View All R&D Articles

CrypMIC Ransomware Infection And Decryption Services

August 17, 2016

CrypMIC is a new family of ransomware that targets and encrypts files on Windows computers. It became widely known in July 2016, and it is extremely similar to CryptXXX, a powerful and ever-changing type of malware.

If you believe your computer is infected with CrypMIC, turn it off and disconnect it, and call Datarecovery.com. Our security experts have experience with various malware applications, and can help you make a plan to restore the encrypted data. Call 1-800-237-4200 to discuss your options.

What is CrypMIC Ransomware (And How Does It Work)?

CrypMIC targets 901 different types of files on the targeted computer and renders them unusable by encrypting them with a sophisticated cryptosystem. The attackers demand a ransom payment in order to receive a private key, which can decrypt your files. The ransom is typically 1.2 to 2.4 bitcoins, which currently translates to $735 to $1470.

Key attributes of CrypMIC include:

  • CrypMIC attempts to delete shadow copies of files in order to make recovery more difficult. Windows creates Shadow Copies to allow users to recover their files after unexpected events; by destroying these files, CrypMIC can completely prevent a simple recovery.
  • The malware can encrypt files on removable and network drives. It uses AES-256 encryption, but claims to use RSA 4096.
  • Its README file contains a note that attempts to frighten victims into paying the ransom as quickly as possible.
  • The program claims that the ransom will double if not paid promptly.
  • While it provides a decryption tool, numerous users have complained that the decryptor functions poorly.

While some experts are referring to CrypMIC as a CryptXXX copycat, we cannot find evidence that the program was created by the same team. Payment of the ransom does not guarantee that your files will be decrypted; according to Trend Micro, the CrypMIC decryptors have not functioned properly, so we do not recommend paying the ransom outright.

CrypMIC currently does not have the ability to harvest credentials and other important information from infected computers. In this respect, it is notably less powerful than CryptXXX.

How Does CrypMIC Ransomware Infect My System?

CrypMIC spreads to computers when people click on a link in an infected email. The email has a link that claims to contain tracking information about a shipment. Victims click on a link, and the malware spreads to their computers. The virus quickly begins encrypting files on the primary machine, attached media and mapped network drives.

CrypMIC targets the following extensions:

.3fr, .7z, .accdb, .ai, .apk, .arch00, .arw, .asset, .avi, .bar, .bay, .bc6, .bc7, .big, .bik, .bkf, .bkp, .blob, .bsa, .cas, .cdr, .cer, .cfr, .cr2, .crt, .crw, .css, .csv, .d3dbsp, .das, .dazip, .db0, .dba, .dbf, .dcr, .der, .desc, .dmp, .dng, .doc, .docm, .docx, .dwg, .dxg, .epk, .eps, .erf, .esm, .ff, .flv, .forge, .fos, .fpk, .fsh, .gdb, .gho, .hkdb, .hkx, .hplg, .hvpl, .ibank, .icxs, .indd, .itdb, .itl, .itm, .iwd, .iwi, .jpe, .jpeg, .jpg, .js, .kdb, .kdc, .kf, .layout, .lbf, .litemod, .lrf, .ltx, .lvl, .m2, .m3u, .m4a, .map, .mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mlx, .mov, .mp4, .mpqge, .mrwref, .ncf, .nrw, .ntl, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p7b, .p7c, .p12, .pak, .pdd, .pdf, .pef, .pem, .pfx, .pkpass, .png, .ppt, .pptm, .pptx, .psd, .psk, .pst, .ptx, .py, .qdf, .qic, .r3d, .raf, .rar, .raw, .rb, .re4, .rgss3a, .rim, .rofl, .rtf, .rw2, .rwl, .sav, .sb, .sid, .sidd, .sidn, .sie, .sis, .slm, .snx,.sql, .sr2, .srf, .srw, .sum, .svg, .syncdb, .t12, .t13, .tax, .tor, .txt, .upk, .vcf, .vdf, .vfs0, .vpk, .vpp_pc, .vtf, .w3x, .wb2, .wma, .wmo, .wmv, .wotreplay, .wpd, .wps, .x3f, .xf, .xlk, .xls, .xlsb, .xlsm, .xlsx, .xxx, .zip, .ztmp, wallet

This may not be a comprehensive list, and new variants of CrypMIC may target additional file types.

Can I Disable CrypMIC Ransomware Encryption?

There is no available decryptor for CrypMIC. If you believe your machine is infected with CrypMIC, turn it off and call Datarecovery.com to discuss your case.

While CrypMIC attempts to delete shadow copies, it is not always successful, and Datarecovery.com’s engineers can perform a detailed analysis to determine recoverability. As ransomware experts, we are familiar with various encryption and decryption technologies, and we exhaust every possible option to restore your files. As a last resort, we can also organize secure Bitcoin payments, analyze recovered data for additional malware, and avoid reinfection.

Call 1-800-237-4200 to begin the process of restoring your files.