Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Crowti.A - CryptoDefense

  • This topic is locked This topic is locked
1 reply to this topic

#1 nicojelek


  • Members
  • 1 posts
  • Local time:08:46 AM

Posted 04 May 2015 - 05:54 PM

Hi, i have a PC that 90% of my photo (.jpg) and most of .docx .doc, etc files can't be opened. it says the file is crypted and i sugested to pay some $. 

and there is a HELP_DECRYPT.html on my desktop. i scan that file on virustotal.com and only 1 antivirus (Microsoft) found a Ransom:HTML/Crowti.A.  Avira free antivirus & windows defender found nothing when i tried to scan the HELP_DECRYPT.html. 

i'm also tried to scan a .jpg and .docx that corupted. but those file are clean. i copy those file to different computer but still can't be opened. 



i delete the HELP_DECRYPT.html (i know this will not completely remove the virus) . and now im trying to find something that can save my data. then i find about CryptoDefense and exactly is my problem.


please and thx for your assistance.. 

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,087 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:46 PM

Posted 04 May 2015 - 07:29 PM

Crowti is generic name and results in CryptoWall 90% of the time. As such, it brands itself as CryptoWall or CryptoDefense when it informs victims their data has been encrypted. Like CryptoWall, Crowti directs its victims to a Tor page and gives them instructions on how to purchase Bitcoin to unlock their information.

Similar to CryptoWall, a fairly recent Cryptolocker variant, Crowti uses a valid digital signature to appear legitimate and then, once installed, demands users pay in Bitcoin to purportedly decrypt their files.

- CryptoWall 3.0 leaves files (ransom notes) named:

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0 & CryptoWall 3.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CryptoWall (including versions 2.0 & 3.0) does and provide information for how to deal with it. Cryptowall typically deletes (though not always) all Shadow Volume Copies with vssadmin.exe so that you cannot restore your files via System Restore or using a program like Shadow Explorer...but it never hurts to try. At this time there is no fix tool and Decryption of any CryptoWall Files...is impossible since there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom.

There are also lengthy ongoing discussion in these topics:Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users