Cry Ransomware

Also Known As: Cry virus
Distribution: Low
Damage level: Severe

CryLocker ransomware removal instructions

What is Cry?

Cry (CryLocker) is a new ransomware-type virus that stealthily infiltrates the system and encrypts various data types. During encryption, Cry ransomware appends the names of encrypted files with the ".cry" extension (for example, "sample.jpg" is renamed to "sample.jpg.cry"). Thus, it is relatively easy to determine which files are encrypted. Furthermore, Cry creates a folder named "old_shortcuts", places it on the desktop and moves all encrypted files (that were previously placed on the desktop) to this folder. Following successful encryption, Cry creates two files (.txt and .html, named "!Recovery_[6 random characters]") that contain identical ransom-demand messages. These files are also placed on victim's desktop.

Ransom-demand message informs victims of the encryption and states that the files can only be restored using a Cry ransomware decryption kit, however, it is also stated that the decryptor can only be used after paying a ransom of $150. If the ransom is not paid within the given time frame (~100 hours), the size will double to $300. As usual, victims must pay the ransom in Bitcoins. The ransom-demand message contains a link to Cry's website, which provides step-by-step payment and decryption instructions. It also allows victims to decrypt a selected file free of charge, supposedly to prove that decryption is possible. Note that Cry's website contains references and a logo of "Central Security Treatment Organization (Department of pre-trial settlement)", however, there is no such organization. Cyber criminals claim to be authorities and attempt to trick victims into believing that they have violated cyber laws. This is a very effective way to scam unsuspecting users, since a few hundreds dollars is seemingly a small price to avoid punishment and having your files decrypted. In fact, developers of ransomware-type viruses often ignore victims, despite payments made. Therefore, we strongly advise you to ignore all requests to pay the ransom or contact these people. There is a high probability that paying will not deliver any positive result - you will waste your money and receive nothing in return. Unfortunately, there are currently no tools capable of restoring files encrypted by Cry ransomware. Thus, the only solution is to restore your system from a backup.

Screenshot of a message encouraging users to contact the developers of Cry ransomware to decrypt their compromised data:

Cry decrypt instructions

There are dozens of ransomware-type viruses that are virtually identical to Cry including CTB-Locker, Cerber3, Locky, and Chimera - these are just some examples from many. All encrypt files and demand hundreds of dollars in exchange for decryption software and a password. Ransomware-type viruses often use asymmetric encryption algorithms and, thus, the only noticeable difference between them is the size of ransom. In addition, ransomware is commonly distributed using spam emails (malicious attachments), P2P (peer-to-peer) networks (such as Torrent), trojans, and fake software update tools. Therefore, be cautious when opening files received from unrecognized/suspicious email addresses, and when downloading files from third party sources. Furthermore, use a legitimate anti-virus/anti-spyware suite and keep your installed applications up-to-date. Poor knowledge of these threats and careless actions are mostly the reason for system infection. The key to computer safety is caution.

Text presented on Cry website homepage:

Central Security Treatment Organization Department of pre-trial settlement Warning! Your files are encrypted! Your documents, databases, project files, audio and video content and other critical files have been encrypted with a persistent military-grade crypto algorithm!!! To restore the access to your files you need to pay commission for the decryption in amount of $150 (˜0.2727272727272727). Only after the commission is paid in full you will be provided with the special software for the encrypted data recovery. Important In the case of non-payment of the full commission within 4d 4h , the amount of commission will be raised to $300 (˜0.5454545454545454) Attention required Do not take any actions to decrypt your files on your own! This is absolutely impossible and can lead to the encrypted data corruption and, therefore, it can not be recovered in the future! In case of the repeated non-payment of the increased commission during the 4d 4h period, the unique decryption code for your files will be blocked and its recovery will be absolutely impossible!

CryLocker ransomware changes victim's desktop wallpaper with an image containing a ransom demanding message:

crylocker ransomware wallpaper

Screenshot of Cry website "Payment" page:

Cry website payment

Text presented within this page:

