Crypt6 Ransomware

What is Crypt6 Ransomware?

Crypt6 Ransomware is a malicious program that can encrypt a user’s files and then show a warning claiming the user has to pay for decryption. Since the ransom note is in French and the infection does not provide a means to translate it, we believe the threat’s creators could be targeting users who speak French only. This might mean the malware is not distributed widely. In any case, if you did encounter it, we recommend reading our full report to get to know Crypt6 Ransomware better. Further in the text, we will talk about its possible distribution channels, the way it works, and the ways it could be erased from the system. In addition, below the article you will find deletion instructions explaining how to eliminate this infection manually, step by step.

Where does Crypt6 Ransomware come from?

Our researchers at Anti-spyware-101.com suspect Crypt6 Ransomware could be distributed through malicious spam emails. This means users might infect the system themselves without even realizing it, by clicking suspicious links or opening questionable files received via email. Thus, it is a good idea to stay away from content sent via email if you did not expect to receive it or if it looks suspicious in some way, for example, if the sender's address appears to be forged. We also believe users should secure the system as well as possible: keep all software up to date to get rid of potential vulnerabilities, download programs only from reliable sources, and keep a legitimate antimalware tool that could protect the system in case of an emergency.

How does Crypt6 Ransomware work?

Our researchers report the malware is supposed to work like JobCrypter Ransomware, a threat that was created by the same hackers a while ago. Back then, the mentioned malicious program settled in by creating an executable file called locker.exe in the %APPDATA% directory and a few Registry entries that we list in the removal instructions below the text. This time, the new version might create a file called ch.exe in the same directory. At least that is what our tested sample did. Unfortunately, it did not work correctly, so for some details we can only guess how it should act based on its previous version. For example, just like its older version, Crypt6 Ransomware might be able to encrypt a lot of different file types, such as photos, videos, archives, documents and so on.

Another thing we should mention is that the infection should show a window with a ransom note soon after it finishes encrypting the victim’s files. The text, written in French, should demand that the user pay a ransom or never be able to open the data again. It might look like you have no choice, but we highly recommend not paying any money. A lot of things could go wrong, and if you do not wish to gamble with your savings, it would be wiser to pay no attention to the ransom note.

How to remove Crypt6 Ransomware?

There are a couple of ways to remove Crypt6 Ransomware from your computer. First of all, users could try completing the steps located at the end of this article, which explain how to eliminate the threat manually. The other way to ensure the malicious program is deleted is to scan the system with a legitimate antimalware tool and then press the provided removal button to erase all detections.

Get rid of Crypt6 Ransomware

  1. Tap Ctrl+Alt+Delete.
  2. Launch Task Manager.
  3. Look for the threat’s process.
  4. Select the malicious process and press End Task.
  5. Leave the Task Manager.
  6. Press Windows key+E.
  7. Find these folders:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  8. Find the malware’s launcher, then right-click it and press Delete.
  9. Go to %APPDATA%.
  10. Find a file named ch.exe or similar; right-click it and press Delete.
  11. Exit File Explorer.
  12. Press Windows key+R.
  13. Type regedit and press Enter.
  14. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  15. Search for a value name with value data that would lead to the malicious executable file you just erased.
  16. Right-click the mentioned value name and press Delete.
  17. Search for these locations:
    HKCR\Applications
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  18. Check if there are any keys belonging to the malware, right-click them and select Delete.
  19. Close Registry Editor.
  20. Empty your Recycle bin.
  21. Restart the system.
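
Before deleting anything by hand, the file and Run-key checks from the steps above can be done as a read-only PowerShell triage. This is an added example, not part of the original article or any vendor tool; it uses only the file names (ch.exe, locker.exe), folders and Run key named in the article, and its output field names are made up for illustration.

```powershell
# Read-only triage: this script only reports; it deletes nothing.
# File names are the ones named in the article.
$suspectNames = @('ch.exe', 'locker.exe')

# Folders the removal steps tell you to inspect (empty entries dropped).
$suspectDirs = @(
    $env:APPDATA
    $env:TEMP
    (Join-Path $env:USERPROFILE 'Desktop')
    (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ }

# Steps 9-10: look for the named executables directly in %APPDATA%.
foreach ($name in $suspectNames) {
    $path = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        [pscustomobject]@{
            Finding = 'File'
            Name    = $name
            Data    = $path
            Note    = "SHA256 $hash"
        }
    }
}

# Steps 14-15: list HKCU Run values whose data points into those folders.
$runKey = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($valueName in $runKey.GetValueNames()) {
        # GetValue() expands REG_EXPAND_SZ data such as %APPDATA%\ch.exe.
        $data = [string]$runKey.GetValue($valueName)
        foreach ($dir in $suspectDirs) {
            if ($data.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{
                    Finding = 'RunValue'
                    Name    = $valueName
                    Data    = $data
                    Note    = "points into $dir"
                }
                break
            }
        }
    }
}
```

A RunValue hit is only a lead: legitimate programs also start from %APPDATA%, so confirm that the value data leads to the malicious executable before deleting the entry in step 16.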