Crypt38 Ransomware

What is Crypt38 Ransomware?

Ransomware infections are serious threats that enter systems without permission and then immediately start performing activities on the infected computer. Crypt38 Ransomware is a newly released infection that is targeted at people living in Russia. We believe so because it shows the ransom note which is written in Russian after it encrypts files. Yes, you have understood correctly, Crypt38 Ransomware is going to lock files you have on your computer like similar ransomware infections prevalent on the web these days. To be honest, it has been developed to extort money from computer users, so it is definitely not going to act somehow differently. As we have already mentioned, Crypt38 Ransomware is targeted at those living in Russia; however, other people might allow it to enter their systems as well, especially if their computers are not fully protected from harm, i.e. users do not have security software installed.test

What does Crypt38 Ransomware do?

Specialists are sure that you will immediately understand if Crypt38 Ransomware sneaks onto the computer because this infection will lock the majority of files in the blink of an eye. It has been found that this ransomware adds the .crypt38 to each of the encrypted files, so it will not be difficult for you to say which of the personal files have been locked. Crypt38 Ransomware encrypts .xls, .ibooks, .dbf, .cer, .torrent, .key, .csv, .xml, .dwg, .pdf, .txt, .cpp, .pass, .php, .cs, and a bunch of other personal files. Fortunately, this ransomware infection will not touch files that are located in Windows, Program Files, Program Files(x86), and msocache directories, which means that you could easily access the Internet using your default browser, and it will not be hard to erase this threat.

Once Crypt38 Ransomware finishes encrypting files stored on the computer, it shows a message on the user’s screen saying that files are encrypted and users have to pay 1000 rubles (~$15) for the decryption key. Find the text of the ransom note translated from Russian by specialists working at below:

Your data is encrypted!

The cost of deciphering : 1000 rubles Unlock Code : *********

Your ID: {ID}

Send it to [Decrypt]

Do not delete or edit files .crypt38 and virus files, or it will not be possible to restore files!

Even though the sum of money Crypt38 Ransomware asks to pay users for the decryption of files is quite small, we still do not think that it is a good idea to pay money for cyber criminals because there is a way to decrypt files free of charge. To be honest, specialists have found it rather easy to create the decryptor because Crypt38 Ransomware, unlike other ransomware infections prevalent these days on the web, uses the symmetric encryption algorithm. It means that the encryption key is the same as the decryption key. The decryptor ( can be downloaded from the web. You will find this software easily using your search engine.

Where does Crypt38 Ransomware come from?

Crypt38 Ransomware is usually spread through spam emails. Yes, it pretends to be a decent attachment in most cases, which explains why there are so many computer users who get infected with this ransomware. According to specialists at, it is very likely that the malicious file which comes as an attachment usually pretends to be a good file, e.g. an invoice, so it is not surprising that users open it themselves without further consideration. You should ignore all spam emails you get because you always risk infecting your PC with malware by opening such letters. Also, security experts recommend installing reputable security software like SpyHunter. It will protect your PC from harm 24/7.

How to delete Crypt38 Ransomware

It has been noticed that Crypt38 Ransomware creates the following files: .exe file, request.bin, and a bunch of encrypted files. In addition, it adds its own Value in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. In order to eliminate the ransomware, you need to remove its main .exe file and then eliminate the Value from the Run registry key. In the case of request.bin and encrypted files (those that contain the .crypt38 extension), you should keep them in order to be able to unlock files using the decryptor. If, for any reason, this is impossible, you should remove these files as well. After doing that, you can try to recover your files from a backup (e.g. USB flash drive). Users who need some help with the Crypt38 Ransomware removal should read instructions provided below the article. Do not forget that this ransomware might not be the only threat existing on your computer, so it would be smart to scan the system with an automatic scanner as well.

Delete Crypt38 Ransomware

  1. Open the Windows Explorer (Win+E).
  2. Move to C:\Users\user\AppData\Roaming\Microsoft\Windows .
  3. Find and delete the .exe file (e.g. lsass.exe).
  4. Remove request.bin and all the encrypted files (only if the decryptor does not work!).
  5. Check C:\Users\user\AppData\Roaming.
  6. If you find files mentioned in 3-4 steps, delete them (request.bin and those encrypted files should only be removed if the decryption tool does not work).
  7. Launch RUN (Win+R).
  8. Enter regedit.exe in the box and click OK.
  9. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  10. Locate the lsass Value (the name might be different) containing data AppData\Roaming\Microsoft\Windows\lsass.exe.
  11. Right-click on it and select Delete.
  12. Empty the Recycle bin and reboot your PC.

If you have any questions regarding the removal of Crypt38 Ransomware, do not hesitate to contact us via the comment box you will below.

100% FREE spyware scan and
tested removal of Crypt38 Ransomware*

Leave a Comment

Enter the numbers in the box to the right *