Crptxxx Ransomware Removal Guide

Do you know what Crptxxx Ransomware is?

Crptxxx Ransomware is a newly discovered malicious application that, once on your system, leaves you unable to open many of your files, including pictures, documents, movies, etc. Specialists say that this infection might be a previous version of Btcware Ransomware, so it should not be spreading actively these days. Of course, theoretically, it might still be waiting for users on dubious third-party web pages or arrive inside spam emails, so users should not assume that they will never encounter it. Most probably, you are reading this article because you have become a victim of this ransomware-type infection. There are hundreds of file-encrypting threats out there on the web, for example, Final Ransomware, Krpto64 Ransomware, and Angleware Ransomware, but there is no doubt that the one inside your system is Crptxxx Ransomware if the files you cannot access have received a new filename extension, .crptxxx (it should be appended after the original extension: picture.jpg.crptxxx). These files have not been ruined just for fun. Without a doubt, this infection has shown up on your computer with the intention of obtaining money from you. No matter how badly you need to get your files back, you should not transfer money to anyone because this does not guarantee that you could restore your files.

It does not really matter whether you encounter the version of Crptxxx Ransomware that drops HOW_TO_DECRYPT.txt on computers or the one that places HOW_TO_FIX_!.txt on them because both of them find valuable files stored on the computer and then encrypt them all. Those encrypted files receive a new filename extension .crptxxx, as you already know, which means that they have been encrypted using the AES encryption algorithm, as the ransom note left behind informs users. The two versions of Crptxxx Ransomware leave two different ransom notes, so the message users see depends on the version encountered. Even though these notes differ slightly from each other, they both contain instructions on how to get files back. In both cases, users are told to download the Tor browser and then open the indicated website. Most likely, users will then be asked to pay a ransom to get the decryption key. Do not do that even if it turns out that it is the only way to unlock the encrypted data because you might get nothing in return. In this case, your money will not be returned to you either. The only thing you can do to recover files for free is to use a backup because Crptxxx Ransomware also deletes the Shadow Volume Copies of files after the data encryption. This means that free third-party data recovery software will not work. If your backup has been encrypted too or you simply have never created one, do not hurry to delete the files with the .crptxxx extension because it might be possible to unlock them all in the future.

You already know how Crptxxx Ransomware works, but you cannot say that you know everything about it unless you find out how this ransomware infection is distributed. In fact, the method used to spread it has not surprised our team of specialists at all because it is the same method similar ransomware infections employ to show up on users' computers unnoticed. That is, it is spread via spam emails, disguised as legitimate email attachments, e.g. important documents. Sadly, there are hundreds of gullible computer users who open these attachments. By doing that, they immediately allow Crptxxx Ransomware to enter their systems. Keep in mind that it is not the only existing ransomware-type infection, so if you keep opening attachments from all emails you get, you will sooner or later find your files encrypted again.

You cannot unlock your files by removing Crptxxx Ransomware, but you still must erase it as soon as possible because this infection creates a Value in the Run registry key, which means that it will continue working on the system even after a system restart. This means that it might strike again and encrypt new files. We are sure that you do not want this to happen, so you should put some effort into its deletion.

Remove Crptxxx Ransomware manually

  1. Launch Run (press Win+R).
  2. Type regedit.exe and click OK to open the Registry Editor.
  3. Find the crptxxx Value in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  4. Delete it.
  5. Close the Registry Editor.
  6. Open the Windows Explorer (press Win+E).
  7. Open %APPDATA% (type it in the address bar at the top of the window and tap Enter).
  8. Delete the mtrea.exe file from this folder.
  9. Open %USERPROFILE%\Desktop and remove either HOW_TO_FIX_!.txt or HOW_TO_DECRYPT.txt, depending on which one of them you find there.
  10. Go to these directories, find HOW_TO_FIX_!.txt or HOW_TO_DECRYPT.txt, and remove them, if you manage to find any of them:
  • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  • %ALLUSERSPROFILE%\Start Menu\Programs\Startup

N.B. Empty the Recycle Bin when you are finished.
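
The checks in the manual steps above can be run as a read-only PowerShell audit before anything is deleted. This is an added example, not part of the original guide; the value name, file names and paths are the ones listed in the steps, while the variable names and report layout are assumptions.

```powershell
# Added example: report-only audit for the artifacts named in the manual steps.
# Nothing is deleted or modified; review the output, then follow the steps.
$findings = @()

# Steps 3-4: a value named "crptxxx" in either Run key.
$runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains 'crptxxx')) {
        $findings += [pscustomobject]@{
            Type = 'Run value'; Location = $key; Detail = $props.crptxxx }
    }
}

# Steps 7-8: mtrea.exe in %APPDATA%. The hash is recorded for later reference.
$exe = Join-Path $env:APPDATA 'mtrea.exe'
if (Test-Path -LiteralPath $exe) {
    $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Type = 'Executable'; Location = $exe; Detail = "SHA256 $hash" }
}

# Steps 9-10: either ransom note on the Desktop or in the Startup folders.
$noteNames = 'HOW_TO_FIX_!.txt', 'HOW_TO_DECRYPT.txt'
$dirs = @(
    "$env:USERPROFILE\Desktop",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup"
)
foreach ($dir in $dirs) {
    foreach ($name in $noteNames) {
        $note = Join-Path $dir $name
        if (Test-Path -LiteralPath $note) {
            $findings += [pscustomobject]@{
                Type = 'Ransom note'; Location = $note; Detail = '' }
        }
    }
}

if ($findings.Count -eq 0) { 'No listed Crptxxx artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it once as the affected user and once from an elevated prompt, since the HKCU key and the %APPDATA% and %USERPROFILE% paths resolve per user.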

In non-techie terms:

Crptxxx Ransomware is a computer infection which illegally enters systems; however, users soon realize that something is wrong because they find a bunch of their files encrypted and carrying a new extension, .crptxxx. Ransomware-type infections do that to get easy money from users, but you should not be one of those users who support cyber criminals. Instead, uninstall this ransomware infection fully and make sure it does not leave any components on your PC. Do not forget to eliminate other untrustworthy applications active on your system too. You could have allowed them to enter your PC earlier, or they could have entered your system together with Crptxxx Ransomware.