
Wednesday, August 5, 2015

Files Encrypted *.crypt Extension Ransomware Removal Guide

Files with the .crypt extension are encrypted by ransomware from the Ransom:Win32/Troldesh family. In case you are wondering why all your files now have the "CRYPT" file format and you can't open them, I have bad news for you: your computer is infected with ransomware. This particular ransom virus encrypts files and inserts contact information into the file name, for example !____________DESKRYPTEDN81@GMAIL.COM.crypt or ! Cyber criminals give email addresses (yours might be different) and hope that you will contact them to get further information on how to decrypt your files. Thanks to our lives virtually being played out online, cyber criminals have a whole host of people to choose from to scam, phish, extort, scare and wreak havoc upon. They also employ increasingly sophisticated methods to con us out of our data, identity and money. And the myriad of applications, files, tools and programs that we are constantly downloading means they have even more ways to infiltrate our computers.

Why you need to be aware of .crypt ransomware

It is a type of malicious software that you really need to be aware of. Unlike some malware which only has one line of attack, ransomware can have a very real and detrimental effect on you thanks to its modus operandi, which is not only to cause mayhem on your computer and to your files, but also to attempt to extort money from you. So how does this ransom virus infect you, and what does it actually do to you and your computer?

If you ever thought that, as a regular person, you were immune to the horrors of being kidnapped, we hate to break it to you that, while you might not get bundled into the back of a van with blacked-out windows by leather-glove-clad thugs, you do stand a fair chance of being the victim of a virtual kidnapping by way of your PC.

Ransomware's MO

In a nutshell, it infects your computer, encrypts your files, appends the .crypt extension, inserts contact information into the file names, holds your files or data to ransom, and then demands a sum of money from you in exchange for their release.

What will likely happen is that while you're using your computer it will suddenly freeze and an on-screen message will appear telling you that you have been hijacked. And if that wasn't panic-inducing enough, many ransomware programs also make this 'ransom note' look as if it has been sent either by your local police force or even by a government body such as the FBI. Official wording and logos add authenticity, dialling the fear factor up even further. So exactly WHY is the 'FBI' holding your data hostage? The warning will tell you it is because you are guilty of visiting illegal or banned websites, or of viewing or downloading illicit, pirated or sensitive files or content. Once the fine has been paid, the 'FBI' will unfreeze your PC. Of course, your ransom note can be completely different, or the particular variant that you have on your computer may not even have a ransom note. Sometimes an email address in a file name like DESKRYPTEDN81@GMAIL.COM.crypt is more than enough.

Obviously this would cause even the most level-headed among us to at least momentarily panic. Is it possible that you might have accidentally visited a website with dubious content? What about that TV show you downloaded: was that an illegal act? Chances are you don't want to take any risks, or perhaps you have recently looked at an x-rated website and are embarrassed. Should you just pay the fine and be done with it? Absolutely not! Unless, of course, your files are very important and you can't afford to lose them. But it's always a good idea to try a few data recovery tools before paying the ransom.

How do I get my files back?

If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try the Shadow Explorer program or search your computer for previous versions of files. If you are lucky enough, you may find files that were not encrypted and renamed to .crypt. But before restoring your files, please remove the ransomware and related malware files from your computer. Otherwise, you will simply waste your time. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur.

Step 1: Removing .crypt extension ransomware and related malware:

Before restoring your files from shadow copies, make sure the ransomware is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by .crypt extension virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Try the TeslaCrypt Decryption Tool by Cisco. Download the TeslaDecrypt tool and run it.

Method 4: Try the TeslaDecoder Decryption Tool. Download the TeslaDecoder tool and run it.

Method 5: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool works with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
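Before exporting folders from Shadow Explorer it helps to know exactly which folders hold renamed files, whether any files escaped encryption, and which contact address the ransomware embedded in the names. The script below is an added example written for this guide, not a tool from the original post or from any vendor: it walks a directory tree, recognises the naming scheme described above (an optional "!" and underscore padding, an e-mail address, then the .crypt extension), and summarises the result. The directory layout and file names it builds are constructed for the demo; point `inventory()` at a real user profile to use it for triage.

```python
"""Inventory files renamed by .crypt ransomware before restoring them.

Added example for this guide, not part of the original post. The file
naming pattern follows the one described in the guide; the sample tree
built by build_sample_tree() is constructed for demonstration only.
"""
import tempfile
import re
from collections import Counter
from pathlib import Path

# Matches an e-mail address embedded in a file name stem. The ransomware pads
# the address with underscores, so we strip those from the match afterwards.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample paths (relative to a temporary root), not real victims' files.
SAMPLE_FILES = [
    "Documents/!____________DESKRYPTEDN81@GMAIL.COM.crypt",
    "Pictures/!____________DESKRYPTEDN81@GMAIL.COM.crypt",
    "Documents/budget.xlsx.crypt",   # .crypt file with no embedded address
    "Documents/notes.txt",           # file the ransomware did not touch
]


def parse_crypt_name(name):
    """Classify one file name.

    Returns None when the file is not a .crypt file, the lower-cased contact
    address when one is embedded in the name, and "" for a .crypt file that
    carries no address.
    """
    if not name.lower().endswith(".crypt"):
        return None
    stem = name[: -len(".crypt")]
    match = EMAIL_RE.search(stem)
    return match.group(0).strip("_").lower() if match else ""


def inventory(root):
    """Walk root and summarise which files were renamed by the ransomware.

    Returns a dict with:
      encrypted  - number of *.crypt files
      untouched  - number of other files (worth checking before wiping a disk)
      by_contact - Counter of embedded contact addresses ("" = none found)
      dirs       - sorted directories (relative to root) holding encrypted
                   files, i.e. the folders to export from Shadow Explorer
    """
    root = Path(root)
    by_contact = Counter()
    dirs = set()
    encrypted = untouched = 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        contact = parse_crypt_name(path.name)
        if contact is None:
            untouched += 1
            continue
        encrypted += 1
        by_contact[contact] += 1
        dirs.add(str(path.parent.relative_to(root)))
    return {
        "encrypted": encrypted,
        "untouched": untouched,
        "by_contact": by_contact,
        "dirs": sorted(dirs),
    }


def build_sample_tree():
    """Create the constructed sample tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="crypt-demo-"))
    for rel in SAMPLE_FILES:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    result = inventory(build_sample_tree())
    print(f"encrypted files : {result['encrypted']}")
    print(f"untouched files : {result['untouched']}")
    for contact, count in result["by_contact"].most_common():
        print(f"  contact {contact or '(none)'}: {count} file(s)")
    print("folders to export from a shadow copy:", ", ".join(result["dirs"]))
```

Run it on its own to see the summary for the constructed tree; in a real case, run the inventory after Step 1 so the counts reflect a machine on which the ransomware is no longer renaming files, and keep the list of folders handy when you export them in Method 5.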
Andrea Pappina said...

Hi, I have been hit by a ransomware virus. A variant of win32/Kryptik.DYWB.
Now I have all the data files with .crypt like in your removal guide. I have no key.dat and no bitcoin address. Can someone help me? Thanks

Admin said...

Hi Andrea, use Shadow Explorer to recover your files. You can also try Recuva.