Home » Cybersecurity » How to remove CryptoDefense (Virus Removal Guide)
CryptoDefense virus removal

How to remove CryptoDefense (Virus Removal Guide)

What is CryptoDefense ransomware?

The CryptoDefense virus is a dangerous malware categorized as ransomware, also known as a cryptovirus that is similar to CryptorBit and HOWDECRYPT viruses. CryptoDefense, also known as the CryptoDefense Software virus or How_Decrypt virus, targets all versions of the Microsoft Windows Operating System including Windows XP, Windows Vista, Windows 7, and Windows 8. When infected with the CryptoDefense virus, this ransomware will scan your computer and encrypt any data file it finds regardless of the file type or extension.

CryptoDefense virus removal

If you are infected the with CryptoDefense ransomware you should know that at this time there is unfortunately no method of decrypting the files encrypted by CryptoDefense Software. This virus also deletes all your Shadow Volume Copies, which means the only way to restore your files from a backup (if you even have one).

The CryptoDefense virus locks a computer system, encrypts the files on the machine, and demands a fine to de-encrypt the files and release the computer. The CryptoDefense virus will create a How_Decrypt.txt file and a How_Decrypt.gif in every Windows folder that CryptoDefense encrypts. The GIF and TXT files that download alongside the CryptoDefense virus will contain instructions to access a fraudulent payment website that pay the fake ransom. The CryptoDefense payment site is located on the Tor network and you can only make the payment in Bitcoins.

When CryptoDefense encrypts a file it does not actually encrypt the entire file, instead the CryptoDefense virus replaces the first 512 bytes of the file.

If you are infected with CryptoDefense malware do not pay the fine and do not click any links or available navigation buttons!

The message displayed on the common CryptoDefense screen is listed below:

All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software.

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; 
the server will destroy the key after a month. After that, nobody and never will be able to restore files.

In order to decrypt the files, open your personal page on the site https://rj2bocejarqnpuhm.onion.to/XXX and follow the instructions.

If https://rj2bocejarqnpuhm.onion.to/XXX is not opening, please follow the steps below:

1. You must download and install this browser http://www.torproject.org/projects/torbrowser.html.en
2. After installation, run the browser and enter the address: rj2bocejarqnpuhm.onion/XXX
3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.


Your Personal PAGE: https://rj2bocejarqnpuhm.onion.to/XXX
Your Personal PAGE(using TorBrowser): rj2bocejarqnpuhm.onion/XXX
Your Personal CODE(if you open site directly): XXX

*Information provided by: botcrawl.com

As you can see this message is primarily used to frighten victims of this dangerous computer infection.

If you paid the fine please contact your credit card or bank institutions to dispute charges and receive further safety instructions.

How does CryptoDefense virus get onto a computer?

The CryptoDefense cryptovirus infection can be contracted via suspicious downloads including freeware, shareware, codecs, torrents, and more, and is also promoted in malicious advertisements and search results.

The CryptoDefense virus may be present in exploit kits and may gain access via trojan horses hiding on malicious websites.

   Green Arrow Bullet   How to remove CryptoDefense virus

  1. CryptoDefense removal software (Automatic removal) – Detect and remove CryptoDefense ransomware
  2. System Restore – Restore PC to date and time before the CryptoDefense malware infection
  3. For Tech Support – Call 1-888-879-0084 and they will kindly assist you with removing the CryptoDefense computer infection

1. CryptoDefense virus removal software

1. We highly recommend writing down the toll free number below in case you run into any issues or problems while following the instructions. Our techs will kindly assist you with any problems.

if you need help give us a call

2. Install the free or paid version of Malwarebytes Anti-Malware software.

Border Ten

Malwarebytes’ Anti-Malware

Malwarebytes Anti-Malware software

$24.95 USD (Lifetime) / FREE

Latest versions: Malwarebytes Anti-Malware PRO, Malwarebytes Anti-Malware Free
Release date: 2014

Purchase Malwarebytes PRO   Free Download

Border Ten

3. Once Malwarebytes is installed, open the Anti-Malware program. If you are using the free version of Malwarebytes you will be prompted to update the database, please do so.

4. On the first tab labeled “Scanner” select the Perform full scan option and click the Scan button to perform a full system scan (pictured below).

Malwarebytes Perform Full Scan

5.  Malwarebytes will automatically detect the malicious CryptoDefense files and third-party malware on your computer. Once the scan is complete, Malwarebytes will prompt a message stating malicious objects were detected. Select (check) the malicious objects in the list and click the Remove Selected button to completely remove the CryptoDefense malware from your computer (The image below shows a file that is NOT selected for removal – ‘Make sure the box is checked in’).

Malwarebytes Gadgetbox

2. System Restore

System Restore is an easy solution to restore an infected computer to a date and time before it became infected with the CryptoDefense computer virus. To learn more please select a link below:

Windows Recommended Restore And Choose A Restore Point

CryptoDefense virus removal tips:

If the CryptoDefense virus is difficult to remove there are several steps you can use to troubleshoot the removal process:

User accounts

Ransomware often infects 1 user account on Windows systems at a time. Here are some tips to remove ransomware by using different user accounts.

  • Log into an account not affected by malware (with administrative rights) and perform a scan with reputable software to detect and remove malware.
  • You can also delete the infected account.
Denying flash

Some variants of ransomware use flash and symptoms of the infection can be halted by denying flash via Macromedia’s real-time options. To learn more and deny flash please visit: http://www.macromedia.com/support/documentation/en/flashplayer/help/help09.html

Troubleshoot internet/network issues

Safe Mode With Networking can be used to access the Internet for updates, drivers, removal software, or other files if internet and network connectivity is compromised.

Sean Doyle

Sean is a tech author and engineer with over 20 years of experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and other topics. He is featured in several publications.

More Reading

Post navigation

1 Comment

  • Hi there! On August 26, 2014 have been infected by the virus Trojan Win32 CryptoDefense / Harasom.A and despite having cleaned up my system I find myself with all the files and encrypted with the extension .ctb2. How do I restore it? I also tried restoring the configuration on another date but nothing.

    Pending thank you in advance

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

How to remove the CryptoLocker virus – Encryption virus removal Instructions

What is Gamma Ransomware and how do I remove it? (Free Guide)

How to remove the AntiChild Porno Spam Protection virus – Encryption virus removal