Crysis Ransomware Removal Guide

Do you know what Crysis Ransomware is?

Crysis Ransomware is yet another Trojan horse infection that holds a user computer hostage demanding a ransom payment. It comes from a group of dangerous computer threats that do not beat around the bush. You may remove Crysis Ransomware from your computer, but the damage inflicted will not disappear because the payload of the program is different from that of the primitive rogue antispyware applications or the early Ukash ransomware infections. This program knows exactly what it wants from you, and it tries its best to push you into giving away your money.

Currently, it is not clear how much the cyber criminals expect you to pay for the decryption key. In order to find out, the infected user has to send out an email to the given address. Here is the ransom note that you will see on your screen when Crysis Ransomware enters your computer:

Attention! Your computer was attacked by virus-encoder.
All your files are encrypted cryptographically strong, without the original key recover is impossible! To get the decoder and the original key, you need to to write us at the with subject “encryption” stating your id.
Write in the case, do not waste your and our time on empty threats.
Responses to letters only appropriate people are not adequate ignore.

P.S. only in case you do not receive a response from the first email address within 48 hours please use this alternative email

As you can see, the criminals waste no time trying to convince you that your files were encrypted for some legitimate reason. They only want you to contact them ASAP stating your ID. Crysis Ransomware and other ransomware infections create unique user IDs for each infected computer so that their creators would know which infected computer contacts them. This proves that the infection maintains communication with its command and control center (C2). Quite often, ransomware programs initiate the file encryption only when they get a response from the C2 that the infiltration was confirmed.Crysis Ransomware Removal GuideCrysis Ransomware screenshot
Scroll down for full removal instructions

Also, please take note that the message gives you a secondary email address in case the first one would not work. This shows that there is a chance Crysis Ransomware is using proxy servers for C2 communication, and proxy servers might be taken down any time if the service providers find out their servers are being used for malicious purposes. Thus, it shows that the communication channels between Crysis Ransomware and its C2 are not too reliable. In the worst case scenario, the criminals behind this may not even know that you have paid the ransom fee if the communication servers get taken down.

That is why computer security experts strongly oppose paying the ransom fee. There is the moral aspect to this because succumbing to the demands of criminals does not help anyone. However, at the same time, from the practical point of view, you have to consider that paying may not be the answer. Due to the possibility that Crysis Ransomware may lose contact with C2, there is also a chance that you would not receive the decryption key even after you transfer the payment. Hence, you would only lose your money, and your files will remain encrypted.

Unfortunately, the ransomware program employs the AES encryption to encrypt all of your files. Our research shows that the program encrypts all file extensions for all programs. Once the encryption is complete, you will no longer be able to open any of the programs, except for Internet Explorer. This is obvious because the criminals need to you to send out the email somehow.

You can delete Crysis Ransomware by following the instructions we provide below this article. However, the best way to get your files back is to restore them from the backup. It may not be possible to restore them from the Shadow Copies because ransomware programs tend to delete those early on. Your best shot would be restoring your files from cloud drive or an external hard disk. This is exactly what computer security specialists point out all the time.

As for your computer security status, you should invest in a licensed antispyware tool that would help you scan your PC and locate other potential threats. You can actually avoid Crysis Ransomware and other similar infections if you stay away from spam email messages and unfamiliar websites that might have malicious exploits, leading to a malware infection. Nevertheless, if you are not sure of your skills, you can always contact a professional or leave us a comment. We will reply as soon as possible.

How to Remove Crysis Ransomware

  1. Press Win+R and the Run prompt will open.
  2. Type in %LOCALAPPDATA% and press OK.
  3. Find an executable (.exe) file with a random name and delete it.
  4. Repeat steps 1 to 3 in the following directories:
    %UserProfile%\Local Settings\Application Data

Take note that the random name file has to have the SAME NAME in all the directories!

Delete the Crysis Ransomware Run Key

  1. Press Win+R and type regedit into the Open box.
  2. Click OK to access Registry Editor.
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  4. Locate the random name run key associated with Crysis Ransomware.
  5. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
  6. Repeat the action in step 3.

Change Your Wallpaper

  1. Go to your Documents folder.
  2. Locate a random name image file.
  3. Delete the file.

In non-techie terms:

Crysis Ransomware is a malicious computer infection. This program wants your money, and it tries to extort it by encrypting your files. This means that you can no longer open any of your programs and only the people behind Crysis Ransomware have the key that could restore your files. Needless to say, you should remove this application and everything related to it from your system without any further ado. Paying the ransom would only encourage the criminals behind this infection to expand their operation, so you should never succumb to their demands.