View All R&D Articles

CryptorBit (or HowDecrypt) Ransomware Infection & Decryption Services

September 12, 2016

CryptorBit ransomware started infecting computers in December of 2013. It targets Windows operating systems and encrypts all files on the computer, regardless of their extension. CryptorBit is closely related to CryptoLocker, whose creators extorted approximately $3 million in less than a year of its operation.

If you believe that CryptorBit ransomware has infected your computer, call at 1-800-237-4200 to discuss your options with a malware expert. We can help you remove CryptorBit permanently and determine an appropriate recovery option for your unique situation. Read on for more information about CryptorBit.

What is CryptorBit Ransomware (And How Does It Work)?

Like all ransomware, CryptorBit is a program that encrypts files on an infected computer and then demands a payment for the decryption key. Without the key, decrypting affected files is nearly impossible.

Here are some of the distinguishing features of CryptorBit:

  • The ransomware encrypts all files, as opposed to targeting just specific file types (as is the case with most ransomware). This makes CryptorBit an especially crippling program for business networks, since it can even affect proprietary and specialized formats.
  • Its ransom message demands a specific payment that can vary from victim to victim. Early versions of CryptorBit demanded $500, but newer versions have demanded two bitcoins, which is around $1150 (as of writing). Because of the high cost of the ransom, many computer users choose to simply reformat their machines. This does not necessarily provide complete protection against further infections.
  • CryptorBit can bypass the Group Policy settings that normally prevent malware from infecting a computer. It creates a text file (HowDecrypt.txt) and a gif (HowDecrypt.gif) in each directory. These files offer instructions for paying the ransom.
  • It installs additional software on infected computers that mines digital cryptocurrency. This allows the attacker to use the victimized computer to make small amounts of money during the infection.
  • The CryptorBit ransom payment site is on the Tor network, which helps to mask the identity of the programmers behind the malware.

CryptorBit has an unusual encryption method in that it only encrypts the header (usually the first 512 bytes) of a file. This renders the files unusable, since programs can’t interpret the corrupted header. However, this feature also allows trained data recovery specialists to repair the headers and decrypt individual files for many file types. This can be a cumbersome process, but it’s a valid option in many cases.

How Does CryptorBit Ransomware Infect My System?

CryptorBit infects computers by disguising the malware as a Flash update or an anti-virus program. When the victim clicks on the disguised malware, the program begins encrypting files. Once that completes, the program leaves a file named HowDecrypt.txt on the infected computer. Because of this file, CryptorBit is sometimes referred to as HowDecrypt.

The HowDecrypt text file instructs the victim that they must pay a particular amount of money using Bitcoin. The ransom note also indicates that the victims will receive a decryption key within 10 days of payment.

As with all malware, prevention is far easier and cheaper than removal. Always keep your computer up-to-date, and never click on suspicious links or attachments in emails, even from people you know. Ransomware can be crippling once it is on a computer, but if you protect yourself with a firewall, an antivirus program, and common sense, it will not be able to affect you.

Can I Disable CryptorBit Ransomware Encryption?

The best way to restore files affected by CryptorBit is to use backups. Also Windows Shadow Volume Copies aren’t affected by the ransomware. However, users should take extreme caution when restoring from a backup, particularly if the system is still infected.

Various programs claim to offer decryption for CryptorBit victims, but these programs aren’t always effective for all file types and may overwrite important data. Victims must also remove the digital currency miner, which will otherwise use the computer’s resources to make money for the attacker. As such, we recommend using professional services to clear ransomware infections.

Contact the ransomware team at to discuss options. Whether you need to restore one infected file or all of the files on your computer, our specialists can find a secure, cost-effective option that protects your private data while permanently removing the CrytorBit ransomware from your machine. Call 1-800-237-4200 to get started.