Last updated on March 19th, 2014
Cryptorbit is another nasty piece of ransomware that behaves like the Cryptolocker virus: when it infects your computer, it encrypts all the files on it. The bad news with these viruses is that once they infect your computer, they encrypt critical files with strong encryption, and it is practically impossible to decrypt them.
Specifically, after the infection, the Cryptorbit ransomware informs the user that “All files including videos, photos and documents on user’s computer are encrypted” and that, in order to decrypt them, the user must make a payment (of 500$ or 600$) in BitCoins by following a specific procedure using the Tor Internet browser.
The full Cryptorbit (HOWDECRYPT) information message is as follows:
“All files including videos, photos and documents on your computer are encrypted.
Encryption was produced using a unique public key generated for this computer. To decrypt files, you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files.
In order to decrypt the files, open site 4sfxctgp53imlvzk.onion.to/index.php and follow the instructions.
If 4sfxctgp53imlvzk.onion.to/index.php is not opening, please follow the steps below:
1. You must download and install this browser http://www.torproject.org/projects/torbrowser.html.en
2. After installation, run the browser and enter the address: 4sfxctgp53imlvzk.onion/index.php
3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.
Your Personal CODE: 00000001-ED28BBCA”
Cryptorbit is not a virus but malware, and it probably infects your computer when you open an innocent-looking email attachment from a seemingly legitimate sender, or through your network shares, or from an external USB drive that was plugged into your computer.
Once Cryptorbit infects your computer, it starts to encrypt all files on it and then sends the decryption key (known as the “Cryptorbit Key”) to an online server. During the infection, the malicious program also creates 3 files (HOWDECRYPT.GIF, HOWDECRYPT.HTML, HOWDECRYPT.TXT), containing instructions for payment and decryption, in every folder whose contents it encrypts.
The Cryptorbit (HowDecrypt) virus doesn’t actually encrypt the whole file, but only the first 512 bytes of the file header. After the encryption, it takes the encrypted 512 bytes and stores them at the end of the file header. As a result, the file becomes corrupted and unrecognizable to the system, so you cannot open or access it anymore.
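A read-only triage check for the behaviour described above, as an added example that is not part of the original guide or of the Anti-CryptorBit utility: it lists folders that contain HOWDECRYPT note files and files whose leading bytes no longer match the standard signature for their extension. The function names and the sample files are constructed for illustration, and MP3 is left out because its header varies.

```python
import os
import tempfile

# Standard leading-byte signatures for formats named above (MP3 omitted).
OLE = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP = b"PK\x03\x04"
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"], ".pdf": [b"%PDF"], ".pst": [b"!BDN"],
    ".doc": [OLE], ".xls": [OLE], ".docx": [ZIP], ".xlsx": [ZIP], ".pptx": [ZIP],
}
NOTES = {"howdecrypt.gif", "howdecrypt.html", "howdecrypt.txt"}


def triage(root):
    """Return (folders holding ransom notes, files whose header looks damaged)."""
    note_dirs, damaged = [], []
    for folder, _dirs, files in os.walk(root):
        if NOTES & {f.lower() for f in files}:
            note_dirs.append(folder)
        for name in files:
            sigs = MAGIC.get(os.path.splitext(name)[1].lower())
            if not sigs:
                continue  # format not covered by this check
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:  # read-only: files are never modified
                    head = fh.read(8)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if not any(head.startswith(s) for s in sigs):
                damaged.append(path)
    return sorted(note_dirs), sorted(damaged)


def build_sample(root):
    """Constructed sample tree: intact PDF, JPG with scrambled header, one note."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    samples = {"ok.pdf": b"%PDF-1.4\n" + b"\0" * 600,
               "photo.jpg": bytes(range(1, 256)) * 3,  # stands in for encryption
               "HOWDECRYPT.TXT": b"constructed placeholder note\n"}
    for name, data in samples.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # demo on constructed files only
        build_sample(tmp)
        print(triage(tmp))
```

A signature mismatch only shows that a file's header is damaged, not what damaged it, so treat the list as the set of files to check against backups or shadow copies.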
From our research on several sites, we can inform our readers that in some cases the files remain encrypted even though the user makes the payment. So make this decision (to pay to unlock your files) at your own risk. The other choice is to remove the Cryptorbit infection from your computer, but in this case you must realize that your files will remain encrypted even after you disinfect your computer from this nasty malware. If you take this decision (to disinfect your computer), you have the following options to get your files back:
Option 1. If you own Windows 7 or a later operating system and the System Restore feature was enabled on your computer, you can try to restore your files from shadow copies by using Windows' “Restore previous versions” (Shadow Copies) feature, found in the latest operating systems.
Option 2. If System Restore was disabled on your computer (e.g. after a virus attack) and you do not have another clean backup copy of your files in another place (e.g. on an external, unplugged hard disk), then, thanks to Nathan Scott (nickname: DecrypterFixer, a BleepingComputer member), you can try the “Anti-CryptorBit” utility to decrypt (fix) your encrypted (corrupted) files for common formats such as JPG, PST, MP3, PDF, DOC, XLS, XLSX, PPTX and DOCX.
ONCE MORE: DO NOT CONTINUE TO REMOVE CRYPTORBIT VIRUS UNLESS:
YOU HAVE A CLEAN BACKUP COPY OF YOUR FILES STORED IN A DIFFERENT PLACE (like an unplugged portable hard disk)
YOU DON’T NEED THE ENCRYPTED FILES BECAUSE THEY ARE NOT SO IMPORTANT TO YOU.
So, if you have made your final decision, first remove the CryptorBit ransomware infection from your computer and then try to restore your files by following the steps below:
How to get rid of CryptorBit RansomWare & Restore CryptorBit Encrypted files.
CryptorBit (HOWDECRYPT) RansomWare Removal Guide
Step 1: Start your computer in “Safe Mode with Networking”
To do this,
1. Shut down your computer.
2. Start up your computer (Power On) and, as your computer is booting up, press the "F8" key before the Windows logo appears.
3. Using your keyboard arrows select the "Safe Mode with Networking" option and press "Enter".
Step 2. Stop and clean malicious running processes.
1. Download and save the "RogueKiller" utility on your computer* (e.g. your Desktop).
Notice*: Download version x86 or X64 according to your operating system's version. To find your operating system's version, "Right Click" on your computer icon, choose "Properties" and look at "System Type" section.
2. Double Click to run RogueKiller.
3. Let the prescan complete and then press the "Scan" button to perform a full scan.
4. When the full scan is completed, press the "Delete" button to remove all malicious items found.
5. Close RogueKiller and proceed to the next Step.
Step 3. Clean your computer from remaining malicious threats.
Download and install one of the most reliable FREE anti-malware programs available today to clean your computer from remaining malicious threats. If you want to stay constantly protected from malware threats, existing and future ones, we recommend that you install Malwarebytes Anti-Malware PRO:
1. Run "Malwarebytes Anti-Malware" and allow the program to update to its latest version and malware database if needed.
2. When the "Malwarebytes Anti-Malware" main window appears on your screen, choose the "Perform quick scan" option, then press the "Scan" button and let the program scan your system for threats.
3. When the scanning is completed, press “OK” to close the information message and then press the "Show results" button to view and remove the malicious threats found.
4. At the "Show Results" window, check (using your mouse's left button) all the infected objects, then choose the "Remove Selected" option and let the program remove the selected threats.
5. When the removal of the infected objects is complete, "Restart your system to remove all active threats properly".
6. Continue to the next step.
Step 4. Restore your files after Cryptorbit infection
Option 1. Restore CryptorBit encrypted files from Shadow Copies.
After you have disinfected your computer from the Cryptorbit virus, it is time to try to restore your files to their state prior to the infection. For these methods, we use the Shadow Copy feature, which works excellently in the latest operating systems (Windows 8, 7 & Vista).
Method 1: Restore Cryptorbit encrypted (corrupted) files using Windows “Restore Previous versions” feature.
How to restore Cryptorbit encrypted files using Windows “Restore Previous versions” feature:
1. Navigate to the folder or the file that you want to restore in a previous state and right-click on it.
2. From the drop-down menu select “Restore Previous Versions”.
3. Then choose a particular version of the folder or file and press:
- “Open” button to view the contents of that folder/file.
- “Copy” to copy this folder/file to another location on your computer (e.g. your external hard drive).
- “Restore” to restore the folder/file to the same location and replace the existing one.
How to restore Cryptorbit corrupted (encrypted) files using “Shadow Explorer” utility.
ShadowExplorer is a free replacement for the Previous Versions feature of Microsoft Windows Vista / 7 / 8. You can use it to restore lost or damaged files from Shadow Copies.
2. Run the ShadowExplorer utility and then select the date of the shadow copy from which you want to restore your folder/files.
3. Now navigate to the folder/file whose previous version you want to restore, right-click on it and select “Export”.
4. Finally specify where the shadow copy of your folder/file will be exported/saved (e.g. your Desktop) and press “OK”.
Option 2. Restore CryptorBit encrypted files using Anti-CryptorBit utility.
How to Decrypt (fix) Cryptorbit encrypted (corrupted) files using “Anti-CryptorBit” utility.
1. Download “Anti-CryptorBit” utility to your computer (e.g. your Desktop)
2. When the download is completed, navigate to your Desktop and “Extract” the “Anti-CryptorBitV2.zip” file.
3. Now double-click to run the Anti-CryptorBitv2 utility.
4. Choose what type of files you want to recover. (e.g. “JPG”)
5. Finally, choose the folder that contains the corrupted/encrypted (JPG) files and then press the “Start” button to fix them.