How to Decrypt CryptoDefense Files/Recover Files Encrypted by CryptoDefense (HowDecrypt)

CryptoDefense is a completely new ransomware trojan, similar to Cryptorbit, HowDecrypt, and CryptoLocker, which targets computers running the Windows operating system. CryptoDefense was released at the end of February, and it appears to be a hybrid of Cryptorbit that, unlike its predecessor, fully encrypts your data.

When activated, CryptoDefense encrypts certain types of files stored on your local and mounted network drives using 2048-bit RSA public-key cryptography, with the private key stored only on the malware’s control servers. CryptoDefense leaves access database files untouched, but does encrypt .doc, .xls, .bmp and .txt files, as well as images and videos.

CryptoDefense creates How_Decrypt.html, How_Decrypt.txt and a shortcut to How_Decrypt.html in every folder in which a file was encrypted. These files contain instructions on how to pay the ransom. Furthermore, CryptoDefense creates a HKCU\Software\<unique ID>\ registry key and stores configuration information in it. All encrypted files are listed under the HKCU\Software\<unique ID>\PROTECTED key. The malware then displays a ransom message which offers to decrypt the data for bitcoins worth about $500. After 4 days, however, the cyber crooks double the ransom and ask for bitcoins worth $1000. If the payment is not made by the stated deadline, CryptoDefense threatens to delete the private key.
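The indicators described above can be turned into a quick scoping check. The following is an added example, not part of the original article or of any vendor tool: it walks a directory tree for the ransom notes, estimates when encryption began from the oldest note, and on Windows reads the PROTECTED registry key. The function names are hypothetical, and it assumes the shortcut shares the How_Decrypt base name and that the PROTECTED key holds one registry value per encrypted file.

```python
import os
from datetime import datetime, timezone

try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None

# Matches How_Decrypt.html and How_Decrypt.txt; assumed to match the shortcut too.
NOTE_PREFIX = "how_decrypt."


def find_ransom_notes(root):
    """Map every folder under root to the ransom-note files it contains."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if f.lower().startswith(NOTE_PREFIX))
        if notes:
            hits[folder] = notes
    return hits


def earliest_note_time(hits):
    """Oldest note timestamp (UTC): an estimate of when encryption began."""
    stamps = [os.path.getmtime(os.path.join(folder, name))
              for folder, names in hits.items() for name in names]
    if not stamps:
        return None
    return datetime.fromtimestamp(min(stamps), tz=timezone.utc)


def protected_entries():
    r"""Return (unique_id, value_name, data) for each value found under
    HKCU\Software\<unique ID>\PROTECTED. Returns [] when not on Windows.

    Any subkey of HKCU\Software that has a PROTECTED child is reported, so
    treat the result as candidates to review, not as proof of infection.
    """
    if winreg is None:
        return []
    found = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Software") as software:
        for i in range(winreg.QueryInfoKey(software)[0]):
            unique_id = winreg.EnumKey(software, i)
            try:
                key = winreg.OpenKey(software, unique_id + "\\PROTECTED")
            except OSError:
                continue  # no PROTECTED subkey here
            with key:
                for j in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _kind = winreg.EnumValue(key, j)
                    found.append((unique_id, name, data))
    return found


def triage(root):
    """Summarise the scope of the encryption for one directory tree."""
    hits = find_ransom_notes(root)
    return {
        "affected_folders": sorted(hits),
        "encryption_began": earliest_note_time(hits),
        "registry_entries": protected_entries(),
    }


if __name__ == "__main__":
    report = triage(os.path.expanduser("~"))
    print(len(report["affected_folders"]), "folders contain ransom notes")
    print("oldest note written:", report["encryption_began"])
    print(len(report["registry_entries"]), "entries under PROTECTED")
```

Run it against each local and mapped network drive, since the notes are dropped wherever a file was encrypted.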

Thanks to the guys from Emsisoft and, there is a way to recover your corrupted files, or at least most of them. (*PLEASE DO NOT ATTEMPT TO DECRYPT YOUR FILES BEFORE REMOVING THE ACTUAL INFECTION)

If you notice that you are infected, we at recommend you to download SpyHunter Malware Security Suite from our web page: in order to automatically remove the active infection. However, be advised that even when the infection has been removed successfully, your files will still be encrypted. Once you get rid of CryptoDefense  (learn how to in our article HERE), you can try to recover your files using the limited methods below:

How to Recover Files Encrypted by CryptoDefense:

*Please note that there are limited methods of decrypting the files encrypted by CryptoDefense. The infection may also delete all your Shadow Volume Copies. The only certain way to restore your files is by using a backup copy.

You can try to restore your files from a system backup. If a backup is not available, you can attempt to recover your files using the Shadow Copy Service. Since Windows XP Service Pack 2, Windows has included a feature called Shadow Copy Service that, if enabled, automatically creates backup copies of your files. This method may not work, as CryptoDefense attempts to clear your shadow copies when it is installed.

1. How to restore files using the Shadow Copy Service:

Method 1. Using native Windows Previous Versions:

*Be advised that the Windows System Protection option must have been enabled prior to the infection for this method to work.

1. Right click on the corrupted file and select properties from the drop-down menu;

2. Go to the “Previous Versions” tab (if the tab is missing, it means that the Windows System Protection option hasn’t been enabled);

3. Choose the latest previous version copy and click on the Copy button, then select the directory you wish to restore the file to. If you prefer to restore the selected file directly, click on the Restore button.

This method can be used to restore an entire folder as well. Right-click on the selected folder and choose Properties and then Previous Versions tab.

Method 2. Using Shadow Explorer:

You can also use a program called Shadow Explorer to restore entire folders. You can download the program from the following link:

When you download and run the program, you will see, on the left side, a list of your available drives. Next, you will see the dates that a shadow copy was created. You can select the drive and the date that you wish to restore from.


2. How to recover files encrypted by CryptoDefense using Emsisoft Decryptor

If you were infected by CryptoDefense on April 1st, 2014 or before that, then there is a chance you can recover the decryption key. There is a flaw in the early versions of CryptoDefense that leaves the private decryption key stored on the user’s machine. Fabian Wosar of Emsisoft discovered the flaw and developed a decrypter. Unfortunately, newer versions of CryptoDefense no longer leave the key behind. Thus, if you were infected with CryptoDefense before the aforementioned date, you can attempt to retrieve the key and decrypt your files:

1. Please download from the link below:

2. Once you have the file downloaded, right-click and select “Extract All”. When the process completes, all files will be extracted to a folder. You will see two files: CryptoOffense.exe – you can use it only if you want to decrypt encrypted files using a different computer.

The second file is decrypt_cryptodefense.exe. This is the tool that you can use to automatically extract the encryption key from your computer in order to decrypt your files. Please make sure that you temporarily disable your anti-virus system for the time of decryption as it may interfere with the decrypter.

3. Launch the decrypt_cryptodefense.exe

4. Click on the “Decrypt” button to start the decryption process. Emsisoft decrypter will recursively scan all folders that are added for encrypted files. Then, the program will attempt to retrieve the decryption key from the logged in account. If a key is found, a message like the following will be shown:

Loaded private key from current user’s key storage!

Then the decrypter will automatically start to decrypt the encrypted files on your machine. The process can be time-consuming. While the tool is decrypting your files, it may look like it has stalled or frozen on a certain file and appear to be not responding. This is normal. Please be patient and do not be concerned.

If Emsisoft decrypter is unable to retrieve the key, it will display a message shown below:

No CryptoDefense key found

Unfortunately, this means that it will not be able to decrypt your files.

If the program was able to retrieve the key, but you are receiving errors that state “File could not be decrypted properly. Skipping …”, it means that your key may have been overwritten. In such a case, there is one possibility to recover your decryption key. The key is saved in the %appdata%\Microsoft\Crypto\RSA folder. If there is a Shadow Copy of the folder, you can try to restore it to a previous state. After that, run decrypt_cryptodefense.exe once again and check if you can retrieve the key in order to restore your files.
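Restoring the key folder to a previous state replaces what is there now, so it is worth copying the current folder aside first. The following is an added example, not part of the original article or of the Emsisoft tool: it snapshots the key folder with timestamps and hashes, then suggests which of the article's options to try. The function names are hypothetical, the cutoff date is compared in UTC, and the timestamp rule in `assess` is a heuristic assumption.

```python
import hashlib
import os
import shutil
from datetime import date, datetime, timezone

# Cutoff from the article: infections on April 1st, 2014 or earlier.
CUTOFF = date(2014, 4, 1)


def default_key_store():
    """The folder the article names: %appdata%\\Microsoft\\Crypto\\RSA."""
    return os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Crypto", "RSA")


def snapshot_key_store(key_dir, dest_dir):
    """Copy the key store with timestamps intact and return a manifest.

    copytree() refuses to write into an existing dest_dir, so an earlier
    snapshot is never overwritten by a later one.
    """
    shutil.copytree(key_dir, dest_dir, copy_function=shutil.copy2)
    manifest = []
    for folder, _dirs, files in os.walk(dest_dir):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            modified = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            manifest.append({"file": os.path.relpath(path, dest_dir),
                             "sha256": digest, "modified": modified})
    return sorted(manifest, key=lambda entry: entry["file"])


def assess(manifest, encryption_began):
    """Suggest the next step; encryption_began must be timezone-aware.

    Assumption (heuristic, not from the article): a key file last written
    after encryption began cannot be the untouched original, so only files
    written at or before that moment count as candidates.
    """
    within_window = encryption_began.astimezone(timezone.utc).date() <= CUTOFF
    candidates = [e["file"] for e in manifest if e["modified"] <= encryption_began]
    if not within_window:
        next_step = "restore from backup"
    elif candidates:
        next_step = "run decrypter"
    else:
        next_step = "restore previous version of key folder"
    return {"within_window": within_window, "candidates": candidates,
            "next_step": next_step}


if __name__ == "__main__":
    # Example run on Windows; the snapshot path and the date are placeholders.
    began = datetime(2014, 3, 14, tzinfo=timezone.utc)
    entries = snapshot_key_store(default_key_store(), r"C:\key_store_snapshot")
    print(assess(entries, began))
```

Take the snapshot before restoring a previous version of the folder and again afterwards into a different destination; comparing the two manifests shows which key files the restore actually changed.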

Unfortunately, if the above methods do not work, the last option will be to restore your files from a backup copy (if any). 

To successfully remove and learn more about the newest ransomware CryptoDefense, please read our article HERE.

To successfully remove and learn more about Cryptorbit or HowDecrypt ransomware, please read our article HERE.

To learn how to recover your files encrypted by older ransomware like Cryptorbit or HowDecrypt, please read our article HERE.


  1. mycom /

    the problem had been solved.
    download at
    How to restore files encrypted by CryptoDefense using the Emsisoft Decryptor

  2. Dylan /

    I used the Emsisoft Decrypter and it worked! Thank you so much!!
    I knew I was able to do this when I moved my mouse over one of the encrypted files and it said: ‘Date Modified: 3/14/2014’ and I knew I might have a chance as this is before April 1. And now it’s decrypting heaps of stuff. Thanks!

    1. Troy Smith /

      Hey Dylan,
      We are very glad that you’ve managed to recover all your data!


  3. Joseph /

    Hi there! On August 26, 2014 I have been infected by the virus Trojan Win32 CryptoDefense / Harasom.A and, despite having cleaned up my system, I find myself with all the files encrypted with the extension .ctb2. How do I restore them? I also tried restoring the configuration to another date, but nothing.

    Pending thank you in advance.


  4. Greg Beck /


    I have been infected with the Critroni Variant and all my pictures have also been encrypted to the CTB2 extension.




    1. Jason Smith /

      Hello Greg,
      can you please tell me what is the file extension after Critroni has encrypted your files – it should be either .CTBL or .CTB2 ?!


      1. Greg /


        It is ctb2.


        Grr g

        1. Jason Smith /

          Hello Greg,
          Unfortunately, your files are encrypted with the newest Critroni ransomware and at this time it is impossible to decrypt .ctb2 files, however I would advise you to try and search for Previous Versions of your files (if Critroni didn’t wipe out your backups of course). Please take a look at the link below to see how to use the Shadow Explorer:

          I hope you get your files back.


  5. Dave /

    Also got all my files on a external hard drive infected and with a .ctb2 extension,
    waiting for somebody who knows how to decrypt. Virus is already removed.

    How long is it going to take approximately? Need the files back 🙁

    1. Jason Smith /

      Hey Dave,
      Unfortunately you are asking me a very difficult question and I don’t have an exact answer – it might take a week or several months. The thing is that without the encryption keys, nobody can decrypt your files (in a reasonable time period). I guess that a joint-venture operation of the major government cyber-crime divisions from several continents will be needed (just like in Operation TOVAR) to seize the Command & Control (C&C) servers, which are holding the keys for this extortion business. Just like what they had done with the CryptoLocker –


  6. Anne Loraditch /

    Hello – We were hit with the CryptoWall ransom virus this past week. We found the infected machine and quarantined all malicious files. Unfortunately, we had no choice but to pay the ransom for our data as we had no shadow copies and no back up copies of anything. We were given instructions to download a .zip file, which purportedly had an executable file (decrypt.exe) in it. Alas, upon extraction, the only file in the .zip folder is a KEY file titled “secret.key” I realize this may be the answer to our prayers (we hope!) but, since there was no .exe file in the .zip folder, we are at a loss what to do next. Does anyone have a copy of the decrypt.exe file they could send us? Is there a way to use the KEY file to decrypt our data without the decrypt.exe file?

    I have been dealing with this for 5 days straight & feel very much like I am fighting the darkest forces of evil. Any help is greatly appreciated.

    Thanks very much in advance,

    1. Jason Smith /

      Hello Anne,
      I would suggest you to do the following:
      1. Download the following file:
      Right click the file and choose – Extract all … A new folder will be created and there should be 2 files:
      CryptoOffense.exe & Decrypt_cryptodefense.exe

      2. Copy the secret.key file, which was sent to you to the newly created folder and then run the decrypt_cryptodefense.exe

      Now when you run decrypt_cryptodefense.exe, it will automatically load the proper secret.key file and then the decryption process will start.

      I wish you the best of luck with this operation!


  7. Sphiwe Manana /

    Simply right click any file that is infected and click on previous version, copy to a different directory; it should work. Right click your user profile, select previous version, copy, and welele you have your information back. It’s actually a very dumb virus.

    1. Jason Smith /

      Hey Sphiwe,
      and thank you for your comment. Actually the main problem with this virus is that sometimes it deletes the Shadow Copies of all the files, so previous versions are unavailable or they might be also corrupted. I hope that you will be able to recover all your files and that the virus won’t remove any of your Shadow Copies!


  8. Verhofstadt Andre /

    I have the same problem since yesterday, all my jpg (10.000) have the extension ctb2 and are encrypted. These files are from my daughter since she was born, really a catastrophe. I have placed a back-up over my boot drive and my system works perfectly, but all my files which were on another drive on my system were encrypted! Can somebody please help me with this?

    1. Jason Smith /

      Hey Andre,
      the ctb2 file extension means that your computer was infected with the Critroni Ransomware, which uses RSA-2048 encryption, which is impossible to break, unless you have a billion computers working together for a month. I would suggest you to try and restore your .jpg to some “previous version”, which is before the actual infection. You can also try the to try and retrieve your key.


      1. Verhofstadt ANDRE /

        Dear Jason
        I have tried this site :
        I have filled in my email address and a file with ctb2 extension. When I clicked Decrypt the file was sent and I got the following message:
        ” Invalid file.
        The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file. ”
        What is the problem here ???

        best regards


  9. Verhofstadt ANDRE /

    Dear Jason
    Thanks for your answer but I don’t have previous copies or shadow files of my jpg files. I just have a back-up of my boot drive which I have put back. The Critroni ransomware seems to be gone, the jpg and other files are on 2 other drives in my PC and have the ctb2 extensions. Is it possible there is a solution coming in the future? Can I leave the encrypted files on my system waiting for a solution without risk?
    My wife, my little girl and myself are desperate losing all the photos of the last 15 years, all our memories gone.


  10. Mark /

    Dear Jason
    How can I remove this file extension owhknql
    I searched on the internet but no results found. Does anyone have this problem too,
    and knows how to fix it?

    1. Sathish /

      Hi Mark,
      Even one of our systems got affected with some kind of virus and all files got some extension named zscbezh. Have you got any solution?

  11. sebastien /

    I Have the same problem, in fact my PC got infected with cryptowall v3.0 virus.
    i formatted my PC and now i need solution to decrypt files.
    please keep me informed if you have solution.

  12. Alvin /


    I have been infected with the Critroni Variant and all my .jpg, .pdf ,.xls, and .doc have also been encrypted to the CTB2 extension.
    I don’t have previous copies or shadowfiles



    1. Jason Smith /

      Hey Alvin,
      Currently there are no Critroni decryption tools available. Security companies from all over the world are looking for a solution, however at this time there is nothing that can help you.


      1. Verhofstadt Andre /

        I hope someone finds a solution for this, I lost more than 5.000 photos since the birth of my only child because of that. All my memories gone in one second. I have copied all these files on an external USB HD but at the moment of infection that drive was connected with my computer.

        1. Jason Smith /

          Hey Andre,
          Photos are always bad news! I’ve lost a lot of photos last year – with the first version of the Cryptorbit. Now I’m using web space to store photos and I’m very happy with it!
          This is the problem with the external hdd-s, they are just not a proper solution – no incremental backups, no recovery options. I mean – for the average user – this should have been more than enough but these crooks have found a by-pass and now, we should pay because of it! I Hate them really! I hope that (like that last year) some serious company will “spear” the “poor user” and will upload all the keys from the Command and Control servers of these jerks!


          1. Verhofstadt Andre /

            Hi Jason

            Thanks for your answer, I hope someone finds the solution and if you hear or read something that can help me I will thank you very much if you let me know


          2. Jason Smith /

            Hi Andre,
            You may count on me. I will email you as soon as some new development pop-out! Like I said – last year an international task force managed to retrieve large quantity of keys from the cyber crooks Command & Control servers, which led to creation of a website, on which people could check if their data can be decoded with one of the keys they had found! I hope they do the same thing this year!


          3. Verhofstadt Andre /

            Thanks Jason , I count on it

          4. Greg /


            Please keep me in the I lost pictures as well.



          5. Jason Smith /

            Hi Greg,

            I’ve just made you a “follower” of this conversation.


  13. Guruprasad /


    I got a mail and I have opened that, after some time I have restarted the desktop.
    I noticed all the files have extension .bcfyheh and all the files got corrupted. Please help me to find the solution for the problem

    Thanks in advance
    Guruprasad P

  14. Leon /

    I got the RSA-2048 Cryptowall virus which locked all my files. All my files show date modified and won’t open. Is there something I can buy to decrypt this?

    1. Jason Smith /

      Hey Leon,
      Unfortunately at this moment there is no decoding solution (that will work in the next 100-150 years) for the RSA-2048bit encryption. It is military grade encryption and only massive computer farms are capable of delivering that much computation power. I would suggest you to try to search for backups, however if you didn’t make any try to search for the previous version (or shadow copies) like described in the above post and finally if these documents are that important – your only option is to pay the ransom. Usually I don’t advise people to pay the ransom money, but if the documents are really that much important – you have no other choice but to pay the $$$!

      I would advise you not to believe anybody, who tells you that he/she/it is possible to decode your files with some kind of a software – the only way is to have the private key, generated by the ransomware and sent to the Cyber Criminals command and control servers!

      Jason Smith

  15. Steven VP /

    Friday our servers were infected by one single computer (who is now found, and Cryptowall 3.0 virus was removed).
    Unfortunately we did not notice until Saturday, and in the night our servers sync to a backup server. So all infected files are also on our backup server. Result, we cannot open any file anymore in our servers, but also not in our backup servers.
    We did not work with versions on the backup, so no way to go back.

    We did pay the bad guys, and we got a zip file back, with a decrypt program and a public and private key.

    Only problem, when we run the .exe, from the infected machine, it says “database found, 209158 files were encrypted, do you want to start automatic decription”. we say “yes” and program starts to decrypt, only each file it attempts it gets an error like ” Error:1xffffff”.

    and all the files remain encrypted.

    We are running a (small) company and I need access to those files again! Can anyone help me please?

    (I deleted all antivirus, ran the program as administrator,…)

    regards, steven.

    1. Jason Smith /

      Hello Steven,

      If I was in your situation, I would probably move all the files to a clean newly installed machine and then I would try to decrypt them – try x64 and x86 OS, because it seems that it matters what operating system the decryptor is running. If I have another idea I will write you another message! One more thing – just try to increase the size of your swap file. If it doesn’t work try troubleshoot the problem with the procmon tool from the SysInternals Suite. Just take a look at the video from the link below:

      Jason Smith

  16. Stephen Hayward /

    I got hit with the CryptoWall 3.0 ransomware on April 2, and was able to use Shadow Copies to recover what was on my C: drive. But the NAS drives are still encrypted. I tried your software, and it reported that it found my key, but when the scan is finished it shows that no files were decrypted. Is there anything else I can try?

  17. Solszew /

    Today I am attacked by virus of [email protected] (may be Trojan, but I am not sure, because AVG programme cannot catch this virus). All my documents, photos are blocked by this virus.
    All now have name [email protected]
    and are not possible to open.

    Do you know how to decode my files?

    Thank you in advance for your support

  18. Zomer /

    Hello, I was infected by Cryptowall 3.0 on march 25. I found the directory: appdata\microsoft\crypto\rsa\machinekeys\. Here is a file with a long name. When I run the program ‘decrypt_cryptodefense.exe’ right away: no private key has been found. What should I do? I think the key is in the file…. I also put this file in the same directory as cryptodefense.exe under the name: secret.key. No result. I disabled anti malware. I have admin right.
    Could you please help me?

  19. bret /

    My small business was infected with the RSA-2048 virus on 04/18/15 (HELP_RESTORE_FILES.TXT). I refuse to pay ransom, please notify me if there is a fix or key in the future. Thank you

    1. Jason Smith /

      Hey Bret,
      and sorry about the delay! Once again thank you for your interest in our website. Upon your request I’ve already subscribed your email to receive information about the solution for decoding the ghastly RSA-2048 encryption. I can assure you that, once a solution comes out – you will be one of the first to know about it!


  20. Ronaldo /

    Hi Jason

    I hope you will find a solution


  21. Stacie /

    Hi, Please keep me informed of new apps to decrypt my files that were encrypted by Cryptowall 3.0… I have my private keys and have tried everything avail. so far and can not decrypt my files… I don’t know what to do with these private keys!!!!!
    Thank you

    I have tried decrypt found my keys but doesn’t fix my files

    1. Jason Smith /

      Hey Stacie,
      I’ll put you in the waiting list! When something new comes up – you will be notified!


  22. Grega /

    Hi, it’s something new about program to decrypt files encrypted by CryptoWall 3.0. My PC was infected 9.6.2015 with CryptoWall 3.0!!

  23. Jose Espinoza /

    Some clients were infected on Jun-24, shadow deleted and all files infected, including backup. I would appreciate some news about how to decrypt files.


  24. Rob Ohlson /

    I was hit with the dreaded Cryptowall 3.0 virus on July 10th, 2015. Most of my files were of no importance except for (2) Excel sheets that I really need that have years worth of information in. Any updates are appreciated if a solution is found for this. Thanks!

    1. Jason Smith /

      Hey Rob,
      I’m sorry to hear that you were struck by the nasty Cryptowall virus as well. We will keep you informed, if something new comes up!


  25. Getulio /

    I’m infected with this hellware and I already tried everything and the program don’t found a key, it says to run in the machine that is infected etc… I’ve lost 250gb of files, including year of personal photos that I haven’t “backuped”.. I have a encrypted and same file decrypted, I’m just figuring out how to use this to decrypt files… sad, so sad…

    1. Getulio /

      sorry, * doesn’t found

  26. Joshua Koilpillai /

    My computer was infected on July 5th, 2015 and all my files, word, excel, pdf, jpg, mov were encrypted.

    1. Jason Smith /

      Hey Joshua,
      Sorry to hear that, try to use the shadow explorer, restore points or some other software like R-Studio, it might work for you!!!


  27. Eric /

    I have recently been infected with the Ransomware…looks to be Cryptowall 3.0. I put everything in C:/ Backup and restarted Windows 7 Home Professional from scratch. I can see the files in back up…they have the .abc format…even if I manually switch the pictures to JPEG it still says it won’t show the picture. All my music files are the same but Itunes recognizes them and still plays them. Is there a way to save my pictures? It said I have no back up point even though it did every Wednesday night I thought.

  28. Shezad /

    Hello I was attacked by cryptowall virus and my files on my partition D also were encrypted. Please help me how may I decrypt them. I have formatted my system drive but those on D cannot be opened. What should I do.

  29. lani /

    I was attacked by cryptowall virus and all my files docs, xls, jpeg were encrypted. How can I decrypt them? I updated my win 7 to windows 10 and finally the virus was gone but all the files are still encrypted. Is there a way to decrypt them aside from paying ransom to those idiots?

    1. Jason Smith /

      Hey Lani,

      I’m very sorry to tell you this, but the encoding is very complicated and there is no hope if you don’t have offline backups or some cloud backups created prior to infection – everybody that is telling you otherwise is simply lying to you!


  30. Jason Smith /

    Hello there,

    A bit of good news – the TeslaCrypt developers now released the master key for their ransomware infection – you can download a decryption tool, developed by the ESET from the following link:

    TeslaCrypt Decryption Tool

    The master key (HEX) of the TeslaCrypt ransomware is:


    More information here:

    Jason Smith
