FacebookTwitterLinkedIn

Cryptorbit ransomware virus - removal and decryption options

Also Known As: Cryptorbit ransomware
Damage level: Severe

What is Cryptorbit?

The Cryptorbit ransomware virus infiltrates users' computers using infected email messages and P2P networks. After successful infiltration, this malicious program encrypts files (*.doc, *.docx, *.xls, *.ppt, *.psd, *.pdf, *.eps, *.ai, *.cdr, *.jpg, etc.) stored on users' computers and demands payment of a 0,5 BTC (Bitcoins) ransom in order to decrypt the files.

At time of writing, 0,5 BTC was equivalent to approximately $400 USD. This ransomware is identical to a previous variant named Cryptolocker.

PC users should be aware that, whilst the infection itself is not complicated to remove, decryption of files affected by this malicious program is impossible without paying the ransom. At time of research, no tools or solutions capable of decrypting files encrypted by Cryptorbit were available.

Cryptorbit ransomware virus

Immediately following infection of the user's operating system, this ransomware contacts a command-and-control server and generates a public key used to encrypt the data. After successfully encrypting the detected files, Cryptorbit displays a message (screenshot below) explaining how users may retrieve their files.

Note that the private key, capable of decrypting the files, is stored within Cryptorbit's command-and-control servers, which are managed by cyber criminals. The best way to deal with this ransomware is to eliminate it from your computer and restore the affected files from a backup.

The existence of ransomware infections such as Cryptorbit are a strong argument to maintain regular backups of your stored files. Note that paying the ransom as demanded by Cryptorbit is equivalent to sending your money to cyber criminals - you will support their malicious business model, and moreover, there is no guarantee that your files will be decrypted.

To avoid system infection by ransomware, express caution when opening email messages, since cyber criminals use various catchy titles in order to trick PC users into opening the infected attachments.

Examples include, "Voice Message from Unknown", "Important - attached form", "Payroll Invoice", "New contract agreement", etc. Recent research shows that cyber criminals also use P2P networks in an attempt to trick PC users into downloading Cryptorbit.

Message presented by the Cryptorbit ransomware virus:

Cryptorbit
YOUR PERSONAL FILES ARE ENCRYPTED

All files including videos, photos and documents, etc on your computer are encrypted. Encryption was produced using a unique public key generated for this computer. To decrypt files, you need to obtain the private key. The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files. In order to decrypt the files, open site 4sfxctgp53imlvzk.onion.to/index.php and follow the steps below: 1. You must download and install this browser: torproject.org/projects/torbrowser.html.en 2. After installation, run the browser and enter the address: 4sfxctgp53imlvzk.onion/index.php 3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.

Screenshot of  "Cryptorbit Decryptor":

Cryptorbit decryptor instructions

Note that at time of writing, there were no known tools able to decrypt files encrypted by Cryptorbit. We will update this article as soon as there is more information regarding the decryption of the compromised files.

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Quick menu:

Cryptorbit virus removal:

Step 1

Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer starting process press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced startup options, in the opened "General PC Settings" window select Advanced startup. Click on "Restart now" button. Your computer will now restart into "Advanced Startup options menu".

Click on the "Troubleshoot" button, then click on the "Advanced options" button. In the advanced option screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Step 2

Log in to the account that is infected with Cryptorbit Virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.


If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer starting process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the ransomware virus infiltrating your PC).

select a restore point

6. In the opened window click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Cryptorbit files.

To restore the individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system.

To restore a file, right-click on it, go into Properties and select the Previous Versions tab. If the selected file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by Cryptorbit

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of this ransomware disable Safe Mode, making its removal more complicated. For this step, you require access to another computer.

Other tools known to remove the Cryptorbit ransomware virus:

Frequently Asked Questions (FAQ)

How was my computer hacked and how did hackers encrypt my files?

Victims themselves commonly open ransomware executables, as these files are usually presented as or bundled with ordinary software/media. Malware (ransomware included) is primarily proliferated via drive-by downloads, online scams, spam emails and messages, dubious download channels (e.g., unofficial and freeware websites, P2P sharing networks, etc.), illegal program activation tools ("cracks"), and fake updates.

How to open files encrypted by Cryptorbit ransomware?

Ransomware-encrypted files cannot be opened/used unless they are decrypted.

Where should I look for free decryption tools for Cryptorbit ransomware?

If you have experienced a ransomware infection, we recommend checking out the No More Ransom project website (more information above).

I can pay you a lot of money, can you decrypt files for me?

We do not offer such services. In fact, decryption is rarely possible without the cyber criminals' interference. Therefore, third-parties offering paid decryption are likely scams or aim to act as middlemen between victims and criminals.

Will Combo Cleaner help me remove Cryptorbit ransomware?

Yes, Combo Cleaner can scan computers and eliminate detected ransomware infections. Note that while using an anti-virus is the first step in ransomware recovery - security software is incapable of decrypting files.

▼ Show Discussion

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
Cryptorbit ransomware QR code
Scan this QR code to have an easy access removal guide of Cryptorbit ransomware on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

▼ REMOVE IT NOW
Download Combo Cleaner

Platform: Windows

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.