So your files now have a fancy “.crone” extension and you’re staring at a ransom note. Welcome to the Crone virus club – it’s not a club anyone wants to join. This delightful piece of ransomware comes from the Babuk family and has one job: lock up your stuff and make you pay to get it back.
Crone Virus: The Basic Breakdown
☝️ Think of it as a digital locksmith that changes all your keys and charges you for new ones.
Crone adds the “.crone” extension to every file it encrypts. Your “vacation_photos.jpg” becomes “vacation_photos.jpg.crone” and your “tax_returns.pdf” becomes “tax_returns.pdf.crone” – creative naming isn’t its strong suit.
The criminals leave a calling card named “How To Restore Your Files.txt” in every folder with encrypted files. Inside is their sales pitch: pay 0.006 Bitcoin (about $570) to an address, email babuckransom@tutanota.com with proof, and supposedly they’ll send you the key. Spoiler alert: paying criminals isn’t exactly a money-back guarantee situation.
Crone’s Vital Stats:
| Name | Crone Virus |
| Ransomware family[efn_note]My files are encrypted by ransomware, what should I do now?[/efn_note] | Babuk ransomware |
| Extension | .crone |
| Ransomware note | How To Restore Your Files.txt |
| Ransom | 0,006 BTC ($570 USD) |
| Contact | babuckransom@tutanota.com |
| Detection | Trojan:Win32/Tnega!MSR Removal, Win32:Adware-DNA [Adw] Virus Removal, Win32:Secat [Trj] Virus Removal |
| Symptoms | Your files (photos, videos, documents) have a .crone extension and you can’t open them. |
| Fix Tool | See If Your System Has Been Affected by Crone virus |
The ransom note is available in both English and Russian, because international customer service matters in cybercrime. Here’s what their “business proposal” looks like:
--------------- Hello --------------- !!!IMPORTANT !!! ################################### # you Decryptor ID is : - # ################################### Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0,006 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us a message with your Decryptor ID and transaction ID at babuckransom@tutanota.com 3) Launch decryptor.exe, which our support will send you through email What guarantees? ------------------ We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ------------------ !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!
Here’s what your files look like after Crone redecorates them – notice the fancy “.crone” extension added to everything:
Look at all those locked files – it’s like digital jail.
How Did This Digital Disaster Land on Your Computer?
Turns out there’s more than one way to catch digital ransomware.
Ransomware like Crone doesn’t just materialize out of thin air – someone has to invite it in (unknowingly, of course). The most common entry points are spam emails with infected attachments, Trojan horses disguised as legitimate downloads, and sketchy torrent files.
Those “urgent” emails from FedEx about a missed delivery or important messages from your “bank” are classic ransomware delivery vehicles. The attachment might look innocent, but it’s packing a nasty surprise – kind of like a digital glitter bomb, except instead of glitter it’s file-encrypting malware.
Trojan infections happen when you download what seems like a legitimate program or update. You think you’re getting Adobe Acrobat, but surprise – it’s actually ransomware with a convincing disguise. Meanwhile, torrent sites are basically the Wild West of file sharing – that “free” copy of Photoshop might cost you every file on your computer.
Getting Rid of Crone (And Its Friends)
Did I mention Crone often brings a friend to the party? The Vidar Stealer typically tags along to steal your passwords and crypto wallet info while you’re distracted by the ransomware. It’s like having your house robbed while you’re dealing with a flood – cybercriminals are nothing if not efficient.
Remove Crone with Gridinsoft Anti-Malware
We have also been using this software on our systems ever since, and it has always been successful in detecting viruses. It has blocked the most common Ransomware as shown from our tests with the software, and we assure you that it can remove Crone as well as other malware hiding on your computer.
To use Gridinsoft for remove malicious threats, follow the steps below:
1. Begin by downloading Gridinsoft Anti-Malware, accessible via the blue button below or directly from the official website gridinsoft.com.
2.Once the Gridinsoft setup file (setup-gridinsoft-fix.exe) is downloaded, execute it by clicking on the file.
3.Follow the installation setup wizard's instructions diligently.
4. Access the "Scan Tab" on the application's start screen and launch a comprehensive "Full Scan" to examine your entire computer. This inclusive scan encompasses the memory, startup items, the registry, services, drivers, and all files, ensuring that it detects malware hidden in all possible locations.
Be patient, as the scan duration depends on the number of files and your computer's hardware capabilities. Use this time to relax or attend to other tasks.
5. Upon completion, Anti-Malware will present a detailed report containing all the detected malicious items and threats on your PC.
6. Select all the identified items from the report and confidently click the "Clean Now" button. This action will safely remove the malicious files from your computer, transferring them to the secure quarantine zone of the anti-malware program to prevent any further harmful actions.
8. If prompted, restart your computer to finalize the full system scan procedure. This step is crucial to ensure thorough removal of any remaining threats. After the restart, Gridinsoft Anti-Malware will open and display a message confirming the completion of the scan.
Remember Gridinsoft offers a 6-day free trial. This means you can take advantage of the trial period at no cost to experience the full benefits of the software and prevent any future malware infections on your system. Embrace this opportunity to fortify your computer's security without any financial commitment.
Trojan Killer for “Crone” removal on locked PC
In situations where it becomes impossible to download antivirus applications directly onto the infected computer due to malware blocking access to websites, an alternative solution is to utilize the Trojan Killer application.
There is a really little number of security tools that are able to be set up on the USB drives, and antiviruses that can do so in most cases require to obtain quite an expensive license. For this instance, I can recommend you to use another solution of GridinSoft - Trojan Killer Portable. It has a 14-days cost-free trial mode that offers the entire features of the paid version. This term will definitely be 100% enough to wipe malware out.
