I wrote this article to help you remove Crysis Ransomware. This Crysis Ransomware removal guide is working for all Windows versions.

Crysis ransomware is a win-locker. It is also known by the name Virus-encoder. The rogue program encrypts the personal files on the targeted computer. Crysis ransomware can lock documents, images, audios, videos, archives and other file types. The owners of the clandestine program demand a ransom to provide a decoder. They state the cryptography algorithm the win-locker uses cannot be broken.

How does Crysis ransomware damage the computer?

The win-locker deploys RSA and AES-128 encryption algorithms to lock files. These technologies create a strong cipher. Crysis ransomware appends the .CrySiS suffix to the names of all infected files. The encryption process occurs on the background.

Crysis ransomware creates three files to explain the purpose of its actions. They are called ransom notes. The furtive program changes the desktop wallpaper with a custom image, containing a brief message. It is titled Help_Decrypt_FILES.bmp. The other two notes are placed in each folder where encrypted files are located. They are named Help_Decrypt_FILES.html and Help_Decrypt_FILES.txt.

The developers of Crysis ransomware ask victims to contact them. They provide the following email address as a form of contact: dalailama2015@protonmail.ch. The sender has to write “encryption” in the subject field and list his assigned ID. Crysis ransomware generates a unique ID for every instance of infection.

The user has to wait for a reply to receive instructions on the payment process. Some win-lockers state the demands of their creators within the ransom note. The developers of Crysis ransomware give the least amount of initial input. They should respond to the email within 48 hours. If the user does not get a reply by then, he has to send the same message to an alternative address: goldman0@india.com.

According to reports, the cyber criminals behind Crysis ransomware ask for different sums in separate cases. This explains why the amount of the ransom is not listed in the notes. Users have reported sums, ranging from $100 to $700 USD. When a win-locker determines different ransoms, the reason can be the content of the encrypted files. If the hackers consider your data important, they will ask for more. They may access your files or just go by their number. Your geographic location could also be a factor.

Keep in mind that making a deal with cyber criminals is risky. Paying the ransom does not guarantee that your files will be restored. They could collect the money without proceeding to take any actions afterwards. This is a common occurrence with ransomware programs.

How was my system infected with Crysis ransomware?

The most common method of distributing Crysis ransomware is through spam e-mails. The shady program can be secluded within an attachment. The sender behind the bogus message will tell you the file is an important document of some kind, like a receipt, a notice, an invoice, a bank statement, a bill or a fine. Opening the attachment can be enough to transmit the win-locker to your system. Every time you receive an email, you should check the sender’s contacts to confirm he is who he claims to be.

Drive-by installations are another common way of spreading Crysis ransomware. This process can be initiated by entering a corrupted website or clicking on a compromised link. You need to be careful about your sources. Make sure they are reliable.

Another option for Crysis ransomware is to travel in a bundle with another software application. This technique is seldom used. To avoid letting the win-locker into your system with another program, read the terms and conditions of the tools you install. If there are extra programs included, deselect them. They could be malware in disguise. Keep in mind that freeware and pirated programs are the most common hosts for viruses. It is best to avoid unsolicited software.

Crysis Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Crysis Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
2. Install ShadowExplorer
3. Open ShadowExplorer and select C: drive on the left panel
4. Choose at least a month ago date from the date field
5. Navigate to the folder with encrypted files
6. Right-click on the encrypted file
7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

1. Go to Start –> All programs –> Accessories –> System tools –> System restore
2. Click “Next“
3. Choose a restore point, at least a month ago
4. Click “Next“
5. Choose Disk C: (should be selected by default)
6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Crysis Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

1. Recuva
2. Puran File Recovery
3. Disk Drill
4. Glary Undelete