The Cryptomix or Ransom.CryptoMix is a variant of crypto viruses also known as ransomware. It affects all current versions of Microsoft Windows operating system like the Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. The Cryptomix ransomware stealthily penetrates the computer with the help of spam emails and malware. It encrypts documents, photos and music which stored on the system disks. While encrypting, it renames all important files so that they have a new extension and filename.
one of the variants of Cryptomix ransom note
The Cryptomix ransomware virus uses very strong hybrid encryption with a large key to eliminate the possibility of brute force a key that will allow to decrypt encrypted personal files. The Cryptomix virus encrypts almost of files, including common as:
.menu, wallet, .wmf, .xlsx, .xf, .tax, .w3x, .epk, .jpe, .zw, .kdb, .y, .cer, .vpp_pc, .docm, .odc, .p12, .bsa, .gho, .p7b, .zip, .xlsm, .wgz, .esm, .wpd, .ods, .sav, .zabw, .webdoc, .wma, .fos, .eps, .ws, .0, .lvl, .kf, .odm, .odb, .dba, .wpb, .gdb, .mdbackup, .wot, .cr2, .wbz, .sr2, .xmmap, .big, .ff, .wbc, .x3d, .blob, .wp7, .vfs0, .z, .zip, .mlx, .wpw, .hkx, .py, .xxx, .ppt, .xls, .wp4, .pdf, .ncf, .pdd, .qic, .mp4, .rb, .cdr, .srf, .dbf, .bik, .pef, .xll, .m4a, .wsd, .rtf, .rar, .wmv, .erf, .jpeg, .indd, .m3u, .sid, .accdb, .wpd, .wp, .desc, .srw, .arw, .docx, .sum, .1, .wps, .pfx, .x3f, .pptx, .dazip, .itdb, .x, .raf, .vdf, .ntl, .hplg, .sie, .ybk, .3fr, .qdf, .dng, .fsh, .mef, .r3d, .crt, .zdc, .vcf, .bay, .upk, .apk, .jpg, .xdb, .slm, .xlsm, .layout, .wmd, .wm, .cfr, .kdc, .t13, .doc, .wotreplay, .mdb, .sidn, .mdf, .d3dbsp, .wcf, .re4, .wbd, .csv, .das, .dwg, .wbm, .rim, .ltx, .wpe, .db0, .nrw, .wpl, .xls, .itl, .zdb, .zi, .sb, .yml, .xlk, .wbk, .zif, .crw, .raw, .wav, .yal, .xld, .arch00, .xmind, .icxs, .mov, .wp6, .wbmp, .js, .pptm, .forge, .svg, .dxg, .xml, .litemod, .sidd, .lrf, .1st, .wsc, .snx, .webp, .psd, .rgss3a, .wps, .xyw, .wmo, .orf, .ibank, .mcmeta, .wri, .z3d, .p7c, .tor, .itm, .dmp, .bar, .xar, .pem, .xyp, .sis, .cas, .t12, .odt, .7z, .rw2, .psk, .avi, .dcr, .txt, .m2, .3ds, .png, .sql, .wn, .ysp, .ztmp, .ai, .map, .wpt, .wp5, .x3f, .asset, .3dm, .xx, .css, .wpg, .mpqge, .wmv, .xdl, .hvpl, .bkp, .pst, .bc6, .wma, .der, .mrwref, .rofl, .pkpass, .wsh, .mddata, .iwd, .2bp, .syncdb, .xlsx, .wpa, .xpm, .wire, .rwl, .xlgc, .xlsb, .wdp, .vtf, .ptx, .bkf, .xbdoc, .hkdb, .fpk, .wb2, .pak, .xy3, .xwp, .flv, .vpk, .lbf, .xbplate, .wdb, .iwi, .bc7
Once a file is encrypted, its filename changed and extension replaced to new one. For example, a file named sample.jpg would be encrypted and renamed to something like C9BA1471A2D9A12C3FA6C4BCA8C6BA14.MOLE.
The Cryptomix ransomware uses the following extensions:
.AZER, .MOLE, .rmd, .CK, .mole00, .rscl, .CNC, .mole02, .scl, .code, .mole03, .SHARK, .SYSTEM, .CRYPTOSHIELD, .NOOB, .WALLET, MOLE66, .ERROR, .OGONIA, EMPTY, .x1881, .EXTE, .PIRATE, .ZAYKA, .lesli, .rdmk, .ZERO.
