CryptFile2 Ransomware Removal Guide

The devious CryptFile2 Ransomware is primarily targeted at the US government and state departments linked to education and health, as well as telecommunication and insurance companies, but regular users are not safe either. In the past, this infection was spread with the help of exploit kits; however, in the recent times, this ransomware was mainly spread via spam emails. The launcher of this infection is camouflaged as a simple Microsoft Word file, so that users would not expect a threat. Moreover, the spam email carrying this malicious file can introduce you to false information. Our researcher has revealed that the ransomware uses American Airline offers to lure users in. Regardless of how nice and intriguing the offers might be, you have to be careful; otherwise, malware will slither in without any warning. Unfortunately, even if you delete CryptFile2 Ransomware as soon as you realize that it has encrypted your personal files, they will remain corrupted.

Once the malicious CryptFile2 Ransomware enters your operating system, the malicious .exe file will be copied to %APPDATA%. This file should have your personal ID attached to it – the same ID that we will mention later in this repot – which should help you identify the malicious file. We have also found that this threat creates POE Run registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce. Needless to say, it is important to delete the malicious executable, as well as the registry entries, and we show how to do that in the manual removal guide below. Unfortunately, as mentioned previously, once CryptFile2 Ransomware encrypts your files, it does not matter whether or not you eliminate this infection right away because that will not fix your problems. Speaking of the files, this ransomware targets all kinds of personal files (e.g., .zip, .rar, and .wma), and, after encrypting them, it attaches the monstrous “.id_[personalid]_email_[ransomemail].scl” extension to them. As you can see, this extension includes your personal ID, as well as the email address that you are expected to use to communicate with cyber criminals and get a decryption key.

As you might have noticed already, the “HELP_DECRYPT_YOUR_FILES.TXT” file is placed in every folder and subfolder containing encrypted files. This file represents the ransom message, and it contains your unique ID as well. The ID is necessary for cyber criminals to identify their victims. If they cannot identify you, they cannot provide you with the right decryption key, which is also known as “private key.” Of course, no one can promise you that this key will be shared with you even if you pay the ransom. Although the TXT message does not reveal the amount that cyber criminals expect you to pay for the private key, you will get more information regarding the payment as soon as you send your ID to enc3@usa.com or enc3@dr.com. The ransom note also includes two other email addresses that are identified as “spare emails.” You have to think very carefully about how you proceed. If you contact cyber criminals, they will record your personal email address. If you agree to pay the ransom, you might lose your files as well as your money. In general, we do not recommend paying the ransom, but we understand if you want to take the risk to free your personal files. If you have backups, do not worry about it at all.

There are two removal methods that you need to think about. Of course, most users wish to remove CryptFile2 Ransomware manually, but that is not the best option. The guide below explains how to locate and erase all malicious components associated with the ransomware. Unfortunately, we cannot guarantee that this will be enough to clear your operating system. If you choose to move on with the guide below, install a malware scanner afterward to check for leftovers, as well as additional infections. You will not need to worry about this if you install anti-malware software. This software was designed to scan your operating system, detect malicious infections, and initiate complete removal. The biggest issue that you will find if you do not install this software is further protection of your operating system. Even experienced users are unlikely to be capable of successfully guarding their operating systems manually.

How to delete CryptFile2 Ransomware

1. Delete the HELP_DECRYPT_YOUR_FILES.TXT file from all folder/subfolders that it exists in.
2. Tap Win+E keys to launch Explorer and enter %APPDATA% into the address bar.
3. Delete the malicious file with your ID in its name.
4. Tap Win+R to launch RUN and enter regedit.exe into the dialog box.
5. In Registry Editor go to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
6. Delete the value named SecurityFlashPlayersHardWare.
7. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce .
8. Delete the value names SecurityFlashPlayers32.
9. Perform a full system scan to make sure that no other components were left behind.