.CODERCRYPT File Extension

In December 2020, cybercriminals uploaded fake beta version of the Cyberpunk 2077 game for Android and distributed it from the "cyberpunk2077mobiledotcom" website. The criminals listed the app as Cyberpunk 2077 Mobile (BETA) and designed the website to appear similar to the Google Play store.

The site was not affiliated with Google or the actual developers of Cyberpunk 2077, but many unsuspecting users did not notice and downloaded the app to their Android devices. Once they granted the fake app permission to access their files and completed the installation, the ransomware stored within the app ran, encrypting their files and appending them with the .coderCrypt extension.

How did CoderWare ransomware encrypt my files?

When CoderWare ransomware, also known as Cyberpunk 2077 mobile ransomware, runs, it infects your Android device and encrypts your files with the RC4 encryption algorithm. After encrypting the files, the ransomware appends the .coderCrypt extension to their filenames. For example, an example.png file becomes example.png.coderCrypt.

After encrypting your files, the ransomware displays a README.txt message detailing the hostile takeover and includes instructions for how you can access your files via payment. FileInfo recommends you never pay a ransom to decrypt your files.

You may be able to decrypt and open files encrypted by the Android version of CoderWare ransomware. The files are encrypted with the RC4 symmetric encryption algorithm, which means you can use the same key to decrypt your files as the key used to encrypt your files.

You can find the key embedded into the source code of the fake mobile app that distributed the malware. Once you retrieve the key, you can use an RC4 decryption tool to decrypt your files. You can also contact an antivirus company, like Kaspersky or Malwarebytes for support.

NOTE: Back up your encrypted files if any data corruption occurs during the decryption process.