The Cryptomix ransomware virus drops a file that is a ransom note. This file contain an information on how to decrypt all encrypted data. The Cryptomix ransomware uses the following ransom note files:
- _HELP_INSTRUCTION.TXT
- HELP_YOUR_FILES.HTML
- HELP_YOUR_FILES.TXT
- INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT
Below we give some examples of such ransom notes:
Hello!
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
shark01@msgden.com
shark02@techmail.info
shark003@protonmail.com
We will help You as soon as possible!
Hello!
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
systemwall@keemail.me
systemwall@protonmail.com
systemwall@yandex.com
systemwall1@yandex.com
Please send email to all email addresses! We will help You as soon as possible!
IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!
The ransomnote encourages victim to contact Cryptomix’s makers in order to decrypt all documents, photos and music. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins). We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your files. Especially since you have a chance to recover your encrypted files for free using free utilities like ShadowExplorer and PhotoRec.
We suggest you to remove Cryptomix ransomware as quickly as possible, until the presence of the ransomware has not led to even worse consequences. You need to follow the guidance below that will allow you to completely remove Cryptomix ransomware from your PC system as well as recover encrypted files, using only few free tools.
Table of contents
- What is Cryptomix ransomware virus
- Cryptomix Decryptor
- How to decrypt files encrypted by Cryptomix
- How to remove Cryptomix virus
- How to restore files encrypted by Cryptomix
- How to prevent your PC system from becoming infected by Cryptomix virus?
- To sum up
Cryptomix Decryptor
Thanks to the Avast company and in cooperation with CERT.PL, the Cryptomix Decryptor has been developed. It allows you to decrypt files encrypted with several types of the Cryptomix ransomware. The Cryptomix Decryptor can decrypt files will have one of the following extensions:
- .CRYPTOSHIELD
- .rdmk
- .lesli
- .scl
- .code
- .rmd
- .rscl
- .MOLE
Unfortunately, the Cryptomix Decryptor can only help those victims of the Cryptomix ransomware, whose files have been encrypted in offline mode. The offline mode is when for any reason the ransomware virus can not contact the command server.
How to decrypt files encrypted by Cryptomix
In order to decrypt files encrypted by Cryptomix in offline mode please download the Cryptomix Decryptor from the Avast web-site. Use the following link:
https://files.avast.com/files/decryptor/avast_decryptor_cryptomix.exe
Run avast_decryptor_cryptomix.exe and follow the prompts.
For other cases, currently there is no available tools to decrypt files, but you have a chance to restore encrypted files for free using ShadowExplorer or Photorec.
How to remove Cryptomix virus
There are a few methods that can be used to remove Cryptomix. But, not all ransomware such as this ransomware virus can be completely removed utilizing only manual ways. Most commonly you are not able to delete any virus using standard MS Windows options. In order to get rid of Cryptomix you need use reliable removal tools. Most IT security researchers states that Zemana Anti-malware, Malwarebytes or KVRT utilities are a right choice. These free programs are able to search for and get rid of Cryptomix ransomware from your system for free.
Remove Cryptomix ransomware virus with Zemana Anti-malware
Zemana Anti-malware is a tool that can remove ransomwares, adware, potentially unwanted applications, browser hijacker infections and other malware from your machine easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses minimum of PC system resources.
Installing the Zemana is simple. First you’ll need to download Zemana AntiMalware (ZAM) on your system from the following link.
164985 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once the download is finished, close all applications and windows on your system. Double-click the install file named Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as shown on the image below, click the “Yes” button.
It will open the “Setup wizard” which will help you install Zemana AntiMalware on your computer. Follow the prompts and don’t make any changes to default settings.
Once install is done successfully, Zemana will automatically start and you can see its main screen as displayed on the image below.
Now press the “Scan” button . Zemana Anti-Malware utility will begin scanning the whole personal computer to find out Cryptomix virus and other malicious software and PUPs. This task can take some time, so please be patient.
