Crysis Ransomware [Updated]

Also Known As: CrySis virus
Distribution: Low
Damage level: Severe

Crysis virus removal instructions

What is Crysis?

Crysis is ransomware-type malware mostly proliferated using deceptive e-mail messages containing infectious attachments and fake software updates (Java, Flash Player, etc.). After successful system infiltration, virus-encoder encrypts files stored on the computer and, depending on the variant, appends one of the following extensions: .write, .java, .cobra, .onion, .{mailrepa.lotos@aol.com}.CrySiS, .{TREE_OF_LIFE@INDIA.COM}.CrySiS, .CrySis.locked, .kraken, .darkness, .nochance, .oshit, .oplata@qq_com, .relock@qq_com, .crypto, .helpdecrypt@ukr.net, .pizda@qq_com, .dyatel@qq_com, _ryp, .nalog@qq_com, .chifrator@qq_com, .gruzin@qq_com, .troyancoder@qq_com, .encrytped, .cry, .AES256, .enc or .hb15. Furthermore, this malware generates a unique user ID and appends it, together with the attackers' contact e-mail address, to each encrypted file name (for instance, if the unique ID is 6843158791, 'pcrisk.jpg' is renamed to '[email protected]'). Note that the desktop wallpaper of the infected system is changed to an image containing payment instructions.

Update 14 November, 2016 - The master keys of the Crysis ransomware have been published, and security researchers have built a decrypter from them. Victims of this ransomware should not pay the ransom; their files can be decrypted for free with Kaspersky's RakhniDecryptor (download link and instructions below).

virus-encoder decrypt instructions

Another variant of virus-encoder ransomware:

virus encoder variant 2

Yet another variant of virus-encoder ransomware (creates a ransom demand message in the ‘How to decrypt your files.txt’ file and instructs users to contact cyber criminals via email addresses provided - redshitline@india.com or redshitline@aol.com):

redshitline india ransomware

Screenshot of the Crysis ransomware pop-up message demanding payment of a ransom in order to decrypt files:

Crysis ransomware pop-up (amanda_sofost@india.com variant)

Here’s a list of email addresses associated with Cyber criminals behind Crysis ransomware: cryptoblazer@asia.com, webmafia@asia.com, amanda_sofost@india.com, gcaesar2@aol.com, alex-king@india.com, bitcoinpay@india.com, bitcoinrush@aol.com, drew_ranger@india.com, grand_car@aol.com, Drow_ranger@india.com, opencode@india.com, a_princ@aol.com, DIGITALKEY2@163.com, quentin77@163.com, supermanluter@aol.com, supportfriend@india.com, calipso.god@aol.com, helphomeless@india.com, Space_rangers@aol.com, Ceri133@india.com, Melme@india.com, Milarepa.lotos@aol.com, Batman_good@aol.com, f_tactics@aol.com, diablo_diablo2@aol.com, legioner_seven@aol.com, donald_dak@aol.com, seven_legion@aol.com, Meldonii@india.com, Opencode@india.com and last_centurion@aol.com

This desktop wallpaper contains a message stating that files can only be decrypted using a private key, and users are encouraged to contact the developers of virus-encoder and pay a ransom to receive it. Fortunately, a tool called RakhniDecryptor is capable of decrypting files affected by virus-encoder. This decryptor can be downloaded from the official Kaspersky site. RakhniDecryptor brute-forces the password of one encrypted file and then uses the recovered key to decrypt the remaining files, so point it at a copy of one encrypted file first and keep the originals until you have verified the output. Due to its simple user interface, RakhniDecryptor is easy to use (see the detailed instructions). The process can take a few hours or even days; however, you should never contact the developers or pay the ransom demanded. This is equivalent to sending your money to cyber criminals, it supports their malicious business, and there is no guarantee that your files will ever be decrypted.
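The file-naming scheme, the ransom-note file name ('How to decrypt your files.txt') and the contact-address list above are enough to triage an affected machine before running any decryptor. The following Python script is an added example written for this guide; it is not code from pcrisk.com, Kaspersky or Avast. It walks a directory tree, parses each file name against the CrySis layout (original name, optional 'id-' victim ID, optional bracketed or braced e-mail address, appended extension), tallies victim IDs and addresses, checks the addresses against the list on this page, and reports ransom notes. The exact field order, the '_' for '.' normalisation of addresses such as .oplata@qq_com, and the sample file names are assumptions constructed for the demo; the KNOWN_ADDRESSES set is a subset of the page's list.

```python
"""Triage scanner for files renamed by CrySis / virus-encoder (added example).
Walks a directory tree, recognises <name>.id-<ID>.[<e-mail>].<ext> (also the
{e-mail} form and bare appended extensions from the variant list), tallies
victim IDs and contact addresses, and reports ransom-note files.
"""
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

# Appended extensions named on this page (compared case-insensitively).
KNOWN_EXTENSIONS = {
    ".write", ".java", ".cobra", ".onion", ".crysis", ".locked", ".kraken",
    ".darkness", ".nochance", ".oshit", ".crypto", ".encrytped", ".cry",
    ".aes256", ".enc", ".hb15", ".wallet", ".dharma"}
# Subset of the attacker contact addresses listed on this page.
KNOWN_ADDRESSES = {"cryptoblazer@asia.com", "amanda_sofost@india.com",
                   "redshitline@india.com", "milarepa.lotos@aol.com",
                   "dalailama2015@protonmail.ch", "last_centurion@aol.com"}
# Ransom-note file name dropped by the variant described above.
RANSOM_NOTE_NAMES = {"how to decrypt your files.txt"}
# Assumed layout; adjust for variants that order the pieces differently.
NAME_RE = re.compile(
    r"^(?P<orig>.+?)"                                    # original file name
    r"(?:\.id-(?P<uid>[0-9A-Za-z]+))?"                   # optional victim ID
    r"(?:\.[\[{](?P<email>[^\]}\s]+@[^\]}\s]+)[\]}])?"   # optional [email]/{email}
    r"(?P<ext>\.[A-Za-z0-9_@]+)$")                       # appended extension


@dataclass
class Hit:
    path: str
    original: str    # name before the ransomware renamed it
    uid: str         # victim ID, or "" if the variant embeds none
    email: str       # contact address, or "" if none was found
    ext: str
    confidence: str  # "strong" (ID or address seen) or "weak" (extension only)


def parse_name(name, path=None):
    """Return a Hit if the file name looks CrySis-encrypted, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    ext, email, uid = m.group("ext"), m.group("email") or "", m.group("uid") or ""
    if not email and "@" in ext:
        # Variants such as .oplata@qq_com carry the address in the extension
        # with '_' standing in for '.' (assumed normalisation).
        email = ext[1:].replace("_", ".")
    if uid or email:
        confidence = "strong"
    elif ext.lower() in KNOWN_EXTENSIONS:
        confidence = "weak"  # .java, .enc, .cry also occur on clean files
    else:
        return None
    return Hit(path or name, m.group("orig"), uid, email.lower(), ext, confidence)


def scan_tree(root):
    """Walk `root`; summarise encrypted files, victim IDs, addresses and notes."""
    hits, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname.lower() in RANSOM_NOTE_NAMES:
                notes.append(full)
            elif (hit := parse_name(fname, full)) is not None:
                hits.append(hit)
    ids = Counter(h.uid for h in hits if h.uid)
    addresses = Counter(h.email for h in hits if h.email)
    return {"hits": hits, "notes": notes, "ids": ids, "addresses": addresses,
            "known_addresses": sorted(a for a in addresses if a in KNOWN_ADDRESSES),
            "strong": sum(h.confidence == "strong" for h in hits),
            "weak": sum(h.confidence == "weak" for h in hits)}


# Constructed sample names for the demo, not taken from a real incident.
SAMPLE_FILES = ["pcrisk.jpg.id-6843158791.[milarepa.lotos@aol.com].CrySiS",
                "report.docx.id-6843158791.[milarepa.lotos@aol.com].CrySiS",
                "budget.xlsx.{mailrepa.lotos@aol.com}.CrySiS",
                "invoice.pdf.oplata@qq_com", "notes.txt.locked",
                "Main.java",    # clean file that shares a listed extension
                "photo.png",    # untouched file
                "How to decrypt your files.txt"]


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "Documents")
        os.makedirs(docs)
        for name in SAMPLE_FILES:
            open(os.path.join(docs, name), "wb").close()
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

Point scan_tree at a user profile or a mounted network share to get the victim ID you will need when reading the ransom note, and to see which extension variant you are dealing with before choosing a decryptor. Hits flagged "weak" rest on the extension alone and deserve a manual look, because several listed extensions (.java, .enc, .cry) also belong to legitimate files.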

Threat Summary:

Name: CrySis virus
Threat Type: Ransomware, Crypto Virus, Files locker
Symptoms: Can't open files stored on your computer; previously functional files now have a different extension (for example, my.docx.locked). A ransom-demanding message is displayed on your desktop. Cyber criminals demand a ransom payment (usually in bitcoins) to unlock your files.
Distribution methods: Infected email attachments (macros), torrent websites, malicious ads.
Damage: All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.
Removal: To eliminate CrySis virus our malware researchers recommend scanning your computer with Spyhunter.
▼ Download Spyhunter
Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Ransomware viruses similar to virus-encoder (for example, HELP_YOUR_FILES, Shade, CTB Locker, etc.) are often distributed using fake software updates, P2P networks, and infectious e-mail attachments. Although files affected by virus-encoder are decryptable, those encrypted by other ransomware often remain impossible to decrypt. These viruses present a strong case for maintaining regular backups of your files. Furthermore, you should be cautious when opening suspicious e-mail messages and downloading files from untrusted sources. Use a legitimate anti-spyware/anti-virus suite and keep all installed software up-to-date.

Text presented in the virus-encoder's desktop wallpaper:

Attention! Your computer has been attacked by a virus-encoder! All your files are now encrypted using cryptographically strong algorithm. Without the original key recovery is impossible. To get the decoder and the original key, you need to email us at - Our assistance i not free, so expect to pay a reasonable price for our decrypting services. No exceptions will be made. In the subject line of your email include the id number, which can be found in the file name of all encrypted files. It is in your interest to respond as soon as possible to ensure the restoration of your files. P.S. only in case you do not receive a respons from the first email address within 48 hours, please use this alternative email address: dalailama2015@protonmail.ch

If you believe virus-encoder may have affected files stored on your Network Drives, edit RakhniDecryptor's parameters:

RakhniDecoder's settings

Check the 'Network Drives' option (unless you are 100% sure that all of your files will be decrypted, you should never place a checkmark in the 'Delete crypted files after decryption' option):

RakhniDecryptor's parameters

Update 19 May, 2017 - Security researchers from Avast have developed a free decrypter for the Crysis ransomware variants that append the .wallet and .DHARMA extensions. If your files carry the .wallet or .DHARMA extension, you can download this decrypter from Avast.

crysis ransomware decrypter by Avast

Virus-encoder ransomware removal:

Instant automatic removal of CrySis virus: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of CrySis virus.


Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. While the computer is starting, press the F8 key repeatedly until you see the Windows Advanced Options menu, then select Safe Mode with Networking from the list.

Safe Mode with Networking


Windows 8 users: Start Windows 8 in Safe Mode with Networking. Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options, and in the opened "General PC Settings" window select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options" menu. Click the "Troubleshoot" button, then click the "Advanced options" button. In the advanced options screen click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot into Safe Mode with Networking.

Windows 8 Safe Mode with networking


Step 2

Log in to the account infected with the virus-encoder virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.


If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Removing the ransomware using "Safe Mode with Command Prompt" and "System Restore":

1. While the computer is starting, press the F8 key repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER. The prompt opens in the Windows System32 directory; if no 'restore' subfolder exists on your version of Windows, skip this step, because rstrui.exe can be started from the System32 prompt directly.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the virus-encoder ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining virus-encoder files.

To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if System Protection (System Restore) was enabled on the infected operating system. Note that some variants of virus-encoder are known to delete the Shadow Volume Copies of the files, so this method may not work on all computers. You can check whether any copies survived by running vssadmin list shadows from an elevated Command Prompt before spending time on the steps below.

To restore a file, right-click on it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by virus-encoder you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file-encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which monitor file activity on the system and stop processes that start encrypting files the way virus-encoder does.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises such attempts without need for user intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove virus-encoder ransomware:

Carlos Mario Ramirez

Hello, did you find any solution for .Crysis encrypted files??

William

Hi, I tried this solution with encrypted files but it does not work: ".Crysis: encrypted unsupported file type". Any solution?

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have over 10 years of experience working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

The PCrisk security portal is brought to you by the company RCS LT. The joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.