Payment procedure How to pay? Payment can only be made using the BitCoin system. BitCoin is the new generation of the decentralized cyber currency that has been created on the Internet and is operating on the Internet only. Emission of the BitCoin currency (BTC) is performed by the work of millions of computers around the world using a program for calculation of mathematical algorithms. Due to this fact, all the payments within the system are open payments but at the same time are completely anonymous for the whole world. So you can be sure that in the case of full payment of the commission, all your files will be decrypted. Please note that BTC currency rate as any other currency rate in the world is not fixed. It tends to increase, therefore we advise you not to delay the BTC currency purchase and payment. How to pay within the BitCoin system? Don't worry, the payment process in the BitCoin system is not difficult and requires few simple steps. BTC wallet you need to transfer the payment to has been set up specially for you and the amount paid can not be lost! You will be able to check all the information about the payments made. Your BTC wallet: 16NSZ676WBVw4t8Gkq5f8hcc3gbk68j3c9 Around the world there is a wide variety of services (see the full list below) allowing to buy BTC currency with cash, classic bank cards (Visa/Mastercard), PayPal, bank transfers and other payment methods. Below you can find the list of trusted BitCoin purchase services. We would like to draw your attention to the fact that these services are not affiliated with us! Most of them are designed for beginners and have prompt support services. Some of these services will set up a personal BTC wallet for you, while others can make a direct transfer to the wallet that has been set up for you on our system. It should be noted that some of the services mentioned can require you to confirm your identity before the BitCoins purchase. IT IS IMPORTANT TO KNOW WHILE MAKING PAYMENTS WITHIN THE BITCOIN SYSTEM! If you need to save, copy, etc your BTC wallet number do not try to write it down by hand! If while making a transaction you type the wrong BTC wallet number, the money will be lost. Therefore, if necessary, print out the BTC wallet number you need or use the QR-code scanner on your smartphone. If you are not confident that you are able to do everything correctly the first time, you can split the full amount of payment in several BTC transactions. As was mentioned above, the BTC wallet you need to make payment to has been set up specially for you. That is why at any time you may see the current balance and the reminder to be paid. Keep in mind that some BTC purchase services have a delay in payment processing. The delay may last from 24 to 36 hours. We therefore recommend you not to put aside the decision of payment until the last moment. Failure to pay on time may result in the increase of the commission amount!!! THE FULL LIST OF SERVICES WHERE YOU MAY BUY BitCoin Currency (BTC)

Screenshot of Cry website "Test decryption" page:

Cry website free decryption

Screenshot of Cry website "Instructions" page:

Cry website instructions

Text presented within this page:

Instructions What to do after the payment is made? How to decrypt all your data? After payment you can download the decryption software from the home page. We guarantee that all your files will be decrypted. Just follow these simple steps: Login to your personal page Copy the decryption key from field on the home page Click "Download decryption software" button and save decriptor_2.0.20.143.exe to your hard disk Run decriptor_2.0.20.143.exe Paste the decryption key into field in the decryption software window Click "Run decryption" and wait for successfull completion of the decryption process IMPORTANT: Don't turn off or reboot your PC before the process is completed! Congratulations! Now all your files are restored!

Screenshot of Cry website "Support" page:

Cry website support

Screenshot of Cry ransomware text file (!Recovery_[6 random characters].txt):

Cry ransomware text file

Screenshot of Cry ransomware html file (!Recovery_[6 random characters].html):

Cry ransomware html file

Ransom-demand message presented in .txt and .html files:

............................ Not your language? Use hxxps:// .............................
............................................ How did this happen? ............................................
=== Specially for your PC was generated personal 4096 bit RSA key, both public and private. All your files have been encrypted with the public key. Decrypting of your files is only possible with the help of the private key and de-crypt program.
................................................ What do I do? ...............................................
=== Don't wait for a miracle and the price doubled! Start obtaining Bitcoin now and restore your data easy way! If you HAVE REALLY VALUABLE DATA, you better NOT WASTE YOUR TIME, because there is NO OTHER WAY to get your files, EXCEPT MAKE A PAYMENT =====
.................................. What should you do with these addresses? ..................................
1. Take a look at the first address (in this case it is hxxp://; 2. Select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. Release the left mouse button and press the right one; 4. Select "Copy" in the appeared menu; 5. Run your Internet browser (if you do not know what it is run the Internet Explorer); 6. Move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. Click the right mouse button in the field where the site address is written; 8. Select the button "Insert" in the appeared menu; 9. Then you will see the address hxxp:// appeared there; 10. Press ENTER; 11. The site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. Run your Internet browser (if you do not know what it is run the Internet Explorer); 2. Enter or copy the address hxxps:// into the address bar of your browser and press ENTER; 3. Wait for the site loading; 4. On the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. Run Tor Browser; 6. Connect with the button "Connect" (if you use the English version); 7. A normal Internet browser window will be opened after the initialization; 8. type or copy the address hxxp://neutx2ll7kh7h7zt.onion in this browser address bar; 9. Press ENTER; 10. The site should be loaded; if for some reason the site is not loading wait for a moment and try again
===== !!! IMPORTANT !!! Be sure to copy your personal ID and the instruction link to your notepad not to lose them. =====

Screenshot of files encrypted by Cry ransomware (.cry extension):

Cry ransomware encrypting victim's files

Cry ransomware removal:

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Spyhunter By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Quick menu:

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the Cry virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Cry ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Cry ransomware files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Cry are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Cry, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Cry ransomware.)

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove Cry ransomware:

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
Cry virus QR code
A QR code (Quick Response Code) is a machine-readable code which stores URLs and other information. This code can be read using a camera on a smartphone or a tablet. Scan this QR code to have an easy access removal guide of Cry virus on your mobile device.
We Recommend:

Get rid of malware infections today:

▼ REMOVE IT NOW with Spyhunter

Platform: Windows

Editors' Rating for Spyhunter:
Editors ratingOutstanding!

[Back to Top]

Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.