CryptoRoger Ransomware Removal Guide

Do you know what CryptoRoger Ransomware is?

CryptoRoger Ransomware was first sighted on June 21, 2016. This infection targets unprotected, vulnerable computers that cannot stop it, and if it makes its way onto your computer, it will encrypt every file on it and leave a ransom note in the form of a text file that tells you what to do next to get your data back. What you need to decrypt your files is a decryption key, and the cyber criminals will give it to you only if you pay the sum of money they ask for. However, the chances are that they will not give you this key even if you pay. Therefore, the only viable solution is obvious: you have to remove this infection.

CryptoRoger Ransomware’s developers have opted to distribute it using email spam. It seems to send the infected emails to random addresses, but we think that it obtains the addresses from third-party websites. In any case, its emails masquerade as ordinary invoices and business-related correspondence and come with an attachment, which we think is either an ordinary archive or simply the executable of this ransomware disguised as an image file or Word document. When the attachment is opened, this infection begins encrypting the files, and there is no way to stop it. It completes this process within a matter of minutes.

Research has shown that this infection does not self-extract and run automatically. It requires the victim to open it manually, and once that is done, CryptoRoger Ransomware starts encrypting the files. Our malware researchers have discovered that this ransomware uses the AES-256 encryption algorithm to encrypt the files and the RSA algorithm to encrypt the key needed to decrypt them. So you cannot use this key, and the only way to get it is by paying the hefty ransom of 0.5 BTC (approximately 330 USD). While encrypting, this ransomware appends the .crptrgr extension to each file, and once the encryption process is complete it creates and opens an .html file named !Where_are_my_files!.html that contains the ransom note. This file is created in every folder where a file was encrypted, so you cannot miss it. The cyber criminals behind CryptoRoger Ransomware want you to contact them via a TOR messaging service called uTox to get instructions on how to obtain Bitcoins and pay the ransom. So there are many things going on with this infection, but the way it works is pretty straightforward: it infects, encrypts, and demands money.

When you launch its main executable from the location it was placed in, the infection does not copy itself anywhere else on your computer. However, CryptoRoger Ransomware creates three additional files called bg.jpeg, files.txt, and keys.dat in the %APPDATA% directory. The bg.jpeg file is set as the background image; files.txt contains information such as the paths of all encrypted files and their MD5 hashes; keys.dat is the file encrypted with the RSA algorithm, and you are supposed to send it to the cyber criminals. Once you have paid the ransom, this infection’s creators should send you the decryption application and key. However, uTox must be running at all times for them to receive your messages and for you to receive the decryption key, so, in the end, you might not get it. Also, if you hesitate to pay, the ransom is set to increase several times. Nevertheless, we are of the opinion that you should not comply with their demands, as they might not give you the promised decryption key.

Unfortunately, decrypting your files with a third-party decryption tool is not an option either, because such a tool does not exist yet, and the chances are that it will not be developed, because the combination of AES and RSA encryption is next to impossible to break without the key. Malware researchers will continue analyzing this ransomware, and if they find a design flaw that gives them access to the decryption keys, then such a tool can be developed. In the meantime, if your PC has been infected with this ransomware, we recommend that you remove its executable and delete the files it created from their respective locations.

How to delete CryptoRoger Ransomware

  1. Delete this ransomware’s executable from the location it was run from.
  2. Then, press Windows+E keys.
  3. In the File Explorer window’s address bar enter %APPDATA%.
  4. Locate and delete bg.jpeg, files.txt, and keys.dat.
  5. Press Windows+R keys.
  6. Type regedit in the box and click OK.
  7. Find and delete the HKCU\Software\CryptoRoger registry key.
  8. Done.
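To check whether the artifacts described above (the .crptrgr extension, the !Where_are_my_files!.html note, the three files in %APPDATA% and the HKCU\Software\CryptoRoger key) are present before and after following the steps, here is an added triage script; it is not part of the original guide or of any vendor tool, and the folder names and sample files in demo() are constructed for illustration.

```python
import os
import sys
import tempfile

# Indicators as stated in the guide above.
ENCRYPTED_EXT = ".crptrgr"
RANSOM_NOTE = "!Where_are_my_files!.html"
APPDATA_ARTIFACTS = ("bg.jpeg", "files.txt", "keys.dat")
REGISTRY_KEY = r"Software\CryptoRoger"  # under HKCU, per the removal steps

def scan_tree(root):
    """Return (encrypted_files, ransom_notes) found anywhere under root."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name == RANSOM_NOTE:
                notes.append(path)
    return sorted(encrypted), sorted(notes)

def scan_appdata(appdata_dir):
    """Return which of the three dropped files are present in appdata_dir."""
    return [n for n in APPDATA_ARTIFACTS
            if os.path.isfile(os.path.join(appdata_dir, n))]

def registry_key_present():
    """True/False for HKCU\\Software\\CryptoRoger on Windows, None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REGISTRY_KEY):
            return True
    except OSError:
        return False

def demo():
    """Scan a constructed sample tree (empty files, not real malware output)."""
    root = tempfile.mkdtemp()
    docs, appdata = os.path.join(root, "Documents"), os.path.join(root, "AppData")
    for folder in (docs, appdata):
        os.makedirs(folder)
    for name in ("report.docx.crptrgr", "photo.jpg.crptrgr", RANSOM_NOTE, "readme.txt"):
        open(os.path.join(docs, name), "w").close()
    for name in APPDATA_ARTIFACTS:
        open(os.path.join(appdata, name), "w").close()
    encrypted, notes = scan_tree(root)
    return {"encrypted": len(encrypted), "notes": len(notes),
            "appdata": scan_appdata(appdata), "registry": registry_key_present()}
```

On a real machine, call scan_tree on the user profile and scan_appdata on os.environ["APPDATA"]; an empty result after cleanup confirms steps 1 to 7 removed everything the guide lists.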

In non-techie terms:

CryptoRoger Ransomware is a ransomware-type malware that enters unprotected computers via email spam. When launched, it encrypts all files on the computer and then demands that you pay a ransom for the decryption key to get the files back. We do not recommend that you pay the ransom, because it is likely that you will not get the key. We recommend that you delete this infection using SpyHunter, our featured anti-malware program.