Cryptedx Ransomware

Cryptedx Ransomware Description

Type: Ransomware

The Cryptedx Ransomware is a file encoder Trojan that was announced on cybersecurity blogs on January 9th, 2017. The initial threat analysis suggests that the Cryptedx Ransomware is a modified version of the Xorist Ransomware. The Xorist family of file encoders is known to include half a dozen strands that include the Crypto1CoinBlocker Ransomware, the Blocked2 Ransomware, the Zixer2 Ransomware and the XRat Ransomware. Computer security analysts note that the Cryptedx Ransomware functions as a generic crypto-threat. The payload is delivered via macro-enabled Microsoft Word files that are disseminated using spam emails. However, cracked copies of shareware may be used to deliver the Cryptedx Ransomware Trojan to users directly as well.

The attack does not take long to manifest as the Cryptedx code is small in size and it is executed with administrative privileges. That way, the Cryptedx Ransomware manages to scan local memory drives and delete the System Restore points relatively fast. The threat is observed to report successful infiltration to remote servers and include the user's keyboard layout, IP address, computer name, active username and installed software. Additionally, the Cryptedx Ransomware Trojan generates a pair of decryption and encryption keys before it proceeds to encode the targeted data. The Cryptedx Ransomware Trojan is designed to encipher photos, music, videos, office documents, eBooks, PDFs and databases. The Cryptedx Trojan is recorded to add '.cryptedx' to the file names and something like 'Meyendorff Castle.jpeg' is renamed to 'Meyendorff Castle.jpeg.cryptedx.' We have seen Cryptedx delete the Shadow Volume snapshots as well, and disable the native recovery features in Windows 10, Windows 8, Windows 7 and Windows Vista. Affected PC users are shown a file called 'HOW TO DECRYPT FILES.txt,' which is loaded in the Microsoft's Notepad desktop app and offers the following information:

'Attention! All your files are encrypted!
To restore your files and access them,
please send a mail to

You have 5 attempts to enter the code.
When that number has been exceeded,
all the data irreversibly is destroyed.
Be careful when you enter the code!
WTF !'

The threat creators may offer help with decoding the affected data if you send an email to '' and transfer a 100 USD worth of Bitcoin (≈0.006570 BTC) to their digital wallet — 13dYEREjhp5Hde3n5CsV15TFj5PB4nm1md. You may notice that the desktop background image is changed to a black screen that features the name 'CRYPTEDX RANSOMWARE' and the message shown above. We advise against interaction with the threat operators because they may ask questions about the native of the affected data and more money. There is no way to know if they will cooperate and sell you the decryptor you need. A safer and smarter alternative is to use backup images for the recovery process, but you will need to remove the threat with the help of a reputable anti-malware solution.

Site Disclaimer is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.