Trojan Killer is a valuable tool in your cybersecurity arsenal, helping you to effectively remove malware from infected computers. Now, we will walk you through the process of using Trojan Killer from a USB flash drive to scan and remove malware on an infected PC. Remember, always obtain permission to scan and remove malware from a computer that you do not own.
Step 1: Download & Install Trojan Killer on a Clean Computer:
1. Go to the official GridinSoft website (gridinsoft.com) and download Trojan Killer to a computer that is not infected.
2. Insert a USB flash drive into this computer.
3. Install Trojan Killer to the "removable drive" following the on-screen instructions.
4. Once the installation is complete, launch Trojan Killer.
Step 2: Update Signature Databases:
5. After launching Trojan Killer, ensure that your computer is connected to the Internet.
6. Click "Update" icon to download the latest signature databases, which will ensure the tool can detect the most recent threats.
Step 3: Scan the Infected PC:
7. Safely eject the USB flash drive from the clean computer.
8. Boot the infected computer to the Safe Mode.
9. Insert the USB flash drive.
10. Run tk.exe
11. Once the program is open, click on "Full Scan" to begin the malware scanning process.
Step 4: Remove Found Threats:
12. After the scan is complete, Trojan Killer will display a list of detected threats.
13. Click on "Cure PC!" to remove the identified malware from the infected PC.
14. Follow any additional on-screen prompts to complete the removal process.
Step 5: Restart Your Computer:
15. Once the threats are removed, click on "Restart PC" to reboot your computer.
16. Remove the USB flash drive from the infected computer.
Congratulations on effectively removing Crone and the concealed threats from your computer! You can now have peace of mind, knowing that they won't resurface again. Thanks to Gridinsoft's capabilities and commitment to cybersecurity, your system is now protected.
Sometimes the criminals will decrypt a couple of files as “proof” they can restore your data. It’s like a drug dealer giving away the first sample – they want you hooked on the possibility of getting your files back. Since Crone is relatively new, antivirus companies haven’t created a free decryption tool yet, though they’re probably working on it.
Paying the ransom is a gamble with bad odds. After getting your Bitcoin, the criminals might send the wrong decryption key, a non-working decryptor, or nothing at all. Remember, you’re dealing with people who literally make a living by stealing and extortion – not exactly the trustworthy types.
Your best defense against ransomware is a good backup that isn’t connected to your computer. Cloud storage, external drives you only plug in for backups, or even good old-fashioned printed copies of critical documents are all better than paying criminals. After removing the ransomware, scan everything with an antivirus – these things often leave backdoors.
Crone has plenty of relatives in the ransomware family – Gunra, Hudson, and Petyax all work in similar ways. They encrypt files, change extensions, and leave ransom notes demanding payment. The main differences are usually just the amount they demand and their encryption method – like how all fast-food chains sell burgers but have different recipes for the special sauce.
In rare cases, victims get lucky when ransomware authors make mistakes in their code. Sometimes they accidentally include the decryption key in the ransom note or use weak encryption that security experts can break. Don’t count on this happening though – it’s about as likely as winning the lottery while being struck by lightning.
How to Keep Ransomware Off Your Computer
Crone isn’t magical – it needs your help (even if unintentional) to infect your system.
Protect yourself with these basic security habits:
- Be suspicious of emails from strangers, especially ones with attachments or links. That email telling you you’ve won a contest you never entered? It’s a trap. Even if the email seems to be from someone you know, check carefully – criminals often fake email addresses.
- Avoid pirated software and “cracked” programs. That “free” Photoshop might seem like a good deal until it encrypts your entire digital life. The crack or keygen is often just malware in disguise – like a digital Trojan horse, except instead of Greek soldiers it’s filled with ransomware.
- Use reliable security software that updates regularly. Programs like GridinSoft Anti-Malware can spot ransomware before it locks up your files – which is a lot better than dealing with the aftermath. Think of it as a digital immune system.
FAQ About Crone Ransomware
🤔 Can I open “.crone” files somehow?
Not unless you decrypt them first. That’s the whole point of ransomware – lock your stuff up tight so you can’t access it without their key. It’s like changing all your door locks and then selling you the new keys.
🤔 I need those files ASAP. How can I decrypt them quickly?
If you have backups, that’s your fastest option. If you enabled System Restore previously, you might recover older versions of some files. Without those safeguards, you’re looking at either paying the ransom (risky) or using file recovery software that might salvage some data – neither is guaranteed or quick.
🤔 Will anti-malware delete my encrypted files when removing Crone?
No, anti-malware programs only target the ransomware itself, not your encrypted files. The encrypted files aren’t dangerous – they’re victims too. The bigger concern is that ransomware often installs backdoors and keyloggers to steal your passwords, so even after removing Crone, you should change all your important passwords.
🤔 Crone has locked up my whole computer. What now?
Boot into Safe Mode with a flash drive containing Trojan Killer Portable. Safe Mode prevents the ransomware from automatically launching and encrypting new files. Check out our guide on running Windows in Safe Mode if you need help with this process.
🤔 Is there any way to recover files without paying?
Your data might exist elsewhere if you’re lucky. Check your email for files you’ve sent or received, ask friends if you’ve shared anything with them, redownload files from original sources, check social media and cloud storage, or dig through old devices. Think of any place you might have digital duplicates hanging around.
USEFUL TIP: Data recovery software might salvage some files since ransomware typically creates encrypted copies and deletes originals. Tools like PhotoRec can sometimes rescue deleted files, but you need to remove the ransomware first or it’ll just encrypt any recovered files again – like trying to bail water from a boat before plugging the leak.