Once the system scan is finished, Zemana will produce a list of undesired and adware. When you’re ready, click “Next” button. The Zemana AntiMalware (ZAM) will get rid of Cryptomix ransomware and other kinds of potential threats like malicious software and PUPs. When that process is complete, you may be prompted to restart the PC system.
How to remove Cryptomix with Malwarebytes
We suggest using the Malwarebytes Free. You can download and install Malwarebytes to search for and remove Cryptomix ransomware virus from your PC. When installed and updated, the free malicious software remover will automatically scan and detect all threats exist on the computer.
- Download MalwareBytes Anti Malware (MBAM) on your PC system from the link below.
Malwarebytes Anti-malware
327224 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- After downloading is done, close all applications and windows on your PC. Open a folder in which you saved it. Double-click on the icon that’s named mb3-setup.
- Further, press Next button and follow the prompts.
- Once installation is done, click the “Scan Now” button to begin scanning your computer for the Cryptomix ransomware virus related files, folders and registry keys. A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your system and the speed of your system. While the MalwareBytes Anti Malware (MBAM) tool is checking, you can see how many objects it has identified as being affected by malicious software.
- After MalwareBytes Anti Malware (MBAM) completes the scan, MalwareBytes will show a screen which contains a list of malware that has been found. Review the report and then click “Quarantine Selected”. When disinfection is finished, you can be prompted to restart your PC.
The following video offers a steps on how to remove hijackers, ad supported software and other malware with MalwareBytes Anti Malware.
Remove Cryptomix ransomware virus from PC with KVRT
The KVRT utility is free and easy to use. It may scan and delete ransomware like Cryptomix, malware, potentially unwanted applications and ‘ad supported’ software in Microsoft Edge, Internet Explorer, Mozilla Firefox and Google Chrome internet browsers and thereby return their default settings (new tab, homepage and default search provider). KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the machine.
Download Kaspersky virus removal tool (KVRT) from the following link.
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the download is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is complete, you’ll see the KVRT screen as shown in the figure below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button for checking your system for the Cryptomix ransomware and other malicious software. This procedure may take quite a while, so please be patient. While the KVRT program is checking, you can see count of objects it has identified as threat.
When finished, Kaspersky virus removal tool will prepare a list of unwanted and adware as displayed below.
Once you’ve selected what you want to delete from your personal computer press on Continue to start a cleaning process.
How to restore files encrypted by Cryptomix
In some cases, you can recover files encrypted by Cryptomix ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Restore encrypted files using Shadow Explorer
If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.
Download ShadowExplorer on your Microsoft Windows Desktop by clicking on the link below.
439623 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the downloading process is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the screen below.
Double click ShadowExplorerPortable to launch it. You will see the a window as on the image below.
In top left corner, choose a Drive where encrypted photos, documents and music are stored and a latest restore point as shown in the figure below (1 – drive, 2 – restore point).
On right panel look for a file that you want to restore, right click to it and select Export as displayed in the following example.
Use PhotoRec to restore files encrypted by Cryptomix
Before a file is encrypted, the Cryptomix ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recover software like PhotoRec.
Download PhotoRec by clicking on the link below. Save it on your Desktop.
After the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll display a screen as on the image below.
Select a drive to recover as shown on the image below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as on the image below.
Click File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is complete, click OK button.
Next, click Browse button to choose where restored documents, photos and music should be written, then click Search.
Count of restored files is updated in real time. All recovered personal files are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is done, press on Quit button. Next, open the directory where restored files are stored. You will see a contents as displayed in the figure below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to prevent your PC system from becoming infected by Cryptomix virus?
Most antivirus software already have built-in protection system against the virus. Therefore, if your system does not have an antivirus program, make sure you install it. As an extra protection, use the CryptoPrevent.
Run CryptoPrevent to protect your PC system from Cryptomix virus
Download CryptoPrevent by clicking on the link below.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the install is complete, you will be shown a window where you can select a level of protection, as shown in the figure below.
Now click the Apply button to activate the protection.
To sum up
Now your PC should be free of the Cryptomix virus. Delete KVRT and MalwareBytes AntiMalware (MBAM). We suggest that you keep Zemana (to periodically scan your machine for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove Cryptomix virus from your computer, then ask for help in our Spyware/Malware removal forum.
