Cry128 Ransomware : How To Remove & Recover Enciphered Files


Cry128 Ransomware Shows up on the Web in 2017

Cry128 Ransomware came to security analysts' attention at the beginning of April 2017. It is a new variant of the Russian-originated CryptON ransomware, which began appearing in several security forums in December 2016. After analyzing its initial characteristics, researchers quickly concluded that it must be another version of the HiddenTear ransomware project. So far, it has been reported that the threat infects targeted machines through Remote Desktop Protocol services, which allow the attackers to log into the victim's computer and run the malware.

Working Principles of Cry128 Ransomware

Once the operators of Cry128 Ransomware gain access to the compromised system, it encrypts the files stored on the victim's computer. However, the ransomware excludes C:\Program Files, C:\Windows and the user profile folder from the encryption procedure, so the system still boots and the machine's critical processes are not impacted. In-depth analysis of this malware reveals that it relies on a modified version of the AES encryption algorithm that works on 128-byte blocks with 1024-bit keys in ECB mode. Moreover, this destructive computer virus deletes the computer's recovery points, so Shadow Volume Copies cannot be used by victims of Cry128 Ransomware to recover the files it has encoded. It does not carry a list of the file types it encrypts. Once it locks the files, it appends one of the following file extensions:

  • .id__gebdp3k7bolalnd4.onion._
  • .id-_[].63vc4

According to the research report, every enciphered file ends up 132 bytes larger than its original once the encryption procedure is complete. Unlike its predecessor, Cry128 Ransomware uses a payment portal hosted on Tor, with Tor2web links that make the ransom payment website more accessible to less-skilled computer users. However, you should never pay the ransom demanded by the virus developers. Instead, you can download the decryption tool from Emsisoft's decryptor website once the malware has been removed completely from your system.
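As an added example (not code from the original article), the following PowerShell script scans a folder tree for files carrying the two extensions listed above and reports, per directory, which files were hit and what each one was called before the extension was appended, which is the list you need when matching recovered or shadow-copy files against their encrypted versions. The regular expressions are an assumed reading of those two extensions, with the `[]` in the second one treated as a placeholder for a per-victim ID; the demo folder and its file names are constructed for the run.

```powershell
# Added example, not code from the original article. Scans a folder tree for
# files carrying the two Cry128 extensions quoted above and reports, per
# directory, which files were hit and what their names were before the
# extension was appended. The regexes are an assumed reading of those
# extensions; the "[]" in ".id-_[].63vc4" is taken to be a victim-ID placeholder.

$Cry128ExtensionPatterns = @(
    '\.id__[a-z0-9]+\.onion\._$',   # .id__gebdp3k7bolalnd4.onion._
    '\.id-_\[[^\]]*\]\.63vc4$'      # .id-_[<victim id>].63vc4
)

function Find-Cry128Artifacts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Patterns = $Cry128ExtensionPatterns
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            foreach ($pattern in $Patterns) {
                if ($file.Name -match $pattern) {
                    [pscustomobject]@{
                        Directory     = $file.DirectoryName
                        EncryptedName = $file.Name
                        # Strip the appended extension to get the pre-encryption name.
                        OriginalName  = $file.Name -replace $pattern, ''
                        SizeBytes     = $file.Length
                        LastWrite     = $file.LastWriteTime
                    }
                    break
                }
            }
        }
}

function Get-Cry128Summary {
    param([Parameter(Mandatory)] [string] $Path)
    Find-Cry128Artifacts -Path $Path |
        Group-Object Directory |
        Select-Object @{n = 'Directory'; e = { $_.Name }},
                      @{n = 'EncryptedFiles'; e = { $_.Count }}
}

# Constructed demo: a throwaway folder with two "encrypted" names and one clean file.
# -LiteralPath is required because one of the constructed names contains [ ].
$demo = Join-Path ([IO.Path]::GetTempPath()) ('cry128-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $demo 'docs') | Out-Null
'x' | Set-Content -LiteralPath (Join-Path $demo 'docs\report.docx.id__gebdp3k7bolalnd4.onion._')
'x' | Set-Content -LiteralPath (Join-Path $demo 'docs\photo.jpg.id-_[ab12cd34].63vc4')
'x' | Set-Content -LiteralPath (Join-Path $demo 'docs\notes.txt')

Find-Cry128Artifacts -Path $demo | Format-Table EncryptedName, OriginalName, SizeBytes
Get-Cry128Summary -Path $demo | Format-Table

Remove-Item -Recurse -Force $demo
```

On a real machine, point `Find-Cry128Artifacts` at the data drives rather than the whole disk: the article notes that C:\Program Files, C:\Windows and the user profile folder are skipped by the malware, so hits there would point at something other than Cry128. The script only reads file names; it does not rename or move anything, so the encrypted files stay intact for the decryptor.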

Expert’s Conclusion

Experts explain that Cry128 Ransomware is simply the product of destructively minded people looking for a way to make money. It is therefore needless to say that a victimized user who considers paying according to the published ransom note would only be wasting money. Instead, users should back up all their important files and data to keep them safe, and should prefer reliable anti-malware tools to remove Cry128 Ransomware and protect the PC from future attacks.

Follow Steps to Delete Cry128 Ransomware from PC

Step A: How to Start the PC in Safe Mode with Networking

In order to isolate the files and entries created by Cry128 Ransomware, users need to follow the steps below.

  1. Press the Win key and R together.
  2. This opens the Run window. Type "msconfig" and press Enter.
  3. The System Configuration box appears. Select the tab named "Boot".
  4. Tick the "Safe boot" option and choose "Network".
  5. Click OK to apply the settings.

Step B: How to Restore the System During a Cry128 Ransomware Attack

If you still have problems rebooting the PC into Safe Mode, opt for System Restore. Follow the steps given below.

  1. Press F8 repeatedly until the Windows Advanced Options Menu appears on the monitor. Choose Safe Mode with Command Prompt and press Enter.
  2. In the Command Prompt window, type the command cd restore and press Enter.
  3. Now type rstrui.exe as the command and press Enter.
  4. This opens a new window to restore system files and settings. Click Next to proceed.
  5. Select a restore point dated before the Cry128 Ransomware attack, so the system is restored to the state it was in earlier.


Step C: Another method for recovering your encrypted files is file recovery software

If the above methods are not successful, you can turn to file recovery software. It can help recover your encrypted files because Cry128 Ransomware first makes a copy of each original file, encrypts the copy, and then deletes the original. So there is a good chance that file recovery software can recover your original files.

Step D: Know How to Restore Shadow Copies of Encrypted Data

In certain cases, if Cry128 Ransomware has not deleted the Shadow Copies of the data, they can easily be restored using ShadowExplorer. (See how to install and use ShadowExplorer.)
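Before spending time on Step B or Step D, it helps to know whether the machine still has anything to restore from. The PowerShell script below is an added example (not code from the original article or from ShadowExplorer): it queries the Volume Shadow Copy service, lists any remaining shadow copies through the `Win32_ShadowCopy` CIM class, and lists System Restore points, then says which of the article's steps still has material to work with. It assumes an elevated prompt on the affected Windows machine; `Get-ComputerRestorePoint` exists only in Windows PowerShell (5.1 and earlier), so the restore-point part is skipped under PowerShell 7.

```powershell
# Added example, not code from the original article. Checks what recovery
# material survives on this machine before Step B (System Restore) or Step D
# (shadow copies via ShadowExplorer) is attempted. Run elevated.

function Get-RecoveryState {
    [CmdletBinding()]
    param()

    $vss = Get-Service -Name VSS -ErrorAction SilentlyContinue
    $vssStatus = if ($vss) { $vss.Status.ToString() } else { 'NotFound' }

    # Each Win32_ShadowCopy instance is one snapshot that ShadowExplorer could browse.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

    # Get-ComputerRestorePoint only exists in Windows PowerShell (5.1 and earlier).
    $restorePoints = @()
    if (Get-Command Get-ComputerRestorePoint -ErrorAction SilentlyContinue) {
        $restorePoints = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        VssServiceStatus  = $vssStatus
        ShadowCopyCount   = $shadows.Count
        ShadowCopies      = @($shadows | Select-Object ID, VolumeName, InstallDate)
        RestorePointCount = $restorePoints.Count
        RestorePoints     = @($restorePoints | Select-Object SequenceNumber, Description, CreationTime)
    }
}

function Write-RecoveryAdvice {
    param([Parameter(Mandatory)] $State)

    if ($State.ShadowCopyCount -gt 0) {
        "Shadow copies present ($($State.ShadowCopyCount)): Step D (ShadowExplorer) is worth trying."
    } else {
        "No shadow copies found: the ransomware has most likely deleted them; rely on Step C or the Emsisoft decryptor."
    }

    if ($State.RestorePointCount -gt 0) {
        "Restore points present ($($State.RestorePointCount)): Step B (rstrui.exe) can roll the system back."
    } else {
        "No restore points found: Step B has nothing to roll back to."
    }

    if ($State.VssServiceStatus -ne 'Running') {
        "VSS service is '$($State.VssServiceStatus)': new snapshots cannot be taken until it is started."
    }
}

$state = Get-RecoveryState
$state | Format-List VssServiceStatus, ShadowCopyCount, RestorePointCount
$state.ShadowCopies  | Format-Table -AutoSize
$state.RestorePoints | Format-Table -AutoSize
Write-RecoveryAdvice -State $state
```

The check is read-only: it neither creates nor deletes snapshots, so it can be run on the live machine before any cleanup tool touches it. If it reports zero shadow copies, that matches the behaviour described earlier in the article (Cry128 deletes the recovery points), and the remaining options are Step C or the Emsisoft decryptor.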