What is CryptON ransomware? And how does it carry out its attack?
CryptON ransomware is a file-encrypting virus that marks the files it encrypts with the [email protected] extension. According to security experts, CryptON ransomware is a variant of Nemesis ransomware. Its ransom note is an HTML file in which victims are urged to pay a ransom of between 100 and 1000 US dollars in Bitcoin.
Once it infects a system, CryptON ransomware creates entries in the Windows Registry so that it can launch and suppress processes in the Windows environment. Some entries are also modified so that the crypto-malware is launched automatically at every start of the infected system. After these changes are made, CryptON ransomware begins searching the infected system for its target files, which, according to researchers, are files with the following extensions:
- .PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV
- CAD files: .DWG .DXF
- GIS files: .GPX .KML .KMZ
- .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
- Encoded files: .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
- Audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
- Video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
- 3D: .3DM .3DS .MAX .OBJ
- .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG
During the encryption process, CryptON ransomware uses the AES encryption algorithm to lock the files. After the encryption, it displays its ransom note in an HTML file that states:
“All files are encrypted!
CryptON Ransomware
To decrypt the files you need to purchase special software <>
Restore the data, follow the instructions!
You can learn more / request e-mail:
[email protected]
You can learn more/questions in the chat:
http:// cryptxf3zamy5kfz.tor2web.link (not need Tor)
https:// cryptxf3zamy5kfz.onion.plus (not need Tor)
https://cryptxf3zamy5kfz.onion (need Tor)
You can learn more problem out bitmessage:
https://bitmsg.me/ BM-2cWzhoNFbjQ3X8pULiWSyKhc6dedQ54zQ1
– If the resource is unavailable for a long time to install and use the terms of reference of the browser:
- + Start the Internet-browser
- + Type or copy the address https://www.torproject.org/download/download-easy.html in the address bar of your browser and press key ENTER
- + On the website, you will be prompted to download the Tor browser, download and install it. To work.
- + Connection, click “connect” (using English version)
- + After connecting, open a normal window Tor-browser
- + Type or copy the address https://cryptxf3zamy5kfz.onion in the address bar of Tor-browser and press key ENTER
- + Wait for the download site
// + if you have any problems with installation or usage, please visit the video tutorial https://www.youtube.com/watch?v=gOgh3ABju6Q
Your personal identification ID: [redacted]”
According to the ransom note, you have to download the “special software” to recover your encrypted files, and you can only do so once you pay the ransom. Paying the ransom is not a good idea. The best thing you can do is eliminate CryptON ransomware and find alternative ways to recover your files without paying anything.
How does CryptON ransomware proliferate?
According to security experts, CryptON ransomware proliferates through a payload dropper that runs the malicious scripts of this crypto-virus. This malicious script is currently being spread all over the web. It can also proliferate through spam e-mails, so be careful when downloading any attachments you receive by e-mail.
To eliminate CryptON ransomware from your system, follow the removal steps below.
Step 1: Close the program window of CryptON and press Ctrl + Shift + Esc to launch the Task Manager.
Step 2: Go to Processes, look for the malicious process of CryptON ransomware, right-click it and select End Process or End Task.
Step 3: Close the Task Manager and open Control Panel by pressing the Windows key + R, typing appwiz.cpl and clicking OK or pressing Enter.
Step 4: Look for dubious programs that might be related to CryptON ransomware and uninstall them.
Step 5: Press Win + E to launch File Explorer.
Step 6: In File Explorer, navigate to the directories listed below, look for malicious components of CryptON ransomware and remove them all.
- %TEMP%
- %APPDATA%
- %DESKTOP%
- %USERPROFILE%\Downloads
- C:\ProgramData\local\
Step 7: Close the File Explorer.
Before you proceed to the next steps, make sure that you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any change you make can have a serious impact on your computer. To save you the trouble and time, you can just use [product-name]; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 8: Press Win + R to open Run, type regedit in the field and press Enter to open the Windows Registry Editor.
Step 9: Navigate to the paths listed below and look for the registry keys and sub-keys created by CryptON ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Step 10: Delete the registry keys and sub-keys created by CryptON ransomware.
Step 11: Close the Registry Editor.
Step 12: Empty your Recycle Bin.
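The autorun keys in Step 9 and the drop directories in Step 6 are exactly what a defender should audit before deleting anything by hand. The following PowerShell script is an added example, not part of the original guide or of any product it mentions: it reads the Run and RunOnce keys the guide lists, flags any value whose command line points into one of the listed drop directories, and reports executables sitting in those directories. It is read-only and does not delete registry values or files; the choice of "suspicious" file extensions is an assumption made for this example.

```powershell
# Added example (not from the original guide): audit the autorun keys and
# drop directories the removal steps list. Run in an elevated PowerShell
# session. Nothing is modified; the script only reports.

$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Drop directories named in Step 6, expanded to their real paths and
# normalised to lower case so string comparison is case-insensitive.
$suspectDirs = @(
    $env:TEMP,
    $env:APPDATA,
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:USERPROFILE 'Downloads'),
    'C:\ProgramData\local'
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Test-SuspectPath {
    param([string]$CommandLine)
    # True when the autorun command line references any drop directory.
    $lower = $CommandLine.ToLowerInvariant()
    foreach ($dir in $suspectDirs) {
        if ($lower.Contains($dir)) { return $true }
    }
    return $false
}

foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those.
    $values = $item.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
    foreach ($v in $values) {
        $flag = if (Test-SuspectPath ([string]$v.Value)) { 'SUSPECT' } else { 'ok' }
        '{0,-8} {1} : {2} = {3}' -f $flag, $key, $v.Name, $v.Value
    }
}

# The guide also lists Control Panel\Desktop: ransomware commonly swaps the
# wallpaper for its note, so report the current wallpaper path as well.
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue
if ($desk) { 'Wallpaper: {0}' -f $desk.Wallpaper }

# Finally, list executable-type files present in the drop directories.
# The extension set is an assumption for this example, not from the guide.
$execExtensions = @('.exe', '.dll', '.bat', '.vbs', '.js', '.ps1', '.scr')
foreach ($dir in $suspectDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension.ToLowerInvariant() -in $execExtensions } |
        ForEach-Object { 'Executable in drop dir: {0}' -f $_.FullName }
}
```

A value flagged SUSPECT is worth checking before Step 10, but the flag is a heuristic: legitimate updaters sometimes run from %APPDATA% too, so confirm the file's publisher and hash before deleting the value. The script does not cover HKEY_USERS\.DEFAULT because PowerShell has no HKU: drive by default; add one with New-PSDrive if that hive needs the same check.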
Restore the previous state of your files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if CryptON ransomware has not deleted the shadow copies of your files. Still, it is one of the best free methods available, so it is definitely worth a shot.
To restore an encrypted file, right-click it and select Properties. A new window will pop up; go to the Previous Versions tab, which loads the file’s versions from before it was modified. Once it loads, select any of the previous versions displayed in the list, like the one in the illustration below, then click the Restore button.
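Whether Previous Versions can help at all depends on shadow copies still existing, and checking that once for the whole volume is faster than opening Properties on each file. The PowerShell script below is an added example, not part of the original guide or of any product it mentions: it lists the shadow copies present, stops with a clear message if there are none (the failure mode the paragraph above describes), and otherwise exposes the newest copy as a folder so you can see which files it holds. The folder it inspects, $folderToCheck, is an assumed placeholder; point it at the folder that holds your encrypted files.

```powershell
# Added example (not from the original guide): check for Volume Shadow Copies
# before attempting recovery through Previous Versions. Run elevated.
# Read-only with respect to the shadow copies themselves.

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    'No shadow copies found: Previous Versions cannot recover files on this volume.'
    return
}

# Show what exists, newest first, so you can judge how old the snapshots are.
$shadows |
    Sort-Object InstallDate -Descending |
    Select-Object ID, VolumeName, InstallDate, DeviceObject |
    Format-Table -AutoSize

# Assumed placeholder path inside the volume; change it to your data folder.
$folderToCheck = 'Users\Public\Documents'

# Expose the newest shadow copy as a directory symlink so it can be browsed
# like a normal folder. mklink needs the trailing backslash on DeviceObject.
$newest   = $shadows | Sort-Object InstallDate -Descending | Select-Object -First 1
$linkPath = Join-Path $env:TEMP 'shadow_view'
if (Test-Path $linkPath) { cmd /c rmdir "$linkPath" }
cmd /c mklink /d "$linkPath" "$($newest.DeviceObject)\" | Out-Null

# List the files that the snapshot holds for the chosen folder, with their
# timestamps; anything dated before the infection is a recovery candidate.
Get-ChildItem -Path (Join-Path $linkPath $folderToCheck) -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize

# Remove only the symlink; the shadow copy is left untouched.
cmd /c rmdir "$linkPath"
```

Files can be copied straight out of the shadow_view link with Copy-Item if the Previous Versions tab is missing from the Properties dialog on your Windows edition. Copy them to a clean location rather than over the encrypted originals, so nothing is lost if a snapshot turns out to be from after the encryption started.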
To ensure the removal of CryptON ransomware from your system including the malicious components it has created on your system, follow the advanced steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly so that the Advanced Options menu shows up.
- To navigate the Advanced Options menu use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and the R key.
- If done correctly, the Windows Run box will show up.
- Type the URL [product-url] in the Run dialog box and press Enter or click OK.
- The program will then be downloaded. Wait for the download to finish, then open the launcher to install the program.
- Once the installation is complete, run [product-code] to perform a full system scan.