How to Decrypt Cryptorbit Files/Recover Files Encrypted by Cryptorbit (HowDecrypt)

Cryptorbit, also known as HowDecrypt, is a ransomware trojan that targets computers running the Windows operating system. Cryptorbit was first seen in January 2014. Here we will try to explain how to decrypt Cryptorbit files.

When activated, Cryptorbit encrypts certain types of files stored on your local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers, and leaves Howtocrypt ransom files. The malware then displays a ransom message which offers to decrypt the data if a payment is made by a stated deadline, and threatens to delete the private key if the deadline passes. The payment should be made either through Bitcoins or other untraceable virtual money or some widely used pre-paid vouchers; of course, cyber criminals depend heavily on anonymity, so the payment methods should be untraceable. Cryptorbit will scan your files and encrypt them regardless of the file type. It will also create a HowDecrypt.txt and a HowDecrypt.gif in every folder in which a file was encrypted.

CryptorBit does not actually encrypt the file. Instead, it corrupts the header of the file by replacing the first 512 bytes. The infection copies the original file header, encrypts it, and stores it at the end of the file. Then it creates a different 512-byte header and puts it in place of the original. Once this process is completed, a program that tries to open the file will read the unknown header and won't be able to open it. Thanks to the guys from BleepingComputer.com, there is a way to recover your corrupted files, or at least most of them. (*PLEASE DO NOT ATTEMPT TO DECRYPT YOUR FILES BEFORE REMOVING THE ACTUAL INFECTION)

If you notice that you are infected, we at MalwareKillers.com recommend that you download SpyHunter Malware Security Suite from our web page: http://www.malwarekillers.com/download-page/ in order to automatically remove the active infection. However, be advised that even when the infection has been removed successfully, your files will still be encrypted. Once you get rid of Cryptorbit (learn how to in our article HERE), you can try to recover your files using the methods presented below:

How to Recover Files Encrypted by Cryptorbit:

You can try to restore your files from a system backup. If a backup is not available, then you can attempt to recover your files using the Shadow Copy Service. Since Windows XP Service Pack 2, Windows has included a feature called Shadow Copy Service that, if enabled, will automatically create backup copies of your files.

1. How to restore files using the Shadow Copy Service:

Method 1.

Using native Windows Previous Versions:

*Be advised that the Windows System Protection option must have been enabled prior to the infection for this method to work.

1. Right click on the corrupted file and select Properties from the drop-down menu;
2. Go to the “Previous Version” tab (if the tab is missing, it means that the Windows System Protection option hasn't been enabled);
3. Choose the latest previous version copy and click on the Copy button, then select the directory you wish to restore the file to. If you prefer to restore the selected file directly, click on the Restore button.

This method can be used to restore an entire folder as well. Right-click on the selected folder and choose Properties and then Previous Versions tab.

Method 2.

Using Shadow Explorer:

You can also use a program called Shadow Explorer to restore entire folders. You can download the program from the following link: http://www.shadowexplorer.com/downloads.html

When you download and run the program, you will see, on the left side, a list of your available drives. Next to it, you will see the dates on which a shadow copy was created. You can select the drive and the date that you wish to restore from.

Method 3.

Using Archive Software

(Suggestion by BleepingComputer Forum Member: zlia) Original post here

He suggests the use of archive software, which can open XLSX and DOCX files and allow you to modify the content. He used 7-zip. This is small, free and easy to use archive software. You can download 7-zip from here: http://www.7-zip.org/.

To recover an Excel or Word file with 7-zip:

  1. Open 7-zip and navigate to the XLSX file that you need to recover.
  2. Right-click and select 7-zip > open archive -> the contents of the file will be opened in a new window. There should be 3 folders and one XML file.
  3. Find and copy an existing uninfected XLSX file to the desktop. It's very important that the file you are copying has been in use and has been formatted in some way. If you use a new Excel file for the steps below, some of the information may not be recovered.
  4. Open the main 7-zip window (the one with the file tree) and navigate to the CLEAN Excel file (the one that you just copied to the desktop), then right-click and select 7-zip > open archive.
  5. A new 7-zip window will open showing the 3 folders and the single XML file for the CLEAN Excel file. Arrange the 7-zip windows for the encrypted file and the CLEAN Excel file side by side (it is easier this way), select the 3 folders within the CLEAN Excel file and delete them.
  6. Select the 3 folders from the encrypted Excel file and drag and drop them into the 7-zip window for the CLEAN Excel file.
  7. Close both 7-zip windows and open the CLEAN Excel file. Excel might show a warning message saying that it found unreadable content in the file that you are trying to open, and will ask you if you want to recover the contents of the workbook -> click yes.
  8. You should have your original file back in working order.
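
The same part swap done with a script instead of two 7-zip windows, as an added example that is not from the original article or the forum post it credits. It assumes the damage layout described earlier (first 512 bytes replaced, 512 bytes appended) and generalizes the steps slightly: every part that still reads cleanly is kept, and only unreadable parts are taken from the clean file. The function names and sample data are constructed for illustration.

```python
import io
import zipfile
import zlib

HEADER_LEN = 512  # size of the replaced header, per the article


def salvage(damaged, donor, out):
    """Rebuild an OOXML (XLSX/DOCX) container: keep every part of `damaged`
    that still reads cleanly, and take parts whose data began inside the
    replaced header from `donor`. Returns (recovered, borrowed) name lists."""
    recovered, borrowed = [], []
    with zipfile.ZipFile(damaged) as bad, zipfile.ZipFile(donor) as good, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        donor_names = set(good.namelist())
        for info in bad.infolist():        # names come from the central directory
            try:
                data = bad.read(info)      # checks local header and CRC-32
                recovered.append(info.filename)
            except (zipfile.BadZipFile, zlib.error):
                if info.filename not in donor_names:
                    continue               # no clean substitute; leave it out
                data = good.read(info.filename)
                borrowed.append(info.filename)
            dst.writestr(info.filename, data)
    return recovered, borrowed


def constructed_samples():
    """Constructed test data: a clean donor and a damaged workbook, in memory."""
    def build(sheet):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
            z.writestr("[Content_Types].xml", b"<Types>" + b" " * 600 + b"</Types>")
            z.writestr("xl/worksheets/sheet1.xml", sheet)
        return buf.getvalue()
    original = build(b"<sheet>quarterly figures</sheet>")
    # Assumed layout from the article: first 512 bytes replaced, 512 appended.
    damaged = bytes(HEADER_LEN) + original[HEADER_LEN:] + bytes(HEADER_LEN)
    return io.BytesIO(build(b"<sheet>donor</sheet>")), io.BytesIO(damaged)


if __name__ == "__main__":
    donor, damaged = constructed_samples()
    print(salvage(damaged, donor, io.BytesIO()))
```

`salvage` accepts file paths as well as in-memory buffers; run it on copies of the affected files, never the only remaining originals.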

If these methods do not help you, there is still hope! The BleepingComputer.com member Nathan Scott (nickname: DecrypterFixer) has developed a program, called DecrypterFixer's tools, that will allow you to recover JPG, PST, MP3, PDF, DOC, and XLS documents that have been encrypted by Cryptorbit.

2. How to recover files encrypted by Cryptorbit using the DecrypterFixer’s Tools:

Nathan Scott's tools can repair different types of files encrypted by Cryptorbit. Currently, you can recover corrupted PST, JPG, PDF, MP3, DOC, and XLS files. In order to use the tools, you must have Microsoft .NET Framework 4.0 or higher installed on your computer.

  1. To repair your files, you will have to download the Anti-CryptorBitV2.exe tool from the link: http://download.bleepingcomputer.com/cryptorbit/Anti-CryptorBitV2.zip;
  2. Run the Anti-CryptorBit.exe program;
  3. Choose a recovery method to run, and follow the instructions.

  1. Vaibhav /

    Thank you very much for JPG and Office file fixes… How do we recover video files affected by Cryptorbit? Any chance of including that in the Anti-CryptorBit exe?

  2. Alfredo /

    Can anyone help me with a decryptor for dwg files?

  3. Amar /

    Thank you for all the information and time everyone has put in to help everyone.

    I have some Word docs (.doc) that were infected and I’ve tried DecrypterFixer’s Tools and the 7-zip method but no luck – is there anything else anyone can suggest that has worked for them?

  4. Isabella /

    Is there any way of finding out who created this virus?

  5. Mark /

    None of the above worked for me. Every file on my computer is gone. If anyone can help I would greatly appreciate it.

  6. John-Doe /

    I’m using: JPEG Recovery (JPEG); Stellar Phoenix PDF Recovery (.pdf), Stellar Phoenix Word Repair (.doc), Remo Repair AVI (.avi) and Anti-Cryptorbit (working with some other files).

    1. Jason Smith / Post Author

      Hey John-Doe,

      Thank you for sharing your experience. Can you please confirm that you’ve managed to successfully recover files using the programs mentioned above?!
      Thank you once again for your information!

      Regards!

  7. Rk /

    Any solutions for XP?

    1. Jason Smith / Post Author

      Hey Rk,

      I’m not aware of any solution for Windows XP and cryptowall encryption! Sorry about the bad news!

      regards
      malwarekillers.com
