Cyber Security Center

How to delete CRPTD ransomware


CRPTD ransomware is file encrypting malware. It can be recognized from the .CRPTD extension added to all encrypted files. Once file encryption is fully complete, a ransom note Recover files.hta is dropped.

 

Ransomware image 2

CRPTD ransomware, detected by cybersecurity researcher GrujaRS, is malware that encrypts files. Ransomware is considered to be one of the more dangerous infections because it encrypts files and it’s not always possible to decrypt them. Once files are encrypted, users will not be able to open them until they are decrypted. And to decrypt them, a special program is necessary. The cyber criminals behind this ransomware will try to sell victims the decryptor, though the price is not mentioned in the ransom note (Recover files.hta) the ransomware drops. Though it will likely be somewhere between $100 and $1000, as that is usually what ransomware demand.

Paying the ransom to get the decryptor is not a good idea in many cases. Ransomware is tricky business and there are no guarantees that a decryptor would be sent to users who pay, seeing as these are cyber criminals victims are dealing with. Many users failed to receive a decryptor in the past after paying, and there’s always a possibility that the same will happen with this ransomware.

For victims who regularly back up files, there is nothing to worry about as they will be able to easily recover files once they remove CRPTD ransomware from their computers. However, for those who don’t have backup, there aren’t many options left. It should be mentioned that malware researchers often release free decryption tools to help users recover files for free. But it’s not a guarantee for all ransomware. And victims to should be very careful when looking for decryptors as there are many fake ones. Emsisoft, as well as many other anti-virus vendors, and NoMoreRansom are some examples of where safe decryptors can be downloaded from.

Can CRPTD ransomware files be decrypted?

As is typical for ransomware, as soon as it is initiated, it will start file encryption. Photos, videos, documents, and other important files will now be encrypted and have the .CRPTD extension added. For example, image.jpg would become image.jpg.CRPTD. Users will not be able to open files with this extension. Once the encryption process is complete, a pop-up ransom note (Recover files.hta) will appear with the victims’ personal IDs. According to the ransom note, users need to send an email with their assigned ID and 3 unimportant encrypted files to the badbeeteam@mail.ee or badbeeteam@cock.li email addresses. The three files will supposedly be decrypted to prove that they can, and the price for the decryption tool and how to pay will be written in the response.

Here is the full ransom note:

Your personal ID
9-QUDMbtic-X0128C
Your files are encrypted!
To decrypt, follow the instructions below.
To recover data you need decrypt tool.
To get the decrypt tool you should:

Send 3 crypted test image or text file or document to badbeeteam@mail.ee
Or alternate mail badbeeteam@cock.li

In the letter include your personal ID (look at the beginning of this document). Send me this ID in your first email to me.
We will give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files.
After we send you instruction how to pay for decrypt tool and after payment you will receive a decrypt tool and instructions how to use it We can decrypt few files in quality the evidence that we have the decoder.

——–

MOST IMPORTANT!!!

Do not contact other services that promise to decrypt your files, this is fraud on their part!

They will buy a decoder from us, and you will pay more for his services.

No one, except badbeeteam@mail.ee (badbeeteam@cock.li), will decrypt your files.

——–

Only badbeeteam@mail.ee (badbeeteam@cock.li) can decrypt your files
Do not trust anyone besides badbeeteam@mail.ee (badbeeteam@cock.li)
Antivirus programs can delete this document and you can not contact us later.
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user’s unique encryption key

Like we already said above, paying may not be the best idea because it does not guarantee that files will be decrypted. Many users in the past have paid ransomware operators but were either sent faulty decryptors or not sent one at all.

How does ransomware enter a computer?

Many users are likely already familiar with how ransomware enters a computer. Users who don’t have particularly good browsing habits usually end up picking up some kind of malware infection. Those bad habits include opening spam email attachments, clicking on weird links and ads, downloading torrents and software cracks.

Spam emails is often the cause behind a ransomware infections. Users open an email attachment without double checking the email itself, and end up initiating the ransomware. Though in many cases, spam emails are pretty obvious. They contain a lot of grammar and spelling mistakes, are sent from random/weird email addresses, use generic greetings like “Dear User/Member/Customer” and put pressure on users to open the attachment. So if users carefully check unsolicited emails, they should be able to spot the malicious ones with little issue. However, because malicious emails can be more sophisticated, it’s a good idea to scan all unsolicited email attachments with anti-virus software or VirusTotal.

Malware can also often be encountered on torrent sites and forums. Those sites are often unregulated, which allows malware distributors to easily include malware in a torrent for a popular TV series, movie, game, software, etc.

CRPTD ransomware removal

Users have to use anti-malware software to delete CRPTD ransomware, as that is the safest way. Unless they are absolutely sure of what they’re doing, they shouldn’t attempt manual CRPTD ransomware removal as that may do even more damage. Loads of anti-malware programs detect and remove CRPTD ransomware, so there shouldn’t be any issues with that.

CRPTD ransomware is detected as:

  • HEUR:Trojan.Win32.DelShad.gen by Kaspersky
  • Ransom:Win32/Genasom by Microsoft
  • ML.Attribute.HighConfidence by Symantec
  • A Variant Of Win32/Filecoder.ODO by ESET
  • Trojan.GenericKD.43881417 by BitDefender
  • FileRepMalware by AVG
  • Trojan.GenericKD.43881417 (B) by Emsisoft