Cryptxxx Ransomware

According to our research, Cryptxxx Ransomware was created using the engine of the infamous CryptoWall ransomware, and so it is not surprising that the ransom notes presented by these threats are identical as well. Were these threats created by the same cyber criminals? While we cannot guarantee this, it is possible. Another interesting thing is that there are several versions of this malicious threat. Not too long ago, this infection was released with a major flaw that allowed file decryption without paying the ransom to cyber criminals. This flaw has been fixed in the newest version of this infection, and we have found it to be stronger overall. Of course, this is not good news for the victims of this devious ransomware. At the moment, a tool that could decrypt the files corrupted by this ransomware does not seem to exist, and it is unsure if and when it will appear. For now, you need to focus on the removal of Cryptxxx Ransomware.

The creators of Cryptxxx Ransomware have been found to use the Angler Exploit Kit to spread it. This is a hacking tool that can be employed to exploit Java and Flash vulnerabilities to infiltrate malicious computer infections. Our researchers have also found that this threat can be downloaded by active Trojans, in which case, a security backdoor for all kinds of malware might be open. In fact, other threats could run along with this ransomware, which might create bigger security issues. Cryptxxx Ransomware is launched with a DLL (Dynamic Link Library) file that can be found within a folder in the %TEMP% directory. Note that this folder’s name is a random CLSID (combination of letters and numbers), and the DLL file has a random name as well (e.g., api-ms-win-system-softpub-l1-1-0.dll). The malicious DLL file is launched using rundll32.exe, a legit file located in %WINDIR%\SysWOW64 or %WINDIR%\System32. Note that this file is renamed to svchost.exe, possibly to make it less noticeable.

Once installed, Cryptxxx Ransomware waits between 15 to 62 minutes (possibly less or more, in some cases) to initiate malicious processes. The time spent in the so-called sleep mode depends on the version of this malicious ransomware. After this, the infection quickly moves to encrypt personal files and lock the screen of your Desktop. Notably, not all versions of this infection will lock the screen; however, if it does, you will be introduced to a screen-size notification informing about what is happening. The notification is represented in English, but the developers of this threat provide a link to translate.google.com, so that computer users speaking different languages could follow their demands as well. These demands urge you to download the Tor browser, visit one of the sites provided, apply a Unique ID number (provided via the notification), and pay a ransom. These cyber criminals have a sense of humor, and they inform you that an alternative would be waiting for a miracle.

According to our researchers, you might be able to disable the locking of your screen by restarting your computer. Tap CTRL+ALT+DEL keys simultaneously, and you should be able to restart the PC. After it reboots, the intimidating notification should disappear. Despite this, your files will remain locked (the ".crypt" extension will be attached to their names), and additional TXT files will be created to present you with the demands of Cryptxxx Ransomware. Although the message in these TXT files is basically identical to the one locking your screen, we have found it to contain grammatical errors. Even if you remove all TXT files and all other files associated with this threat, your files will remain locked, and that is what might push you into paying the ransom.

Hopefully, the files encrypted are not important, or the most sensitive files are backed up, and you can retrieve them after deleting Cryptxxx Ransomware from your Windows operating system. If you pay the ransom – which is risky and unpredictable – you have to erase this infection anyway. The steps below show how to erase this ransomware manually, but you should also consider installing automated malware detection and removal software before making any rash decisions. As mentioned previously, this ransomware could have been downloaded by a Trojan, and other dangerous threats could be active. An automated malware remover can take care of all threats, and we advise implementing it even if you choose to follow the guide below.

Cryptxxx Ransomware Removal

1. Launch Explorer (tap Win+E keys on the keyboard).
2. Enter %Temp% into the address bar.
3. Open the folder with a random CLSID for a name.
4. Right-click and Delete the .dll file with a random name (e.g., api-ms-win-system-softpub-l1-1-0.dll).
5. Delete these files (highlighted) in these directories:
   • %ALLUSERSPROFILE%\[Unique ID].bmp
   • %ALLUSERSPROFILE%\[Unique ID].html
   • %USERPROFILE%\Desktop\[Unique ID].bmp
   • %USERPROFILE%\Desktop\[Unique ID].html
   • %USERPROFILE%\Desktop\[Unique ID].txt