Do some or all of your files suddenly have a .crypt file extension and won’t open? You have the ransomware named Crypt or CryptXXX to thank for that. It isn’t picky about which types of files or how many files it encrypts, and it shows no mercy. This scummy ransomware uses powerful ciphers such as AES or RSA and even mocks you in a .txt ransom file. Even worse, paying won’t do much – they can and will encrypt your files again to extract more cash. Luckily, you probably won’t have to shell out anything – you have us to teach you how to recover .crypt files. Let’s begin.
1. Exhaust all options outside of decryption
We already discussed how to recover ransomware-encrypted data in the past. Although we weren’t specific about decryption tools (which we’ll fix in a moment), the majority of the steps remain valid. The most important point: hold off on paying the ransom or wiping the drive – there’s a lot you haven’t tried. You should, however:
- Isolate the computer
- Verify that files are truly encrypted, not merely hidden
- Restore from a backup
- Report the event to the authorities
2. Recover .crypt files via Kaspersky RannohDecryptor
Out of options already? Don’t fret, here’s a decryption tool developed to deal with Rannoh ransomware, e.g., “Trojan-Ransom.Win32.Rannoh”. It has been maintained and updated over time, which means you can use Kaspersky RannohDecryptor to recover .crypt files:
- Start by downloading Rannoh Decryptor.
- Open it and click on Change parameters.
- Select the drive types (HDD, network, or removable) to scan.
- Tip. Do not put a checkmark in front of Delete encrypted files after decryption unless you’re 100% sure you can open your files.
- Click on Start scan.
- Select the encrypted .crypt file.
- Select the copy of a file that was encrypted and then decrypted. CryptXXX decrypts one file as a sign of goodwill.
- Kaspersky RannohDecryptor will scan your storage for all files that have a .crypt file extension and begin trying to decrypt them.
- Depending on the version of CryptXXX (v3 being the worst) this can take a long time.
- Tip. The utility will create a log file at the following location:
C:\RannohDecryptor.1.1.0.0_19.06.2021_15.31.43_log.txt
3. Recovering files with a .crypt extension via Kaspersky XoristDecryptor
Don’t despair if the utility above doesn’t do the job. Kaspersky has two more lined up, the first of which is made to fight “Trojan-Ransom.Win32.Xorist” and “Trojan-Ransom.Win32.Cryit”. Like the one above, its capabilities have increased over the years. Restoring files with a .crypt extension via Kaspersky XoristDecryptor works like this:
- Download and launch XoristDecryptor.
- Follow steps 2-9 above.
- Tip. We’ve found that rebooting your computer after the scan is complete might be necessary.
- Again, a log will be in the system drive root folder, named:
XoristDecryptor.Tool_version_date_time_log.txt.
4. Restore .crypt files using Kaspersky RectorDecryptor
Although “Trojan-Ransom.Win32.Rector” doesn’t encrypt such a wide variety of files (it focuses on JPEG, RAR, DOC, and PDF), Kaspersky RectorDecryptor is still a worthy competitor against CryptXXX ransomware. It can also battle Hanar, Rakhni, and Xorast ransomware. For that reason, follow these steps to attempt .crypt file recovery via Kaspersky RectorDecryptor:
- Download and run Kaspersky RectorDecryptor.
- Follow steps 2-5 in the Rannoh guide.
- This tool doesn’t need to analyze a decrypted file. Point it toward either a single encrypted file or copy all encrypted files into a single folder, then specify its file path.
- Again, the scan can take a while and you can find the log in C:\, titled:
RectorDecryptor.Tool_version_Date_Time_log.txt.
5. Utilize data recovery software for partial restoration (Last resort)
We’re sad to say this, but the bad guys will never stop, and security companies such as Kaspersky usually win the battle only for a brief period. Case in point, CryptXXX has 5 versions, each better than the last. In the first 3 versions, they moved from creating .crypt to .crypz extensions, and then to an extension of 5 random hexadecimal characters. Similarly, CryptXXX v4 and v5 use an “MD5 hash.5 hexadecimal characters” file name and extension to extort users. What’s more, ransomware named “Chimera” has started using a .crypt file extension for its evil plans. So, while waiting for the encryption to be broken by a security company, use data recovery software for ransomware to scan for remains. Also, increase your security by installing antivirus software from Avast, Norton, Avira, or Malwarebytes.
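As an added example (not from the original article or from Kaspersky), here is a read-only Python triage script that inventories files matching the naming patterns described above and samples their entropy to check that they are truly encrypted rather than merely renamed, as step 1 advises. The exact regular expressions, the 7.5 bits-per-byte threshold, and the function names are assumptions.

```python
import math
import re
import sys
from collections import Counter
from pathlib import Path

# Name patterns taken from the article's description; exact forms are assumed.
# Order matters: the v4/v5 form also ends in 5 hex characters.
PATTERNS = [
    ("md5.5hex (v4/v5)", re.compile(r"^[0-9a-f]{32}\.[0-9a-f]{5}$", re.I)),
    (".crypt (v1-v3 or Chimera)", re.compile(r"\.crypt$", re.I)),
    (".crypz (v1-v3)", re.compile(r"\.crypz$", re.I)),
    (".5hex (v1-v3)", re.compile(r"\.[0-9a-f]{5}$", re.I)),
]

def classify_name(name):
    """Return the label of the first matching pattern, or None."""
    for label, rx in PATTERNS:
        if rx.search(name):
            return label
    return None

def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root, sample=65536, threshold=7.5):
    """Read-only scan: list of (path, label, entropy, looks_encrypted)."""
    rows = []
    for p in sorted(Path(root).rglob("*")):
        label = classify_name(p.name) if p.is_file() else None
        if label is None:
            continue
        try:
            with p.open("rb") as fh:
                h = entropy(fh.read(sample))
        except OSError:
            continue  # locked or unreadable file: skip, never modify
        # Encrypted data is near 8 bits/byte; plain documents score lower.
        rows.append((str(p), label, round(h, 2), h >= threshold))
    return rows

if __name__ == "__main__":
    for row in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*row, sep="\t")
```

Compressed formats such as JPEG or RAR also score high, so treat the entropy flag as meaningful only together with a matching name. Run it against a copy or a read-only mount of the affected drive so the originals stay untouched for the decryption tools.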