CryptoGod Ransomware

You may find removing CryptoGod Ransomware from the system is not an easy task. According to our researchers, it does not block the screen, but it can disable your Task Manager, Command Prompt, and Registry Editor. It looks like the infection’s creators did everything in their power to stop the user from erasing the threat since the mentioned tools do not work even in Safe Mode. Fortunately, we know how to enable these tools again and also how to get rid of this malicious application manually. The deletion part will be explained in the last paragraph, while the rest of the text will tell you all important details related to the malware’s working manner and its distribution. At the end of the article, users can find a step by step removal instructions too; to make it easier to eliminate CryptoGod Ransomware.

Our researchers report the malicious application should be spread in usual ways, for example, Spam emails, false updates, malicious program installers, and so on. To stay away from threats alike in the future it would be advisable to pay more attention to the data you download from emails or doubtful file-sharing web pages. In case it is impossible to determine whether the file is safe to interact with, we recommend scanning it with a reliable antimalware tool. However, if the user acts carelessly and opens CryptoGod Ransomware’s launcher without checking this file first, the device might get infected instantly.

For starters, the malware should begin encrypting its targeted data. Unfortunately, it appears the malicious applications has a huge list of various extensions it is programmed to go after, for example, pfd, .pfx, .pg, .php, .pic, .pl, .plb, .pls, .plt, .pma, .pmd, .png, .pns, .por, .pot, .potm, .ppj, .potx, .pp4, .pp5, .ppam, .ppf, .pps, .ppsm, .ppsx, .ppt, and so on. Once the targeted files get encrypted with a secure cryptosystem, they should be marked by a second extension called .payforunlock (tulip.jpg.payforunlock, text.docx.payforunlock, etc.). The next CryptoGod Ransomware’s move should be to create a Registry entry in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run directory. There the threat is supposed to create a value name called CryptoGod. The purpose of it is to allow the malware launch itself automatically. Therefore, even if you close the infection by clicking ALT+F4, it might relaunch itself after some time.

Moreover, as we explained at the beginning of the text, CryptoGod Ransomware is supposed to make sure the computer’s user will not be able to open Task Manager and other useful tools that would help during the threat’s removal. Nonetheless, its last task is the ransom note’s display. The provided message explains to the user what happened to his computer and files located on it. Also, it instructs you how to make a payment to the hackers’ account. If you believe what these people say the encrypted files should be unlocked after the transaction is confirmed.

The suspicious part is that the hackers do not explain how you will be able to decrypt your data. We would be against paying the ransom in any case, but due to the lack of important details about the decryption part, we want to stress how risky dealing with the malicious application’s creators could be. After all, they might lie about having the right decryption key for your computer, or they may not go through the trouble of delivering any tools. Not to mention these hackers could want for more money after the payment is made.

All things considered, we do not think it would be smart to deal with the hackers. Files can be restored while using copies placed on cloud storage, removable media devices, and so on. Of course, before copying files from such storages, you should get rid of CryptoGod Ransomware at once. The malware could still be dangerous if the user leaves it unattended, especially when it can launch itself automatically. To eliminate the threat manually, we advise erasing its launcher, the Registry entry it created, and all other data possibly related to it. As promised, the instructions available below the article will show you how to complete these steps. Another way to erase this infection is to do a system scan with a reliable antimalware tool and press the deletion button when it appears.

Enable Registry Editor

1. Press the Windows button.
2. Insert gpedit.msc into the Windows search box and select gpedit.
3. Go to User Configuration\Administrative\Templates\System
4. Choose Prevent access to registry editing tools.
5. Select Disabled or Not Configured.
6. Click OK.

Enable Windows Task Manager

1. Tap the Windows button.
2. Insert gpedit.msc into the search box and open gpedit.
3. Find this path: User Configuration\Administrative\Templates\System\Ctrl+Alt+Del Options
4. Choose Remove Task Manager.
5. Select Disabled or Not Configured.
6. Press OK.

Enable Command Prompt

1. Press the Windows button.
2. Insert gpedit.msc into the search box and choose the suggested tool.
3. Look for this path: User Configuration\Administrative\Templates\System
4. Select Prevent access to the command prompt.
5. Choose Disabled or Not Configured.
6. Click OK to finish.

Eliminate CryptoGod Ransomware

1. Press Ctrl+Alt+Delete.
2. Open your Task Manager.
3. Find a process called CryptoGod.exe, select it and click the End Task button.
4. Leave the Task Manager.
5. Tap Win+E.
6. Find the Desktop, Temporary Files, and Downloads folders.
7. Look for a malicious file that infected the system once you opened it.
8. Right-click the file you suspect to be malicious and press Delete.
9. Go to %AppData%
10. Find a directory called MoWare_H, right-click it and press Delete.
11. Close the File Explorer.
12. Press Win+R, insert Regedit and select OK.
13. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
14. Locate a value name called CryptoGod, right-click it and select Delete.
15. Close the Registry Editor.
16. Empty the Recycle bin.
17. Reboot the system.