How to Remove Cryptorbit (HOWDECRYPT) virus and Restore your files
Cryptorbit is another nasty piece of ransomware that behaves like the Cryptolocker virus. More specifically, when it infects your computer, it encrypts all the files on it. The bad news with these viruses is that, once they infect your computer, they encrypt critical files with strong encryption and it is practically impossible to decrypt them.
After the infection, the Cryptorbit ransomware informs the user that “All files including videos, photos and documents on user’s computer are encrypted” and that, in order to decrypt them, the user must make a payment (of 500$ or 600$) in BitCoins by following a specific procedure using the Tor Internet Browser.
The full Cryptorbit (HOWDECRYPT) information message is as follows:
“Cryptorbit
All files including videos, photos and documents on your computer are encrypted.
Encryption was produced using a unique public key generated for this computer. To decrypt files, you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files.
In order to decrypt the files, open site 4sfxctgp53imlvzk.onion.to/index.php and follow the instructions.
If 4sfxctgp53imlvzk.onion.to/index.php is not opening, please follow the steps below:
1. You must download and install this browser http://www.torproject.org/projects/torbrowser.html.en
2. After installation, run the browser and enter the address: 4sfxctgp53imlvzk.onion/index.php
3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.
IMPORTANT INFORMATION:
Your Personal CODE: 00000001-ED28BBCA”
Cryptorbit is not a virus but malware, and it probably infects your computer when you open an email attachment that seems innocent from a legitimate sender, or from your network shares, or from an external USB drive that was plugged into your computer.
Once Cryptorbit infects your computer, it starts to encrypt all files on your computer and then sends the decryption key – known as the “Cryptorbit Key” – to an online server. During the infection the malicious program also creates 3 files (HOWDECRYPT.GIF, HOWDECRYPT.HTML, HOWDECRYPT.TXT) in every folder whose contents it encrypts, with instructions for payment and decryption.
The Cryptorbit (HowDecrypt) virus doesn’t actually encrypt the whole file, but only the first 512 bytes of the file header. After the encryption, it takes the encrypted 512 bytes and stores them at the end of the file header. As a result, the file becomes corrupted and appears unrecognizable to the system, so you cannot open or access it anymore.
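To see which folders and files were hit before choosing a recovery option, the two indicators described above (the HOWDECRYPT note files and a file header that no longer matches the file type) can be checked with a read-only script. This is an added example, not part of the original article or of any tool it mentions; the function names and the signature table (a subset of the formats listed in this guide) are assumptions, and a mismatch is a triage hint rather than proof of encryption.

```python
import os
import tempfile

# Ransom-note file names the article says are dropped in every affected folder.
NOTE_NAMES = {"howdecrypt.gif", "howdecrypt.html", "howdecrypt.txt"}

# Well-known leading bytes for some of the formats named in this guide
# (assumption: MP3 is left out because it has no single fixed header).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office: DOC, XLS
ZIP = b"PK\x03\x04"                          # OOXML: DOCX, XLSX, PPTX
MAGIC = {".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF", ".pst": b"!BDN",
         ".doc": OLE2, ".xls": OLE2, ".docx": ZIP, ".xlsx": ZIP, ".pptx": ZIP}

def triage(root):
    """Return (folders containing a note file, files whose header is wrong)."""
    note_dirs, damaged = [], []
    for folder, _dirs, files in os.walk(root):
        if any(name.lower() in NOTE_NAMES for name in files):
            note_dirs.append(folder)
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:   # opened read-only, never modified
                    head = fh.read(8)
            except OSError:
                continue                       # unreadable file: skip, keep scanning
            if not head.startswith(MAGIC[ext]):
                damaged.append(path)
    return sorted(note_dirs), sorted(damaged)

def build_sample(root):
    """Constructed sample tree: 'clean' has an intact JPG, 'hit' a note and a bad JPG."""
    for sub, head in (("clean", b"\xff\xd8\xff\xe0"), ("hit", b"\x13\x37\x00\x00")):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "photo.jpg"), "wb") as fh:
            fh.write(head + b"\x00" * 600)
    with open(os.path.join(root, "hit", "HOWDECRYPT.TXT"), "w") as fh:
        fh.write("constructed placeholder, not a real note")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        notes, damaged = triage(tmp)
        print("folders with note files:", notes)
        print("files with unexpected header:", damaged)
```

Run `triage()` against a copy or a mounted image of the affected disk where possible, and keep the resulting list so that restored files can be checked against it afterwards.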
From our research on several sites, we can inform our readers that in some cases, the files remain encrypted, despite the fact that the user makes the payment. So make this decision (to pay to unlock your files) at your own risk. The other choice is to remove Cryptorbit infection from your computer, but in this case, you must realize that your files will remain encrypted, even if you disinfect your computer from this nasty malware. If you take this decision (to disinfect your computer) then you have the following options to get your files back:
Option 1. If you own Windows 7 or a later operating system and the System Restore feature was enabled on your computer, then you can try to restore your files from shadow copies by using the Windows “Restore previous versions” (Shadow Copies) feature found in the latest operating systems.
Option 2. If System Restore was disabled on your computer (e.g. after a virus attack) and you do not have another clean backup copy of your files in another place (e.g. on an “External Unplugged Hard disk”), then, thanks to Nathan Scott (nickname: DecrypterFixer, a BleepingComputer member), you can try the “Anti-CryptorBit” utility to decrypt (fix) your encrypted (corrupted) files for common file formats like JPG, PST, MP3, PDF, DOC, XLS, XLSX, PPTX and DOCX.
ONCE MORE: DO NOT CONTINUE TO REMOVE CRYPTORBIT VIRUS UNLESS:
YOU HAVE A CLEAN BACKUP COPY OF YOUR FILES STORED IN A DIFFERENT PLACE (like an unplugged portable hard disk)
or
YOU DON'T NEED THE ENCRYPTED FILES BECAUSE THEY ARE NOT SO IMPORTANT TO YOU.
or
YOU WANT TO GIVE IT A TRY TO RESTORE YOUR FILES USING SHADOW COPIES FEATURE (Step 4: Option-1) OR BY USING THE ANTI-CRYPTORBIT UTILITY (Step 4: Option-2).
So, if you have taken your final decision, then proceed first to remove CryptorBit Ransomware infection from your computer and then try to restore your files by following the steps below:
How to get rid of CryptorBit RansomWare & Restore CryptorBit Encrypted files.
CryptorBit (HOWDECRYPT) RansomWare Removal Guide
Step 1: Start your computer in “Safe Mode with Networking”
To do this,
1. Shut down your computer.
2. Start up your computer (Power On) and, as your computer is booting up, press the "F8" key before the Windows logo appears.
3. Using your keyboard arrows select the "Safe Mode with Networking" option and press "Enter".
Step 2. Stop and clean malicious running processes.
1. Download and save the "RogueKiller" utility on your computer* (e.g. your Desktop).
Notice*: Download version x86 or X64 according to your operating system's version. To find your operating system's version, "Right Click" on your computer icon, choose "Properties" and look at the "System Type" section.
2. Double click to run RogueKiller.
3. Let the prescan complete and then press the "Scan" button to perform a full scan.
4. When the full scan is completed, press the "Delete" button to remove all malicious items found.
5. Close RogueKiller and proceed to the next Step.
Step 3. Clean your computer from remaining malicious threats.
Download and install one of the most reliable FREE anti-malware programs available today to clean your computer from remaining malicious threats. If you want to stay constantly protected from malware threats, existing and future ones, we recommend that you install Malwarebytes Anti-Malware PRO.
1. Run "Malwarebytes Anti-Malware" and allow the program to update to its latest version and malware database if needed.
2. When the "Malwarebytes Anti-Malware" main window appears on your screen, choose the "Perform quick scan" option and then press "Scan" button and let the program scan your system for threats.
3. When the scanning is completed, press “OK” to close the information message and then press the "Show results" button to view and remove the malicious threats found.
4. At the "Show Results" window check – using your mouse's left button- all the infected objects and then choose the "Remove Selected" option and let the program remove the selected threats.
5. When the removal of infected objects process is complete, "Restart your system to remove all active threats properly".
6. Continue to the next step.
Step 4. Restore your files after Cryptorbit infection
Option 1. Restore CryptorBit encrypted files from Shadow Copies.
After you have disinfected your computer from the Cryptorbit virus, it is time to try to restore your files to their state prior to the infection. For these methods, we use the Shadow Copy feature, which works very well on the latest operating systems (Windows 8, 7 & Vista).
Method 1: Restore Cryptorbit encrypted files using Windows “Restore Previous versions” feature.
Method 2: Restore Cryptorbit encrypted files using Shadow Explorer.
Method 1: Restore Cryptorbit encrypted (corrupted) files using Windows “Restore Previous versions” feature.
How to restore Cryptorbit encrypted files using Windows “Restore Previous versions” feature:
1. Navigate to the folder or the file that you want to restore in a previous state and right-click on it.
2. From the drop-down menu select “Restore Previous Versions”.
3. Then choose a particular version of folder or file and then press the:
- “Open” button to view the contents of that folder/file.
- “Copy” to copy this folder/file to another location on your computer (e.g. your external hard drive).
- “Restore” to restore the folder/file to the same location and replace the existing one.
Method 2: Restore Cryptorbit encrypted (corrupted) files using Shadow Explorer.
How to restore Cryptorbit corrupted (encrypted) files using “Shadow Explorer” utility.
ShadowExplorer is a free replacement for the Previous Versions feature of Microsoft Windows Vista / 7 / 8. You can use it to restore lost or damaged files from Shadow Copies.
1. Download ShadowExplorer utility from here. (You can either download the ShadowExplorer installer or the Portable version of the program).
2. Run the ShadowExplorer utility and then select the date of the shadow copy from which you want to restore your folder/files.
3. Now navigate to the folder/file whose previous version you want to restore, right-click on it and select “Export”.
4. Finally specify where the shadow copy of your folder/file will be exported/saved (e.g. your Desktop) and press “OK”.
Option 2. Restore CryptorBit encrypted files using Anti-CryptorBit utility.
How to Decrypt (fix) Cryptorbit encrypted (corrupted) files using “Anti-CryptorBit” utility.
1. Download “Anti-CryptorBit” utility to your computer (e.g. your Desktop)
2. When download is completed, navigate to your Desktop and “Extract” the “Anti-CryptorBitV2.zip” file.
3. Now double-click to run the Anti-CryptorBitv2 utility.
4. Choose what type of files you want to recover. (e.g. “JPG”)
5. Finally choose the folder that contains the corrupted/encrypted (JPG) files and then press the “Start” button to fix them.
That’s it.
Johan
December 13, 2016 @ 2:40 pm
Instructions work well until step 4. After installing Anti-CryptorBit v2 I can start the application and select files or folders to decrypt. However, the program does nothing. No fixes, no messages, no nothing!
Lorrie Pallant
August 11, 2016 @ 2:31 am
Absolutely composed written content.
HIMANSHU
June 3, 2016 @ 6:48 pm
Sir. My computer is infected by ransomware RZA4096 strong encryption and all files in the computer are encrypted. So please give any solution.
lakonst
June 3, 2016 @ 6:52 pm
@HIMANSHU: Read this article for possible solutions to your problem: How to decrypt or get back encrypted files infected by known encrypting ransomware viruses.
Nav
August 4, 2016 @ 10:37 am
Hi Himanshu,
Were you able to decrypt the files? I am in the same situation and need help urgently.
rozario
October 12, 2014 @ 3:37 pm
All these options work, without paying in the Tor browser?
Or do all the steps have to be done after the payment?
Because I tried option 2 to try and restore using the Anti-CryptorBit utility and nothing worked out!
kindly reply…
lakonst
October 13, 2014 @ 7:39 am
These steps are without payment, but they aren't always effective. As I wrote in the post: "ONCE MORE: DO NOT CONTINUE TO REMOVE CRYPTORBIT VIRUS UNLESS:
YOU HAVE A CLEAN BACKUP COPY OF YOUR FILES STORED IN A DIFFERENT PLACE (like an unplugged portable hard disk)
or
YOU DON'T NEED THE ENCRYPTED FILES BECAUSE THEY ARE NOT SO IMPORTANT TO YOU.
or
YOU WANT TO GIVE IT A TRY TO RESTORE YOUR FILES USING SHADOW COPIES FEATURE (Step 4: Option-1) OR BY USING THE ANTI-CRYPTORBIT UTILITY (Step 4: Option-2)."
rozario
October 13, 2014 @ 8:50 am
I don't have a clean backup, but I need the encrypted files and they are VERY IMPORTANT… (Is payment in the Tor browser safe??) I tried using option-1 and option-2 but the file is still encrypted. Are there any other methods to recover some of the 2-3 MS Office files? Kindly advise.
^Thanks again for above reply
Greg
August 15, 2014 @ 12:57 am
DecrypterFixer was loaded with a Trojan. My AVG picked it up on installation.
ssssss
July 1, 2014 @ 1:16 pm
for dwg files?????
phil
June 9, 2014 @ 6:56 pm
DecrypterFixer from bleeping finally cracked CryptorBit version 1 completely. I got every one of my files back finally :) All I had to do was send him an encrypted file, and he sent me a decrypting application. Just wanted to let you guys know!
T Moore
May 23, 2014 @ 9:23 pm
It says to run this app I have to install .NET Framework V4.0.30319. Do you know where I could get this from please? Thanks
lakonst
May 24, 2014 @ 7:46 am
.NET Framework download link: http://www.microsoft.com/en-us/download/details.aspx?id=30653
elias
March 28, 2014 @ 11:39 am
the utility cannot decrypt .pdf file. is there any solution?
lakonst
March 28, 2014 @ 6:00 pm
I'm afraid that there isn't another solution. But you can also try these utilities from Kaspersky: RectorDecryptor, XoristDecryptor, RakhniDecryptor http://support.kaspersky.com/viruses/common/10952#block3
kundamdocdac
March 28, 2014 @ 10:10 am
Do you have another app for decrypting? I used this app but it does not work.
lakonst
March 28, 2014 @ 6:03 pm
No, I haven't. Try also these decrypt utilities from Kaspersky: RectorDecryptor, XoristDecryptor or RakhniDecryptor.
http://support.kaspersky.com/viruses/common/10952#block3
Jose Garcia
March 20, 2014 @ 5:52 am
Excellent contribution, my sincere congratulations!!!