Cry36 ransomware is a virus that encrypts files using cryptographic ciphers and is a distinct variant of the CryptOn ransomware. Once your computer is infected, it scans the system folders for important files and encrypts those with specific file extensions. After encrypting the targeted files, it appends a particular string to their names. The appended string contains your ID, the cyber criminals’ email address and a random four-character extension. The new extensions look like the following:
- .id-2559797930_[[email protected]].a97rq;
- .id-1163283255_[[email protected]].aj29p;
- .2271021857_[[email protected]].be87r.
What distinguishes Cry36 ransomware from other CryptOn variants such as Cry128 or Cry9 is that after encryption the encrypted files are 32 bytes larger than their originals. Once the encryption process is complete, the ransomware creates a text file named ###DECRYPT MY FILES ###.txt. The text file contains the ransom note as well as instructions on how to recover the encrypted files. Below are some parts of the ransom note:
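The renaming scheme and the ransom note filename described above are the two indicators a responder can search for on a suspect machine. The following Python script is an added triage example, not code from the original article or from any vendor it mentions: it walks a folder tree, matches the appended string (optional "id-" prefix, numeric ID, attacker email in square brackets, short random extension), groups the hits by victim ID and email, recovers the original filename, and lists any ransom notes it finds. The article describes the random extension as four characters while its three samples have five, so the pattern accepts either (an assumption); the sample filenames, the attacker address attacker@example.invalid and the temporary demo directory are all constructed for the offline run and are not real artefacts. Pointed at a real drive, it can be run over any folder, including the directories listed in Step 5 below.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Appended string as described on the page: optional "id-", a numeric victim ID,
# "_", the attacker e-mail in square brackets, then "." and a short random extension.
# The page says four random characters; its three listed samples have five, so 4-5
# characters are accepted here (assumption, not a confirmed Cry36 property).
CRY36_SUFFIX = re.compile(
    r"\.(?:id-)?(?P<victim_id>\d+)_\[(?P<email>[^\]]+)\]\.(?P<rnd>[a-z0-9]{4,5})$",
    re.IGNORECASE,
)
# Ransom note filename exactly as given on the page.
RANSOM_NOTE = "###DECRYPT MY FILES ###.txt"


def parse_cry36_name(name):
    """Return (original_name, victim_id, email) if the name carries the Cry36 suffix, else None."""
    match = CRY36_SUFFIX.search(name)
    if not match:
        return None
    return name[: match.start()], match.group("victim_id"), match.group("email")


def scan_tree(root):
    """Walk a directory tree and collect Cry36 indicators.

    Returns a dict with:
      "encrypted": {(victim_id, email): [(path, original_name, size_bytes), ...]}
      "notes":     [paths of ransom note files]
    """
    root = Path(root)
    encrypted = defaultdict(list)
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE:
            notes.append(str(path))
            continue
        parsed = parse_cry36_name(path.name)
        if parsed:
            original, victim_id, email = parsed
            encrypted[(victim_id, email)].append((str(path), original, path.stat().st_size))
    return {"encrypted": dict(encrypted), "notes": notes}


def build_sample_tree():
    """Create a constructed demo directory (not real samples) so the scanner can run offline."""
    base = Path(tempfile.mkdtemp(prefix="cry36_demo_"))
    docs = base / "Documents"
    docs.mkdir()
    samples = {
        # Constructed names following the page's pattern; the e-mail is a placeholder.
        "report.docx.id-2559797930_[attacker@example.invalid].a97rq": b"x" * 64,
        "photo.jpg.2271021857_[attacker@example.invalid].be87r": b"y" * 100,
        "notes.txt": b"clean file, must not be flagged",
        RANSOM_NOTE: b"constructed ransom note text",
    }
    for name, content in samples.items():
        (docs / name).write_bytes(content)
    return base


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_tree(demo_root)
    for (victim_id, email), files in result["encrypted"].items():
        print(f"ID {victim_id} / {email}: {len(files)} encrypted file(s)")
        for path, original, size in files:
            print(f"  {path} (was {original}, {size} bytes)")
    print("ransom notes found:", result["notes"])
```

The grouping by (ID, email) matters in practice: a host showing more than one victim ID or attacker address has usually been hit more than once, which changes what a single decryptor or restore point can recover.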
“***ALL YOUR WORK AND PERSONAL FILES HAVE SEEN ENCRYPTED***
To decrypt your files you need to buy the special software. To recover data, follow the instructions! You can find out the details/ask questions in the chat:
https://[EDITED].onion.lo (not need Tor)
https://[EDITED].onion.cab (not need Tor)
https://[EDITED].onion.nu (not need Tor)
You ID: [8 RANDOM CHRACTERS]
[INSTRUCTIONS HOW TO INSTALL THE TOR BROWSER]
// If you have any problems Installing or using, please visit the video tutorial [LINK TO YOUTUBE]”
As you can see, the note does not state the amount of ransom demanded for the decryptor; it instead tells victims to contact the email address provided to get payment instructions. As of this moment, the known email addresses are [email protected], [email protected] and [email protected]. The criminals will demand that you provide your ID when you email them and will then send you links to a .onion website with a chat box used to communicate with them. However, no matter how desperate you are, don’t contact them or give in to their demands. Cyber criminals cannot be trusted, and paying them won’t guarantee the recovery of your files. This article will instead help you get rid of the severe threat that is Cry36 ransomware, and it also describes a way to recover your files without spending money, so continue reading to learn more about this ransomware.
Almost all ransomware infections share the same distribution methods. Some of them may vary parts of their distribution strategy, but in the end it’s all the same. In the case of Cry36, it is usually spread through spam emails carrying corrupted attachments. The attackers have stepped up their spam emails by disguising them as seemingly important messages as bait to pique your curiosity and get you to open and download the attachment. That’s why, if you download attachments from unknown senders, you should scan them first with a reputable antivirus and anti-malware program like SpyRemover Pro to prevent infections like Cry36 from getting into your computer.
As promised, here are the steps you can try to eliminate Cry36 ransomware from your computer as well as how to recover your encrypted files.
Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Go to the Processes tab and look for any suspicious processes that could be related to the Cry36 ransomware. Right-click on each such process, click Open File Location and scan the files using a powerful and trusted antivirus like SpyRemover Pro. After opening their folders, end the processes and delete the folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.
Step 2: Open the Control Panel’s Programs and Features applet by pressing the Windows key + R to launch Run, typing appwiz.cpl in the Run box and clicking OK. Find Cry36 ransomware or any suspicious program and then click Uninstall.
Step 3: Open System Configuration by clicking the Windows button, typing msconfig and pressing Enter. Go to the Startup tab and uncheck items from unknown manufacturers.
Step 4: Open the File Explorer by pressing the Windows key + E.
Step 5: Go to the directories listed below, and to any other directory where you may have saved files related to the Cry36 ransomware, and delete everything in them.
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
- %TEMP%
Step 6: Look for the malicious executable file that could be related to Cry36 ransomware.
Step 7: Right-click on it and click Delete.
Step 8: Empty the Recycle bin.
Step 9: Reboot your computer into Safe Mode with Command Prompt by pressing F8 repeatedly during startup until the Advanced Options menu appears. Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard, then hit Enter.
Step 10: Once the Command Prompt has loaded, type cd restore and hit Enter.
Step 11: After cd restore, type in rstrui.exe and hit Enter.
Step 12: A new window will appear, and then click Next.
Step 13: Select any of the Restore Points on the list and click Next. This will restore your computer to its previous state before being infected with the Cry36 Ransomware.
Step 14: A dialog box will appear, and then click Next.
Step 15: After the system restore process, download SpyRemover Pro to remove any remaining files or residues of the Cry36 Ransomware.
Step 16: Try restoring your encrypted files using Windows Previous Versions feature.
Restoring your encrypted files using Windows’ Previous Versions feature will only work if the Cry36 ransomware hasn’t deleted the shadow copies of your files. Still, it is one of the best free methods available, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties. In the window that opens, go to the Previous Versions tab, which lists the file’s versions from before it was modified. Select one of the previous versions displayed in the list, like the one in the illustration below, and then click the Restore button.