versions.

Anyone know how to restore those files? I really need those files. Thanks

Anonymous said...

I have just contracted this nasty malware myself. I back up my files every Monday night to a portable hard drive. These are contained in zip files. I have deleted 'My Documents' completely and want to restore from my backup. I left the drive connected to the machine overnight and it appears to have started trying to encrypt files on the drive as well. The 3 telltale files don't appear in my backup folder where my zip files are. A quick test shows that the zip file restores OK and I've tried a couple of files which appear to open OK. Still not sure if I'm OK to restore from this backup as the drive had obviously been hit by the virus. I'm hoping it overlooks zip files?
If that's the case, I presume I should be OK to do a System Restore and then restore from backup.

I suspect I got this during a request to upgrade Flash Player on Saturday. I suspected I had got a virus/problem soon after and did a manual McAfee scan. It found and treated 2 files but the encryption started 2 nights later!
Just not sure I can entirely trust my backup at the moment, as I used to restore to another isolated machine each week (which currently has a trusted, if 1 week out of date, good copy of my files).

Anonymous said...

I got this on a 3 TB hard drive and lost most everything. Now I'm burning all my files to data CDs because they can't be infected. I know it's a pain, but I also back up to an external drive that is not left connected to any computer except during file transfers AND it's almost never connected to the Internet during transfer. The computer I got this virus on was not used for surfing or anything, only Windows, Adobe, or Java. How in the heck did I get it???

Admin said...

If it was really never used for surfing, then maybe it's already a part of a botnet and the cyber crooks who own it installed this virus using malware that is already installed on your computer, most likely a Trojan downloader.

Anonymous said...

I have found that after getting this virus most of my files still seem to function normally. Checking the McAfee blog, it stated that McAfee users are "protected"; however, I still had DECRYPT files in most of my folders (deleted about 480 files on my own) and received the pop-up(s). I had all of my jpg files on a USB external and they appear to work normally, as well as my email. From my research I found PST files included in the list of files that could be infected; perhaps I am just lucky. Many x.doc files are unusable now though. I ran Malwarebytes and added SpywareBlaster. Neither of them found anything related to CryptoWall that I could tell, so I will look to some of the tools mentioned here.

Dan g said...

Is there a way to restore my laptop back to factory settings and delete everything? My F11 button doesn't allow me to go to that menu.

Anonymous said...

Can you transfer copies of certain emails that have not been encrypted safely to another computer after having been attacked by CryptoLocker 3.0 around July 14th?
I can see the majority of the individual email files either have nothing in them now, or a bunch of unreadable characters, so I know those got it, but there are some that display perfectly fine, so I just want to know if I can save these individually and transfer them to another computer so at least I can save some of my mail??
(There are no shadow copies back far enough to restore them that way, and my backups are also not old enough to help.)
Just want to make sure I can't transfer the Trojan to the new computer before doing this.

Admin said...

Encrypted files and emails are not malicious; you can copy and transfer them to another computer without worrying too much. Although, I would save them in a cloud-based service rather than on another computer.

Admin said...

The same applies to all the files that have not been encrypted.