Microsoft Decryptor Ransomware

Posted by Max Lehmann on July 12, 2016

What is Microsoft Decryptor Ransomware?

Microsoft Decryptor Ransomware is the newest iteration of CryptXXX Ransomware. Therefore, it is extremely dangerous, and it has to be removed as soon as possible. Testing has shown that this ransomware has been designed to enter your computer using a covert method, encrypt all files on it and demand you to pay a random to get them back. You may be in favor of paying the ransom if you have valuable files, but we warn you that you the cyber crooks might not give you the decryption key needed to decrypt the files. Read this description to find out more about it and see below this description if you want a manual step-by-step removal guide.testtesttest

Where does Microsoft Decryptor Ransomware come from?

As mentioned, this ransomware is the newest iteration of CryptXXX Ransomware, which has been released in March of 2016. Since then this ransomware has been the basis of new ransomware-type infections that where probably developed by the same cyber crooks. UltraCrypter Ransomware, first seen in June of 2016, is also based on CryptXXX Ransomware. It has more clones but without going into too much detail, it is evident that it comes from an experienced developer dedicated to making quality infections that are capable of causing major damage to your system.

Microsoft Decryptor Ransomware and other ransomware that belongs to this family do not rely on executable (.exe) files to run. Its developers utilize Dynamic Lin Library (.dll) files to make it work. Therefore, our malware analysts have ruled out the possibility of it being distributed using email spam because you cannot launch a .dll file by double-clicking it. Researchers say that it is being distributed using the Angler Exploit Kit. This exploit kit is embedded into legitimate websites by hacking them and injecting malicious HTML or JavaScript into their content. Your computer can become infected with this ransomware without your intervention. To prevent such infections, you should protect your computer with an antimalware program.

How does Microsoft Decryptor Ransomware work?

Research has shown that it has one .dll file, but newer versions might have more than one. The sample tested by our malware researchers dropped the .dll file to a created CLSID folder that was named {C3F31E62-344D-4056-BF01-BF77B94E0254}. Take note that the name can be different with each case. The name of the dropped file was api-ms-win-system-softpub-l1-1-0.dll. Testing has shown that this file is launched by utilizing rundll32.exe found in %WINDIR%\SysWOW64 or %WINDIR%\System32. However, this ransomware creates a copy of rundll32.exe named svchost.exe that is placed in {C3F31E62-344D-4056-BF01-BF77B94E0254}. Now that we have briefly overviewed its infection process let us take a look at what it does next.

After a successful infection, Microsoft Decryptor Ransomware hibernates from 15 to 60 minutes and then springs into action. It scans the whole computer for file formats of interest and encrypts the with the RSA-4096 encryption cipher. To date, we know of no third-party decryption tool that could crack this ransomware’s encryption. Therefore, the only way to get your files back is to pay the ransom. However, we want to stress that you may never receive it, so think carefully whether your files are worth the money. Also, the cyber crooks have built in a timer, and when the time runs out, the ransom is set to increase. If you miss the deadline, then you will have to pay up to 2.4 BTC (654 USD or 590 EUR.) So it demands a reasonable amount of money. Regardless, of whether it encrypted your important files, we do not recommend that you pay the ransom. Some variants of this ransomware might lock the screen, but you can bypass it by holding down Ctrl+Alt+Delete keys and restarting your computer. After your system boots up again, the lock screen should not appear.

How do I remove Microsoft Decryptor Ransomware?

If you have decided to get rid of this ransomware, then you are in luck because our malware researchers have made a guide that will help you delete its files. Alternatively, you can use our featured program SpyHunter because it is more than capable of eradicating Microsoft Decryptor Ransomware and keeping your PC safe from similar infections in the future. However, you have to keep in mind that your files will remain encrypted after you have this infection has been neutralized.

Manual Removal Guide

  1. Hold down Windows+E keys.
  2. In the File Explorer’s address box, enter %TEMP%
  3. Locate the randomly named CLSID folder (e.g. {C3F31E62-344D-4056-BF01-BF77B94E0254})
  4. Locate the malicious .dll file (e. g. api-ms-win-system-softpub-l1-1-0.dll)
  5. Right-click the .dll file and click Delete.
  6. The, go to the following locations and deletethe randomly named additional files.
    • %ALLUSERSPROFILE%\[Unique ID].bmp
    • %ALLUSERSPROFILE%\[Unique ID].html
    • %USERPROFILE%\Desktop\[Unique ID].bmp
    • %USERPROFILE%\Desktop\[Unique ID].html
    • %USERPROFILE%\Desktop\[Unique ID].txt
  7. Empty the Recycle Bin.
100% FREE spyware scan and
tested removal of Microsoft Decryptor Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *