Remove CryptoGod Ransomware

How to Remove CryptoGod Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

Your Personal Files has been Encrypted and Locked
Your documents, photos, databases and othe important files have been encrypted with strongest encryption and locked with unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
Caution: Removing of CryptoGod will not restore access ti your encrypted files.
Frequently Asked Questions
What happened to my files ? understanding the issue
How can i get my files back ? the only way to restore your
What should i do next ? Buy decryption key
Now you have the last chance to decrypt your files.
1. Buy Bitcoin (
2. Send amount of 0.03 BTC to address: 1JC2xyroJXvtFtxW6s5fM89Dke5geqCAep
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at
Click here to restore and recovery your files

is a metal band from Indonesia. It seems to have given cyber crooks some inspiration for their newest infection. The CryptoGod Ransomware is considered to be a variant of MoWare H.F.D. file-encrypting virus which is related to the HiddenTear Ransomware project. Long story short, you’re stuck with one notoriously problematic, aggressive and deceptive program. There is a reason why PC users dread ransomware. Plenty of reasons, actually. Unlike other types of infections that use subtle ways to get your money, ransomware is straightforward. It directly demands that you pay a certain ransom in order to free your files. Yes, the CryptoGod Ransomware encrypts your data. It firstly scans your machine thoroughly and locates the target information. That means the ransomware finds all your photos, music files, documents, presentations, videos. Do you keep backup copies of your files? In the future, you definitely should. The most efficient method to prevent the damage ransomware is capable of, is to protect your data. You have to think in advance and make sure no file-encrypting virus plays mind games with you again. CryptoGod Ransomware uses the complicated AES-256 encrypting algorithm. The parasite renames your files and adds a malicious extension to them. If you see the .payforunlock extension, this is it. Your important, precious data has been encrypted and is no longer accessible. That means you won’t be able to open or view or use any of your files. We assume you have some quite valuable files on your own computer. They get locked as well. In fact, hackers are actively trying to encrypt your most important, favorite files. Ransomware is nothing but a nasty attempt for a scam and you can probably see the pattern already. Thanks to the parasite’s encrypting cipher, your data is unusable. Its default format gets modified so the PC cannot recognize the new format. In addition, CryptoGod Ransomware drops some detailed payment instructions. You will notice the ransom notes in all folders in which some files have been locked. It goes without saying those are indeed a lot of folders. In order to prevent getting involved in a fraud, ignore these malicious messages. Following hackers’ instructions is anything but a good idea.

How did I get infected with?

This nuisance gets executed via an .exe file named  Ricevuta 25-05-2017. How did it end up on your computer? Well, most ransomware infections travel the Web via fake email-attachments. As you could imagine, this is a particularly stealthy technique. All you have to do is be careless enough to open a random email. Voila. If you’re unlucky, you’ll download a various pile of parasites that way. Is clicking anything you receive worth the risk? Instead of letting hackers compromise your safety, delete all suspicious emails/messages. Crooks might present their malware as job applications or other perfectly safe emails. You should know better than to click them open, though. We would recommend that you also avoid unverified websites and/or illegitimate programs. Pay extra close attention to the software you install when it comes bundled. This is yet another famous malware infiltration tactic. Note that file-encrypting programs also use exploit kits and fake torrents to travel the Web. Always be cautious online. It will take you much more time and effort to remove a virus than to prevent installation. Make sure you protect your computer from secretive, harmful programs. Last but not least, keep an eye out for bogus program updates and third-party pop-up ads.

remove CryptoGod

Why is CryptoGod dangerous?

The developers of CryptoGod Ransomware are supposed to free your files after you pay. It’s crystal clear that they have no intention of doing that, though. You see, ransomware allows hackers to gain effortless, illegal profit online. Crooks do offer you a deal but there’s no guarantee they will keep their end of the bargain. Instead, paying could significantly worsen your already bad situation. You may still remain unable to use your files and lose money. The ransom is rather humble – crooks demand 0.03 Bitcoins which equals 77.77 USD at the moment. Unless you make the payment immediately, the ransom is said to increase. What you have to remember is that every single cent crooks gain will be invested in creating more infections. You’d become a sponsor of cyber criminals which is probably not your goal. Forget about the bogus decryptor hackers promise and get rid of the ransomware. Please follow our detailed manual removal guide down below.

CryptoGod Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover CryptoGod Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.


  • Locate any suspicious processes associated with CryptoGod encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate CryptoGod encryption Virus startup location

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

windows system restore

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.

Leave a Comment