Click on screenshot to zoom
Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Crystal Ransomware

Crystal Ransomware is an unfinished ransomware-type computer infection that was leaked recently, and we have managed to obtain a sample and test it. In its current form, this ransomware is unable to encrypt any files, but our tests have shown that it was configured to encrypt files in a test environment setup by its developers. The sample we have tested did not drop a ransom note, but the finished version will most definitely do that. Removing this ransomware is also not a big problem, so if your computer becomes infected with the full version, then you should be able to delete it manually without too much difficulty. Alternatively, you can use an anti-malware program to deal with this infection.

Once Crystal Ransomware infects a computer, it checks the system if it has already been infected. It creates a Point of Execution (PoE) in HKCU\SOFTWARE\\Microsoft\Windows\CurrentVersion\Run in Windows Registry. The subkey is named “CRYSTAL, ” and its value data is “C:\Users\User\AppData\Roaming\0NgRB.exe.” Note that the main executable named “0NgRB.exe” is set to have a randomized 8-character file name. The main executable file is set to copy itself to %APPDATA% as well as %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Then, the executable connects to localhost at

Once connected, Crystal Ransomware receives commands on what to do. It can flood using UDP, TCP, HTTP protocol. Then, it receives commands to stop flooding get Filezilla credentials and then disable Task Manager (Software\Microsoft\Windows\CurrentVersion\Policies\System |DisableTaskMgr| 0) and Firewall (netsh.exe Firewall set opmode disable, netsh.exe Firewall set opmode enable.) It can also re-enable the Task Manager and Firewall. It downloads executable files from the Internet, get information about the computer and bypass the UAC - user account control.

Testing has shown that it gets Filezilla credentials from %APPDATA%\Filezilla\sitemanager.xml and %APPDATA%\Filezilla\recentservers.xml. It searches for Host, Port, User name and account password. Then, this ransomware bypasses the UAC by executing HKCU\Software\Classes\mscfile\shell\open\command|{link to malicious file}.

Once Crystal Ransomware has completed all of the necessary actions, it starts encrypting files using a unique AES encryption algorithm. Testing has shown that it was set to encrypt files in %userprofile%\Documents, %userprofile%\Picutures, %userprofile%\Desktop, %userprofile%\Downloads, %userprofile%\Music, %userprofile%\Videos, and %userprofile%\OneDrive. It was set to encrypt many files types that include documents, executables, images, videos, audios, and so on. It adds a ".CRYSTAL" file extension as a file-marker. It should generate unique encryption and decryption keys and send the decryption key to its server for storage. If this ransomware were to work properly, then it should drop a ransom note somewhere on your PC. Typically, such infections drop a ransom note in each location where files were encrypted or on the desktop. The ransom note should contain instructions on how to pay the ransom and indicate the sum of money to be paid. Usually, they ask to pay in Bitcoins, but they can also ask to pay in other crypto currencies as well.

In closing, Crystal Ransomware is an unfinished ransomware-type computer infection that will be able to encrypt files on infected computers once it is finished. It is not distributed yet, but it is possible that one of its distribution methods will include email spam that will be sent to random email addresses. As far as its removal methods are concerned, you can use the manual removal guide located below or get an anti-malware program such as SpyHunter to delete it for you.

How to delete Crystal Ransomware manually

  1. Press Windows+E keys.
  2. In the File Explorer’s address box, type %APPDATA% and press Enter.
  3. Locate the randomly-named executable file.
  4. Right-click it and click Delete.
  5. Then, type %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  6. Find the randomly-named executable and delete it.
  7. Then go to the folders indicated below and delete the main executable file.
    • %USERPROFILE%\Desktop
    • %USERPROFILE%\Downloads
    • %TEMP%
  8. Locate the executable and delete it.
  9. Close the File Explorer.
  10. Press Windows+R keys.
  11. Type regedit in the dialog box and press Enter.
  12. Navigate to HKCU\SOFTWARE\\Microsoft\Windows\CurrentVersion\Run
  13. Locate CRYSTAL
  14. Right-click it and click Delete.
  15. Empty the Recycle Bin.
Download Spyware Removal Tool to Remove* Crystal Ransomware
  • Quick & tested solution for Crystal Ransomware removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.