Cryptorbit Virus

Also Known As: Cryptorbit ransomware, Type: Ransomware, Distribution: High
Damage level Damage level: Severe

Cryptorbit "Your personal files are encrypted!" removal instructions

What is Cryptorbit?

The Cryptorbit ransomware virus infiltrates users' computers using infected email messages and P2P networks. After successful infiltration, this malicious program encrypts files (*.doc, *.docx, *.xls, *.ppt, *.psd, *.pdf, *.eps, *.ai, *.cdr, *.jpg, etc.) stored on users' computers and demands payment of a 0,5 BTC (Bitcoins) ransom in order to decrypt the files. At time of writing, 0,5 BTC was equivalent to approximately $400 USD. This ransomware is identical to a previous variant named Cryptolocker. PC users should be aware that, whilst the infection itself is not complicated to remove, decryption of files affected by this malicious program is impossible without paying the ransom. At time of research, no tools or solutions capable of decrypting files encrypted by Cryptorbit were available.

Immediately following infection of the user's operating system, this ransomware contacts a command-and-control server and generates a public key used to encrypt the data. After successfully encrypting the detected files, Cryptorbit displays a message (screenshot below) explaining how users may retrieve their files. Note that the private key, capable of decrypting the files, is stored within Cryptorbit's command-and-control servers, which are managed by cyber criminals. The best way to deal with this ransomware is to eliminate it from your computer and restore the affected files from a backup.

Cryptorbit ransomware virus

The existence of ransomware infections such as Cryptorbit are a strong argument to maintain regular backups of your stored files. Note that paying the ransom as demanded by Cryptorbit is equivalent to sending your money to cyber criminals - you will support their malicious business model, and moreover, there is no guarantee that your files will be decrypted. To avoid system infection by ransomware, express caution when opening email messages, since cyber criminals use various catchy titles in order to trick PC users into opening the infected attachments. Examples include, "Voice Message from Unknown", "Important - attached form", "Payroll Invoice", "New contract agreement", etc. Recent research shows that cyber criminals also use P2P networks in an attempt to trick PC users into downloading Cryptorbit.

Message presented by the Cryptorbit ransomware virus:

Cryptorbit
YOUR PERSONAL FILES ARE ENCRYPTED

All files including videos, photos and documents, etc on your computer are encrypted. Encryption was produced using a unique public key generated for this computer. To decrypt files, you need to obtain the private key. The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files. In order to decrypt the files, open site 4sfxctgp53imlvzk.onion.to/index.php and follow the steps below: 1. You must download and install this browser: torproject.org/projects/torbrowser.html.en 2. After installation, run the browser and enter the address: 4sfxctgp53imlvzk.onion/index.php 3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.

Screenshot of  "Cryptorbit Decryptor":

Cryptorbit decryptor instructions

Note that at time of writing, there were no known tools able to decrypt files encrypted by Cryptorbit. We will update this article as soon as there is more information regarding the decryption of the compromised files.

Quick menu:

Cryptorbit virus removal:

Step 1

Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer starting process press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced startup options, in the opened "General PC Settings" window select Advanced startup. Click on "Restart now" button. Your computer will now restart into "Advanced Startup options menu". Click on the "Troubleshoot" button, then click on the "Advanced options" button. In the advanced option screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Step 2

Log in to the account that is infected with Cryptorbit Virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

remover for Cryptorbit virus

If you need assistance removing Cryptorbit Virus, give us a call 24/7:
1-877-484-8393
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. We are affiliated with anti-virus and anti-spyware software listed on this site. All the products we recommend were carefully tested and approved by our technicians as being one of the most effective solutions for removing this threat.


If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer starting process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the ransomware virus infiltrating your PC).

select a restore point

6. In the opened window click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Cryptorbit files.

To restore the individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system.

To restore a file, right-click on it, go into Properties and select the Previous Versions tab. If the selected file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by Cryptorbit

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of this ransomware disable Safe Mode, making its removal more complicated. For this step, you require access to another computer.

Other tools known to remove the Cryptorbit ransomware virus:

About the author:

I am passionate about computer security and technology. I have an experience of 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an editor for pcrisk.com since 2010.

Follow me on Google+ to stay informed about the latest online security threats.

Our malware removal guides are free. However, if you want to support us you can send us a donation.