Crystal Ransomware Removal Guide

Crystal Ransomware is a newly discovered ransomware that should be released pretty soon. An unfinished version of this ransomware has been leaked to the Internet. We have tested this ransomware and, in this article, will discuss how it works and how you can remove it. We do not have any information that would suggest that it is distributed in its current form and there is no reason why it should be because it would not encrypt your files if it were to infect your PC because it requires certain conditions to do that. Our research has revealed that it can encrypt files in a testing environment. To find out more about this new infection, please read this whole article.

Testing has shown that, when the main executable is launched, Crystal Ransomware creates two copies of itself in %APPDATA% and %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. The executable file is named randomly, but there is a naming pattern: the name is always consist of 8 symbols and includes numbers and characters. The characters can be upper-case and lower-case. This ransomware also creates a Point of Execution (PoE) in the form of a registry key named CRYSTAL that is placed in HKCU\SOFTWARE\\Microsoft\Windows\CurrentVersion\Run. This key is set to execute this ransomware’s executable on system startup.

Crystal Ransomware is set to connect to 127.0.0.1:100 to receive instruction on what to do. Its list of possible instructions includes flooding using UDP, TCP or HTTP protocol. Furthermore, it was set to get Filezilla credentials, disable Firewall (using netsh.exe Firewall set opmode disable and netsh.exe Firewall set opmode enable commends,) and disable Task Manager (by creating a registry key at Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr|0.) This ransomware was designed to bypass the UAC (User Account Control) and run on system startup.

Once executed, Crystal Ransomware is set to start encrypting. However, as previously mentioned, it requires specific conditions to do that. If the executable is runs on a random computer, then it does not encrypt anything. Again, this ransomware is still in development, so it not yet set to encrypt files of random people. It uses Advanced Encryption Standard (AES) algorithm to encrypt the files. This algorithm ensures a strong encryption that cannot be easily cracked. Testing has shown that this ransomware was set to encrypt files located in %USERPROFILE%\Documents, %USERPROFILE%\Picutures, %USERPROFILE %\Desktop, % USERPROFILE %\Downloads, % USERPROFILE%\Music, %USERPROFILE%\Videos, and %USERPROFILE%\OneDrive. While encrypting, it appends the file with a custom ".CRYSTAL" which acts as a file-marker indicating that a file has been encrypted. As a result of the encryption, the files cannot be opened, and their contents cannot be accessed. As far as we can tell, Crystal Ransomware targets, images, videos, audio files, documents, file archives, and so on. In short, it targets files that can have added value to you. The objective is to compel you to pay a ransom. However, the version we have tested did not even drop a ransom note, so there is no information on how to pay the ransom and how much you might have to pay.

That is all of the information currently available about this unreleased infection. Nevertheless, it is evident that it is set to be a highly effective sophisticated ransomware that will be able to encrypt many of your most valuable files. To remove this ransomware, we have composed a manual removal guide, but you can also use an anti-malware program to do that for you. We recommend our featured SpyHunter anti-malware tool which will make light work of this particular ransomware.

How to remove this ransomware

1. Hold down Win+E keys.
2. Type %APPDATA% in the File Explorer’s address box, and press Enter.
3. Find the randomly-named executable file.
4. Right-click it and click Delete.
5. Then, type %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and press Enter.
6. Find the randomly-named executable and delete it.
7. Go to the folders indicated below and delete the main executable file.
   • %USERPROFILE%\Desktop
   • %USERPROFILE%\Downloads
   • %TEMP%
8. Locate the executable and delete it.
9. Close the File Explorer.
10. Hold down Win+R keys.
11. Type regedit in the dialog box and press Enter.
12. Navigate to HKCU\SOFTWARE\\Microsoft\Windows\CurrentVersion\Run
13. Find the subkey named CRYSTAL
14. Right-click it and click Delete.