Remove Cr1ptT0r Ransomware Virus (+File Recovery)

How to Remove Cr1ptT0r Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

If you are here, then probably all your files are encrypted!
Decryption keys are available for sale. Individual file decryption is also available. The first file is decoded for FREE to prove that decryption is possible.
The private key used to encrypt files is created on our secure server. Without this key it is impossible to decrypt any file.
The public key (user ID) is stored in each file so that you can match the device with the correct key pair.The only thing needed to restore all the files is any encrypted file sent to us via the instant messenger.
The list of encrypted files is stored on the device in a text file named “_cr1ptt0r_logs.txt”.
Contact us through OpenBazaar chat or one of the following ways:
the tox: AE737ECB916BE24B41543BAD5B24710C5B9DB701592013A6EBBCC0A544931E6145C7D950B82F
bitmessage: the BM-NBcQxmkfyoVxSRE8WJQqEbXw1s63CMEq
If there are any problems with the website OpenBazaar or desktop application, the payment is completed through a messenger.
Customer support is fast and we guarantee full data recovery after payment.
Best wishes from Cr1ptT0r team.

Cr1ptT0r Ransomware is yet another cryptovirus. This menace sneaks into your system and wrecks everything. It alters settings, corrupts essential directories, modifies the registry. The virus spreads its roots around your entire system and starts its malicious processes. This virus follows programming corrupt the user-generated data. The ransomware scans your HDD and detects your files. Pictures, music, databases, presentations, documents, archives. The virus identifies your precious files and locks them with strong encrypting algorithms. Cr1ptT0r Ransomware does not change the name of the corrupted files, neither does it add additional extensions. When it’s done with the encryption, the virus drops two text files (“_FILES_ENCRYPTED_README.txt” and “_cr1ptt0r_support.txt”). The first file lists the hackers’ demands. As for the other: It contains a link which redirects you to a Tor website. This link is supposed to be used in cases when the users don’t know how to proceed with the decryption. The Tor website allows the hackers to execute shell commands, and thus control your browser remotely. Of course, you first need to buy their help. The threat actors demand the astonishing 0.3BTC (about $1200USD). They also offer single-file decryption for $19.99. The hackers give you options. Before you take action, though, bear in mind that these people cannot be trusted. They are cybercriminals who are known for double-crossing their victims. Do not test your luck. Don’t become a sponsored of criminals. Your best course of action is the immediate removal of Cr1ptT0r.

How did I get infected with?

Cr1ptT0r uses vulnerabilities in out-of-date D-Link DNS-320 equipment. The latest firmware update for DNS-320 is from 2016 and since then, it has proven itself to have multiple vulnerabilities and bugs. Hackers often take advantage of such unprotected devices and use them for malicious operations. Cr1ptT0r is just the latest example of how a small vulnerability can cause serious trouble. The Internet is a dangerous place. You can never know where a virus might strike from. So don’t ever let your guard down. The parasites prey on your naivety and carelessness. They succeed when you toss caution to the wind. Do not make their job easier! Even a little extra attention can spare you an avalanche of problems. Keep your software up to date. Download programs and updates from reliable sources only. When available, use the advanced/custom setup option. And be very careful with your inbox. The good old spam messages are still the number one cause of virus infections. Bear in mind, however, that the cause might be the same, but the scheme is different. The crooks no longer rely on malicious attachments. They use them, but they also embed corrupted links. You can infect your PC with just one click. Do not act that recklessly. Threat all unexpected messages as potential threats. Always take a minute to verify the senders!

Why is Cr1ptT0r dangerous?

Cr1ptT0r is a complete and utter menace. It locks your files and prevents you from creating new ones. That’s right! The virus locks everything you save. Your pictures, videos, databases, everything you have is corrupted and unacceptable. Your PC is useless. Well, you can use it to browse the Web, but that is quite limited. You cannot trust your infected device. Even though the hackers behind Cr1ptT0r claim that they are interested in the payments, they don’t guarantee your privacy. Their nasty virus might be spying on you, recording your every move. The virus is a nightmare. It pushes you to pay the ransom. Do not swing into action, though. The threat actors demand Bitcoin. This currency is untraceable. No one can help you get your money back if something goes wrong. And that’s inevitable. Practice shows that the hackers tend to ignore the victims once they receive the payment. There are cases where the victims paid, only to be blackmailed for more. There are also instances where the victims received partly working keys. Do not test your luck. You cannot win a game against hackers. Your best and only course of action is the immediate removal of the virus. Find where Cr1ptT0r lurks and delete it upon detection.

Cr1ptT0r Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Cr1ptT0r Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

• Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
• Locate the process of the ransomware. Have in mind that this is usually a random generated file.
• Before you kill the process, type the name on a text document for later reference.

• Locate any suspicious processes associated with Cr1ptT0r encryption Virus.
• Right click on the process
• Open File Location
• End Process
• Delete the directories with the suspicious files.
• Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

• Open any folder
• Click on “Organize” button
  
• Choose “Folder and Search Options”
• Select the “View” tab
• Select “Show hidden files and folders” option
• Uncheck “Hide protected operating system files”
• Click “Apply” and “OK” button

STEP 3: Locate Cr1ptT0r encryption Virus startup location

• Once the operating system loads press simultaneously the Windows Logo Button and the R key.

• A dialog box should open. Type “Regedit”
• WARNING! be very careful when editing the Microsoft Windows Registry as this may render the system broken.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

• and delete the display Name: [RANDOM]

• Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

• Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

• Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
• Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.