Crypt38 Ransomware Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 612
Category: Trojans

We want to inform you about a new ransomware-type infection called Crypt38 Ransomware. This malicious application is distributed using deceptive methods that infect your PC secretly, so you should remove it. This piece of programming is extremely dangerous because, when it enters a computer, it encrypts certain file formats in pre-set locations and demands that you pay a ransom to get them back. This infection can outright ruin your files if you do not have an antimalware program to prevent it from infecting your PC.

Even though this infection is dangerous, it has many bugs and, therefore, we think that a decryption program should appear soon. So you should search the web for it if you have determined that your files have been encrypted by Crypt38 Ransomware. In any case, you should consider protecting your computer by installing a powerful antimalware tool that could stop this ransomware dead in its tracks. Our featured antimalware tool SpyHunter is more than capable of preventing this infection from entering your PC and removing its files post infection if it is installed after the infection has occurred.

While researching this malware, we found that it has been configured to encrypt files in certain directories that include Windows, msocache, Program Files, and Program Files(x86) folders. Furthermore, it is set to encrypt dozens of file formats that include without limitation .txt, .pdf, .html, .rtf, .docx, .xls, .xlsx, .ppt, .pptx, .jpg, .jpeg, .jps, .bmp. It must be noted that the .crypt38 file extension is added to all encrypted files. Once the encryption process is complete, this ransomware generates a ransom message that should appear on each system boot up. Note that the message is in Russian language, so it most likely originated in Russia or one of its neighboring countries where Russian is still prevalent.

The cyber criminals ask you to pay 1, 000 rubles that are approximately 15 USD or 13 EUR. Not a substantial amount of money for most, but we do not recommend that you pay it even if you have the means because you might never receive the decryption key. Frankly, cyber criminals do not care about your files, and they make false promises to convince you to pay. In fact, there is no indication that Crypt38 Ransomware is even capable of accepting a decryption key that could return your files to normal. You have to contact the cyber criminals via email and it is said that they will provide you with the rest of the instructions.

As far as this ransomware’s distribution methods go, we believe that it is distributed using email spam that contains malicious attachments. These attachments can come in the form of a self-extracting file archive, or disguised executable that when launched drops the malicious payload in C:\Users\user\AppData\Roaming\Microsoft\Windows. In the sample we have tested, Crypt38 Ransomware’s executable was named lsass.exe. In addition, this ransomware consists of two other files named request.bin and encrypted. Furthermore, all of the files might be copied to C:\Users\User\AppData\Roaming. Lastly, it creates a registry key at KCU\Software\Microsoft\Windows\CurrentVersion\Run that launches the ransomware on system start up. Its Value name is lsass, and the Value data should feature AppData\Roaming\Microsoft\Windows\lsass.exe or the other aforementioned directory.

If you want to get rid of this infection, you have to delete its files manually. We have included a manual removal guide at the end of this article. However, if you encounter problems, please leave a comment in the comments section below and we will get back to you as soon as possible. Nevertheless, you can opt for automated removal with SpyHunter, an antimalware tool that is fully capable of eradicating Crypt38 Ransomware. Now, at this point in time, there is no free decryption solution, so if your files have been encrypted by this ransomware, then delete it and wait for the decryption tool to arrive. Search the web, be persistent and you will get it.

Manual Removal

  1. Simultaneously press Windows+E keys.
  2. Go to the following locations and delete lsass.exe, encrypted, and request.bin
    • C:\Users\user\AppData\Roaming\Microsoft\Windows
    • C:\Users\User\AppData\Roaming
  3. Empty the Recycle Bin.
  4. Then, simultaneously press Windows+R keys.
  5. Enter regedit and press OK.
  6. Go to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  7. Locate lsass and delete it.
Download Remover for Crypt38 Ransomware *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.

Crypt38 Ransomware Screenshots:

Crypt38 Ransomware


Your email address will not be published.


Enter the numbers in the box to the right *