After the .Crash Virus encrypts all of your files it will leave a RETURN FILES.txt file with instructions for you to follow:

All FILES ENCRYPTED “RSA1024”
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL ii05635@aol.com
IN THE LETTER WRITE YOUR ID, YOUR ID
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: ii05635@aol.com
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON’T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
DECRYPTION PROCESS:
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
!WARNING!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The encryption that Ransomware infections like .Crash, .Cezor or .Lokas place on your files is usually highly sophisticated and getting your files back isn’t easy, and, what’s worse, may sometimes not be fully possible at the given moment. One of the worst things about Ransomware cryptoviruses is how stealthy they typically are – the encryption used by them isn’t a process that is actually damaging to your files or system. The encryption locks the user data found on the attacked computer but the files do not get damaged by it – they simply become inaccessible, which is, after all, the whole goal of the Ransomware infection. Once it makes sure you are unable to open any of your important pieces of data, it shows you a message on your screen, through which the infection informs you that the supposed only way to retrieve your files would be if you pay the hackers a certain sum. Of course, such payments are rather risky – sending the money to a bunch of cyber criminals doesn’t exactly guarantee that the encryption would be lifted from your files. All that it guarantees is that the money you send to the hackers would be gone forever and that the criminals would know know that you are somebody who is willing to pay for their files. But if paying the money is not a good option, then what is? Well, sadly if you are infected by a Ransomware, your options are quite limited and, as we mentioned at the start of this post, full recovery of the locked files may not always be possible. This is especially true if talking about .Crash, because .Crash Ransomware is a new cryptovirus and one that needs to be further researched by the security specialists. If you have gotten your files locked by its encryption, there may be no fully effective way of bringing everything back. Still, this doesn’t mean there isn’t anything that can be done – quite the contrary.

Can I remove .Crash myself?

 Use the instruction from the .Crash Ransomware removal guide that you will find here and complete each and every step described in the guide to remove the virus – this is the first and most important thing you need to do if you have been attacked by such a virus. The next thing we’d advise you to try is opt for the suggested data-restoration methods we have here, on our site. They my not work in all instances and may not allow you to bring all of your data back but it is still a good idea to give them a try – our suggestions do not involve any ransom payments and may still help you bring some of your valuable files back to their accessible state. Also, do not forget to check all of your other devices, external drives, flash memory sticks, online accounts and clouds for any forgotten copies of any of the files that have gotten encrypted on your computer. If you find anything, simply copy It back on your computer once you have removed .Crash Virus.

SUMMARY:

[add_third_banner]

Remove .Crash Ransomware Virus

1: Preparations

Note: Before you go any further, we advise you to bookmark this page or have it open on a separate device such as your smartphone or another PC. Some of the steps might require you to exit your browser on this PC.

2: Task Manager

Press Ctrl + Shift + Esc to enter the Task Manager. Go to the Tab labeled Processes (Details for Win 8/10). Carefully look through the list of processes that are currently active on you PC.

If any of them seems shady, consumes too much RAM/CPU or has some strange description or no description at all, right-click on it, select Open File Location and delete everything there.

Also, even if you do not delete the files, be sure to stop the process by right-clicking on it and selecting End Process.

3: IP related to .Crash

Go to c:\windows\system32\drivers\etc\hosts. Open the hosts file with notepad.

Find where it says Localhost and take a look below that. 

If you see any IP addresses there (below Localhost) send them to us here, in the comments since they might be coming from the .Crash.

[add_forth_banner]

4: Disable Startup programs

Re-open the Start Menu and type msconfig.

Click on the first search result. In the next window, go to the Startup tab. If you are on Win 10,  it will send you to the Startup part of the task manager instead, as in the picture:

If you see any sketchy/shady looking entries in the list with an unknown manufacturer or a manufacturer name that looks suspicious as there could be a link between them and .Crash , disable those programs and select OK.

5: Registry Editor

Press Windows key + R and in the resulting window type regedit.

Now, press Ctrl + F and type the name of the virus.

Delete everything that gets found. If you are not sure about whether to delete something, do not hesitate to ask us in the comments. Keep in mind that if you delete the wrong thing, you might cause all sorts of issues to your PC.

6: Deleting potentially malicious data – .Crash

Type each of the following locations in the Windows search box and hit enter to open the locations:

%AppData%

%LocalAppData%

%ProgramData%

%WinDir%

%Temp%

Delete everything you see in Temp linked to .Crash Ransomware. About the other folders, sort their contents by date and delete only the most recent entries. As always, if you are not sure about something, write to us in the comment section.

7: .Crash Decryption

The previous steps were all aimed at removing the .Crash Ransomware from your PC. However, in order to regain access to your files, you will also need to decrypt them or restore them. For that, we have a separate article with detailed instructions on what you have to do in order to unlock your data. Here is a link to that guide.

The post Remove .Crash Ransomware Virus (+File Recovery) appeared first on Malware Complaints.