Remove Cry128 Ransomware and Recover Files

How to Remove Cry128 Ransomware?

Cry128 is a member of the CrypON ransomware family. The ransomware infection is probably the most serious one. This virus sneaks into your machine and wrecks havoc. Cry128 used the strong AES-128 encrypting algorithm to lock your files. Typically, it also uses RSA-1024 algorithm to secure the decryption key. It works in complete silence. Once on board, Cry128 will scan your HDD and encrypt all target files. All this will happen in the background. You may not notice it. If you pay close attention to your Task Manager, you may notice some unknown processes or that your CPU load is high. The more files you have, the more time it will take for them to be encrypted. Hence, the better the chance you notice something. If you suspect that something is wrong with your PC, take immediate measures. Cry128 renames the encrypted files. It adds the following extensions: .id__[URL_onion]._ or .id__[URL_onion].63vc4. Thus, if you have a file named example.png, the virus will rename it to . Once the encrypting process is finished, Crypt128 will notify you about its presence. The ransom note is not typical, however. It is not the detailed description one would expect. Instead, the ransom note contains URL addresses where the actual ransom note can be found. Cry128 can encrypt over ninety types of files. The virus keeps your files as hostages and demands ransom. It seeks 0.15 Bitcoins (about 250USD). In exchange, the crooks promise a decryption tool. These people will try to scare you. They want you to act impulsively. Don’t panic! Take your time. Consider the situation carefully. Hackers are not the only ones who work on ransomware. Security researchers developed decryption tools. It is worth the try. Maybe, some free app will be able to remove your problem.

How did I get infected with?

Cry128 is actively spreading since April 2017. To penetrate into your computer, this ransomware uses a Trojan horse. Once you are infected, the Trojan will enable a remote desktop control. Everything else is a piece of cake. The hackers will force the ransomware on your PC. Crooks rely on massive spam email campaigns to distribute their dangerous programs. How many times have you heard not to open emails from strangers? Well, stop doing it already. Trojans can be disguised as anything. Invoices, job applications, great deals, etc. Your computer’s security is your responsibility. Check the sender’s contacts before you open a questionable letter. You can do so by entering the questionable email address into some search engine. If it was used for shady business, someone must have complained. This method is now flawless, so, double check everything. If you received an email from an organization, visit their official website. There, you will be able to find their authorized email addresses. Compare them with the one you have received a letter from. If they don’t match, delete the spam message immediately. Other malware distribution methods include corrupted links and ads, torrents, and fake software updates. Your vigilance can prevent infections. However, don’t neglect your anti-virus software. Keep it up to date.

Remove Cry128

Why is Cry128 dangerous?

This menace demands money for your own files. This fact is rather hard to swallow, isn’t it? You should not accept this. Don’t negotiate with criminals. These people want your money. However, they may not be able to provide a working decryption tool. Be rational. You can’t win a game against crooks. Cry128 has deleted all your system restore points. You can’t use shadow copies to restore your files. After a ransomware attack, there aren’t many things you can do. You can try some of the free decryption tools or discard your data. We recommend against paying the ransom. Whatever you decide, clean your machine first. The file decryption won’t remove the virus itself. If you restore your files without deleting the virus, your newly restored files will be re-encrypted. Don’t risk it. Use a trustworthy anti-virus program and clean your machine. Or follow our guide and do it manually. Don’t waste time. Act now!

Cry128 Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Cry128 Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.


  • Locate any suspicious processes associated with Cry128 encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Cry128 encryption Virus startup location

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

windows system restore

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.

Leave a Comment