Written by Tomas Meskauskas
Damage level: Severe
Cryptorbit "Your personal files are encrypted!" removal instructions
What is Cryptorbit?
The Cryptorbit ransomware virus infiltrates users' computers through infected email messages and P2P networks. After successful infiltration, this malicious program encrypts files (*.doc, *.docx, *.xls, *.ppt, *.psd, *.pdf, *.eps, *.ai, *.cdr, *.jpg, etc.) stored on the computer and demands payment of a 0.5 BTC (Bitcoin) ransom to decrypt them. At the time of writing, 0.5 BTC was equivalent to approximately $400 USD. This ransomware is identical to a previous variant named Cryptolocker. PC users should be aware that, whilst the infection itself is not complicated to remove, decryption of files affected by this malicious program is impossible without paying the ransom. At the time of research, no tools or solutions capable of decrypting files encrypted by Cryptorbit were available.
Immediately following infection of the user's operating system, this ransomware contacts a command-and-control server and generates a public key used to encrypt the data. After successfully encrypting the detected files, Cryptorbit displays a message (screenshot below) explaining how users may retrieve their files. Note that the private key, capable of decrypting the files, is stored within Cryptorbit's command-and-control servers, which are managed by cyber criminals. The best way to deal with this ransomware is to eliminate it from your computer and restore the affected files from a backup.
The existence of ransomware infections such as Cryptorbit is a strong argument for maintaining regular backups of your stored files. Note that paying the ransom demanded by Cryptorbit is equivalent to sending your money to cyber criminals: you support their malicious business model, and there is no guarantee that your files will be decrypted. To avoid infection by ransomware, exercise caution when opening email messages, since cyber criminals use various catchy subject lines to trick PC users into opening infected attachments. Examples include "Voice Message from Unknown", "Important - attached form", "Payroll Invoice", "New contract agreement", etc. Recent research shows that cyber criminals also use P2P networks in an attempt to trick PC users into downloading Cryptorbit.
Message presented by the Cryptorbit ransomware virus:
YOUR PERSONAL FILES ARE ENCRYPTED
All files including videos, photos and documents, etc on your computer are encrypted. Encryption was produced using a unique public key generated for this computer. To decrypt files, you need to obtain the private key. The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files. In order to decrypt the files, open site 4sfxctgp53imlvzk.onion.to/index.php and follow the steps below:
1. You must download and install this browser: torproject.org/projects/torbrowser.html.en
2. After installation, run the browser and enter the address: 4sfxctgp53imlvzk.onion/index.php
3. Follow the instructions on the web-site.
We remind you that the sooner you do, the more chances are left to recover the files.
Screenshot of "Cryptorbit Decryptor":
Note that at time of writing, there were no known tools able to decrypt files encrypted by Cryptorbit. We will update this article as soon as there is more information regarding the decryption of the compromised files.
- What is Cryptorbit?
- STEP 1. "Cryptorbit" virus removal using safe mode with networking.
- STEP 2. "Cryptorbit" ransomware removal using System Restore.
Cryptorbit virus removal:
Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, then click OK. While the computer is starting, press the F8 key repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: to start Windows 8 in Safe Mode with Networking, go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options, and in the opened "General PC Settings" window select Advanced startup. Click the "Restart now" button. Your computer will restart into the "Advanced Startup options" menu. Click the "Troubleshoot" button, then click the "Advanced options" button. In the Advanced options screen click "Startup settings", then click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot into Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Log in to the account that is infected with the Cryptorbit virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":
1. While your computer is starting, press the F8 key repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the ransomware virus infiltrating your PC).
6. In the opened window click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Cryptorbit files.
To restore individual files encrypted by this ransomware, try the Windows Previous Versions feature. This method is only effective if System Restore was enabled on the infected operating system before the infection, because Previous Versions are read from the Volume Shadow Copies that System Restore creates.
To restore a file, right-click it, open Properties and select the Previous Versions tab. If the selected file has a Restore Point, select it and click the "Restore" button.
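The Previous Versions tab reads from Volume Shadow Copies. The PowerShell below, an added example that is not part of the original article, performs the same lookup from the console: it finds the newest shadow copy of C: taken before a cut-off date you supply and copies one file back from it, next to the encrypted original. The file path, cut-off date and mount directory are placeholders; it must run from an elevated prompt.

```powershell
# Added example, not from the article: restore one file from the newest Volume Shadow Copy
# of C: that predates the infection (what the "Previous Versions" tab does behind the scenes).
# Run from an elevated PowerShell prompt; shadow copy enumeration and mklink need admin rights.
# $EncryptedFile, $CutOff and $Mount are placeholders to adjust for the machine being cleaned.
$EncryptedFile = 'C:\Users\alice\Documents\report.docx'   # placeholder: a file the ransomware encrypted
$CutOff        = Get-Date '2014-02-01'                       # placeholder: a moment before the infection
$Mount         = 'C:\shadow_restore'                         # temporary symlink pointing at the shadow copy

# Shadow copies are keyed by volume GUID path, so look up the GUID path that belongs to C:.
$volumeId = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='C:'").DeviceID

# Keep only shadow copies of C: taken before the cut-off, and pick the newest of those.
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $CutOff } |
    Sort-Object -Property InstallDate -Descending |
    Select-Object -First 1

if (-not $shadow) {
    Write-Warning 'No shadow copy of C: older than the cut-off. System Restore was probably off, or the copies were deleted.'
    return
}

# DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN. PowerShell cmdlets cannot open
# that path directly, so expose it through a directory symlink (the trailing backslash is required).
cmd.exe /c "mklink /d $Mount $($shadow.DeviceObject)\" | Out-Null

try {
    $source = Join-Path -Path $Mount -ChildPath $EncryptedFile.Substring(3)   # drop the 'C:\' prefix
    if (Test-Path -LiteralPath $source) {
        # Write beside the encrypted file rather than over it, so nothing is lost if the copy is wrong.
        Copy-Item -LiteralPath $source -Destination "$EncryptedFile.restored"
        Write-Host "Restored copy written to $EncryptedFile.restored (shadow copy from $($shadow.InstallDate))"
    } else {
        Write-Warning "File does not exist in shadow copy $($shadow.ID); try an older copy."
    }
} finally {
    # rmdir removes only the symlink; the shadow copy itself is untouched.
    cmd.exe /c "rmdir $Mount" | Out-Null
}
```

Compare the restored copy against the encrypted one before replacing anything, and repeat with an older cut-off if the file in the chosen shadow copy is already encrypted.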
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of this ransomware disable Safe Mode, making its removal more complicated. For this step, you require access to another computer.
Other tools known to remove the Cryptorbit ransomware virus: