CryptFile2 Ransomware

What is CryptFile2 Ransomware?

CryptFile2 Ransomware is the newest version of a malicious program of the same name. Unlike the previous variant, which was spread with the Neutrino Exploit Kit, this one is distributed through infected email attachments. Our researchers at Anti-spyware-101.com also found that the threat is mostly spread in the United States, although users from other countries can get infected as well. Further in the article, we explain how this malicious application enters users' computers and what it does on the system. If you want to learn these details, keep reading. If you want to get rid of the malware as soon as possible, scroll below the text and use the removal instructions.

Where does CryptFile2 Ransomware come from?

Apparently, the malicious program was, and might still be, distributed through a large spam email campaign, during which infected files were sent not only to random people, but also to government agencies, educational institutions, insurance companies, and other organizations in the United States. What's more, the infection's creators made the attachments that carry CryptFile2 Ransomware look like Microsoft Word documents. To make them seem even more harmless and more tempting, the attached files were given names such as "AmericanAirlines discount" and "Bonus from AmericanAirlines".

How does CryptFile2 Ransomware work?

Immediately after the user launches an infected file, CryptFile2 Ransomware copies itself into the %APPDATA% folder. Then it creates a couple of values under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce registry keys. These entries are added so that the malicious program can open the ransom note each time you restart the computer. The note is a text file called HELP_DECRYPT_YOUR_FILES.TXT.

Nonetheless, before the ransom note appears, the malware locks the user's data with the RSA-2048 encryption algorithm. During the process, each encrypted file receives a rather long additional extension, e.g. document.doc.id_b2377035rqls3s4_email_enc3@dr.com_.scl, which follows the pattern .id_[personal ID]_email_[ransom e-mail]_.scl appended after the original name and extension. The infection targets a wide range of file types, so it can do a lot of damage. After the encryption, it drops the ransom note and places copies of it in almost every folder on the computer. The message is meant to scare users into paying the demanded ransom; in exchange, CryptFile2 Ransomware's creators promise to help users decrypt their data. Before you make a rash decision, consider the possibility that, no matter how reassuring they sound, you may never receive the decryptor and simply waste the transferred money. Thus, we advise you not to take any chances and eliminate the threat instead.
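The naming scheme above is enough to take a read-only inventory of an infected machine before any cleanup: which files were encrypted, which original file types were hit, and which ID / e-mail pair the attacker assigned. The following Python script is an added example written for this article, not code from the page or from any tool it mentions; the regular expression is derived from the single file name the article shows, and the list of sample file names is constructed for illustration.

```python
import os
import re
from collections import Counter

# Name layout the article gives for an encrypted file:
#   <original name>.id_<personal ID>_email_<ransom e-mail>_.scl
# e.g. document.doc.id_b2377035rqls3s4_email_enc3@dr.com_.scl
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+)"                 # original name, extension included
    r"\.id_(?P<victim_id>[A-Za-z0-9]+)"  # per-victim ID
    r"_email_(?P<email>\S+?@\S+?)"       # ransom contact address
    r"_\.scl$"
)

RANSOM_NOTE = "HELP_DECRYPT_YOUR_FILES.TXT"

# Constructed sample directory listing (not taken from a real infection).
SAMPLE_NAMES = [
    "document.doc.id_b2377035rqls3s4_email_enc3@dr.com_.scl",
    "budget.xlsx.id_b2377035rqls3s4_email_enc3@dr.com_.scl",
    "photo.jpg.id_b2377035rqls3s4_email_enc3@dr.com_.scl",
    "HELP_DECRYPT_YOUR_FILES.TXT",
    "notes.txt",     # untouched file
    "report.scl",    # legitimate .scl file, must not be flagged
]


def parse_encrypted_name(name):
    """Return (original name, victim ID, ransom e-mail) for a file name that
    follows the CryptFile2 scheme, or None if it does not."""
    m = ENCRYPTED_NAME_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("email")


def original_extension(original):
    """Lower-cased extension of the pre-encryption name ('' if none)."""
    return os.path.splitext(original)[1].lower()


def summarize(names):
    """Group encrypted names by (victim ID, e-mail), count the original
    extensions that were hit, and count ransom-note copies."""
    summary = {"encrypted": 0, "notes": 0, "victims": {}, "extensions": Counter()}
    for name in names:
        if name.upper() == RANSOM_NOTE:
            summary["notes"] += 1
            continue
        parsed = parse_encrypted_name(name)
        if parsed is None:
            continue
        original, victim_id, email = parsed
        summary["encrypted"] += 1
        summary["victims"].setdefault((victim_id, email), []).append(original)
        summary["extensions"][original_extension(original)] += 1
    return summary


def scan_tree(root):
    """Walk a directory tree and summarize its file names. Read-only: nothing
    is renamed or deleted, so it is safe to run before taking disk images."""
    names = []
    for _dirpath, _dirnames, filenames in os.walk(root):
        names.extend(filenames)
    return summarize(names)


if __name__ == "__main__":
    import sys
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_NAMES)
    print(f"{result['encrypted']} encrypted files, {result['notes']} ransom notes")
    for (vid, mail), originals in result["victims"].items():
        print(f"  ID {vid} via {mail}: {len(originals)} files")
    for ext, n in result["extensions"].most_common():
        print(f"  {ext or '(no extension)'}: {n}")
```

Run it with a drive or folder as the only argument to scan a real tree; without an argument it summarizes the constructed sample. Keep the ID and e-mail it reports: both are what a decryptor, if one ever becomes available, would need.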

How to remove CryptFile2 Ransomware?

As we mentioned earlier, the malicious application places its files on the system, so to erase it manually you have to locate and delete that data. To make it easier for you, our researchers prepared removal instructions; if you scroll down, you should notice them immediately. Naturally, the instructions may seem too complicated for less experienced users, or some of you might want to clean more threats from the system. In that case, it would be best to install a legitimate antimalware tool. With its scanner you can check the whole computer, and if there is other suspicious software besides CryptFile2 Ransomware, you can delete it all with one mouse click.

Erase CryptFile2 Ransomware

  1. Open the Explorer by pressing Windows Key+E.
  2. Insert the following location and press Enter: %APPDATA%
  3. Look for a malicious file with a random name (its title may include your unique ID number), right-click it and select Delete.
  4. Press Windows Key+R, type Regedit and click OK.
  5. Navigate to these directories separately:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  6. Look for values named SecurityFlashPlayersHardWare and SecurityFlashPlayers32 (their value data should point to the malicious file).
  7. Right-click these value names one by one and click Delete.
  8. Erase the ransom notes from all directories.
  9. Empty the Recycle bin.
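Steps 4 to 7 can be done without clicking through Regedit, which also catches a variant that uses different value names but still launches something from %APPDATA%. The script below is an added example for this article, not code from the page or from any product; it only reports, so deletion remains a manual step. The two value names come from the article; the sample registry contents, the victim user name and the file name under AppData are constructed for illustration.

```python
import os
import sys

# Value names the article attributes to CryptFile2 under HKCU Run / RunOnce.
KNOWN_VALUE_NAMES = {"SecurityFlashPlayersHardWare", "SecurityFlashPlayers32"}
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Constructed sample of what the two keys might contain on an infected
# machine; the OneDrive entry is a benign control. File name is hypothetical.
APPDATA = r"C:\Users\victim\AppData\Roaming"
SAMPLE_VALUES = {
    RUN_KEYS[0]: {
        "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
        "SecurityFlashPlayersHardWare": r'"C:\Users\victim\AppData\Roaming\b2377035rqls3s4.exe"',
    },
    RUN_KEYS[1]: {
        "SecurityFlashPlayers32": r"C:\Users\victim\AppData\Roaming\b2377035rqls3s4.exe",
        "Updater": r"C:\Users\victim\AppData\Roaming\unknown\upd.exe -q",
    },
}


def command_path(value_data):
    """Executable path from Run-value data: strips surrounding quotes and any
    trailing arguments ('"C:\\x y\\a.exe" /b' -> 'C:\\x y\\a.exe')."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def _norm(path):
    # Case-insensitive, backslash-only form so the check works off-box too.
    return path.strip().lower().replace("/", "\\").rstrip("\\")


def is_under(path, parent):
    """True if path lies inside parent (Windows path semantics)."""
    return _norm(path).startswith(_norm(parent) + "\\")


def triage_run_values(values, appdata):
    """values: {key path: {value name: value data}}.
    Returns (key path, value name, reason) for every suspicious entry."""
    findings = []
    for key_path, entries in values.items():
        for name, data in entries.items():
            if name in KNOWN_VALUE_NAMES:
                findings.append((key_path, name, "value name known from CryptFile2"))
            elif is_under(command_path(data), appdata):
                findings.append((key_path, name, "starts a program from %APPDATA%"))
    return findings


def read_run_values():
    """Read both keys from the live registry. Windows only (winreg)."""
    import winreg
    result = {}
    for key_path in RUN_KEYS:
        entries = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    entries[name] = str(data)
                    index += 1
        except FileNotFoundError:
            pass  # RunOnce is often absent; that is fine
        result[key_path] = entries
    return result


if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    values = read_run_values() if on_windows else SAMPLE_VALUES
    appdata = os.environ.get("APPDATA", APPDATA) if on_windows else APPDATA
    for key_path, name, reason in triage_run_values(values, appdata):
        print(f"HKCU\\{key_path}\\{name}: {reason}")
```

On Windows the script reads the real keys and your real %APPDATA%; elsewhere it runs against the constructed sample. Anything it reports under the second reason is a judgement call, since some legitimate installers also start from the roaming profile, so check the file it points to before deleting the value.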