Friday, June 19, 2015

How to Remove CTB-Locker Virus and Restore Encrypted Files

Posted By: SES - 10:21:00 AM
CTB-Locker is a Trojan-ransom (ransomware) infection that scans your computer for data files and encrypts them so they cannot be opened or repaired without the unique key. To get the key and decrypt your files you are asked to pay a ransom of $100 or sometimes even more. The ransomware renames each encrypted file by appending a unique extension, for example .KUEDIDG. CTB-Locker uses very strong encryption algorithms, so brute-forcing the key is unrealistic unless you have a supercomputer. It has a timer that gives you 96 hours (4 days) to pay the ransom. It's unclear what happens when the timer runs out. Cyber criminals say that they will destroy your unique decryption key if you don't pay on time, but I don't know if that's true or just a scare tactic. Another improvement is that this ransomware now ships with different language localizations: CTB-Locker decryption instructions are available in German, Dutch, and Italian. Cyber crooks will probably add more languages if this campaign succeeds. All signs indicate that this is a widespread malware infection, because anyone who buys a certain exploit kit gets the CTB-Locker module and support for a certain amount of time. In other words, you can expect multiple attacks performed by different people, which is why this ransomware is so dangerous. Those who created this ransomware will even help buyers install and run it.


Once installed, this ransomware scans your computer for data files and encrypts them silently in the background. You won't notice anything, except perhaps an increase in CPU usage. It then creates a file called DecryptAllFiles.txt in the Documents folder and displays a "Your personal files are encrypted by CTB-Locker" message with instructions on how to get your files back. The message reads:

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker. Otherwise, it's seems that you or your antivirus deleted the locker program.

Now you have the last chance to decrypt your files.

Open http://[edited].onion.cab or http://[edited].tor2web.org in your browser. They are public gates to the secret server.

If you have problems with gates, use direct connection:

1. Download Tor Browser from http://torproject.org

2. In the Tor Browser open the http://[edited].onion/
Note that this server is available via Tor Browser only.
Retry in 1 hour if site is not reachable.

Copy and paste the following public key in the input form on server. Avoid missprints.
XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX

Follow the instructions on the server.

So, what you basically have to do is install the Tor Browser or use a Tor-to-Web gateway to open a web page with payment information. Then you need to copy and paste the public key that was given to you and pay the ransom. If everything goes well, you will receive your decryption key. At least, this is what the cyber criminals say. I personally wouldn't trust them or pay the ransom unless the encrypted files were extremely important to me. You can't really know if they will send the decryption key. Think of paying the ransom as your last option.
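The behaviour described above (data files renamed with an appended extension such as .KUEDIDG, plus a DecryptAllFiles.txt note in Documents) is what you want to confirm before touching any backups. The following triage script is an added example, not code from the post or from any anti-malware vendor: it walks a folder tree and reports ransom notes and clusters of files that share one seven-letter appended suffix. The list of data extensions, the "original extension plus seven letters" pattern (generalised from the post's single .KUEDIDG example) and the cluster threshold are assumptions made for this example, and build_sample_tree() creates a constructed directory so it runs offline.

```python
import os
import re
import tempfile
from collections import defaultdict

# Name of the ransom note the post says CTB-Locker drops in the Documents folder.
RANSOM_NOTE = "DecryptAllFiles.txt"

# Extensions of the kind of "data files" the ransomware goes after. The exact
# list is an assumption for this example, not CTB-Locker's real target list.
DATA_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
                   ".txt", ".mdb", ".sql", ".zip"}

# The post's single example of a renamed file is ".KUEDIDG": the original name
# and extension followed by a seven-letter suffix. Generalising that to
# "<name>.<data ext>.<7 letters>" is an assumption made for this heuristic.
APPENDED_SUFFIX = re.compile(r"^.+(?P<ext>\.[A-Za-z0-9]{1,5})\.(?P<suffix>[A-Za-z]{7})$")

# One oddly named file proves nothing; an encryption run renames many files
# with the same suffix. The threshold is a choice made for this example.
CLUSTER_THRESHOLD = 5


def find_indicators(root):
    """Walk `root` and report ransom notes and clusters of suffix-renamed data files."""
    notes = []
    by_suffix = defaultdict(list)
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(path)
                continue
            m = APPENDED_SUFFIX.match(name)
            if m and m.group("ext").lower() in DATA_EXTENSIONS:
                by_suffix[m.group("suffix").upper()].append(path)
    clusters = {s: p for s, p in by_suffix.items() if len(p) >= CLUSTER_THRESHOLD}
    return {
        "ransom_notes": notes,
        "suffix_clusters": {s: len(p) for s, p in clusters.items()},
        "affected_files": sorted(f for paths in clusters.values() for f in paths),
        "likely_infected": bool(notes) or bool(clusters),
    }


def build_sample_tree(infected=True):
    """Create a constructed profile directory in a temp folder for a dry run."""
    root = tempfile.mkdtemp(prefix="ctb_demo_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    # Files that should never count: an untouched document, a normal
    # double extension, and a single odd suffix below the cluster threshold.
    for name in ("todo.txt", "archive.tar.gz", "photo.jpg.backups"):
        open(os.path.join(docs, name), "wb").close()
    if infected:
        for i in range(6):
            open(os.path.join(docs, f"report{i}.docx.KUEDIDG"), "wb").close()
        for i in range(3):
            open(os.path.join(pics, f"holiday{i}.jpg.KUEDIDG"), "wb").close()
        with open(os.path.join(docs, RANSOM_NOTE), "w") as fh:
            fh.write("Your personal files are encrypted by CTB-Locker\n")
    return root


if __name__ == "__main__":
    report = find_indicators(build_sample_tree())
    print(f"likely infected: {report['likely_infected']}")
    print(f"ransom notes:    {report['ransom_notes']}")
    print(f"suffix clusters: {report['suffix_clusters']}")
```

On a real machine you would point find_indicators() at the user profile (for example C:\Users\<name>) instead of the constructed tree. The cluster requirement matters: a lone file like photo.jpg.backups matches the pattern but is ignored, while nine files sharing the KUEDIDG suffix across two folders are reported together with the note, which is the combination that justifies moving on to the removal and restore steps.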

If you, like most of us these days, spend any amount of time on the Internet then you really need to make it your business to know what threats there are to your online safety – and what precautions you should be taking to protect yourself. These days, being infected by a virus doesn't just mean your computer keeps crashing; it can be far more serious than that. Bank fraud, data corruption and even identity theft can have long lasting ramifications and cause untold stress and misery. 

Put simply, you need to be aware of the dangers of malware like CTB-Locker. But that can be easier said than done when there are so many different types of malicious software to contend with. Do you know your spyware from your adware or your rogue security software from your Trojan Horses? Let’s take a closer look at the latter and find out how you can safeguard your data, your identity – and your sanity.

CTB-Locker is a particularly unpleasant type of malware which employs extremely devious tactics in order to install itself on your computer. In fact, you play an important part in that process, because CTB-Locker disguises itself as an entertaining, interesting or useful program to convince you that you really have to download it, like, right now! More often than not, it arrives as a file attachment in an email or on an instant messenger app. This attachment (or link) will look harmless enough, enticing even, but once you've clicked and opened it, you're setting the wheels in motion for an ensuing technology nightmare.

CTB-Locker has some very destructive character traits, such as corrupting your data, deleting your files, and logging your keystrokes with the aim of stealing personal information such as passwords and bank account details. Some variants of this ransomware even install more malware on your computer and turn it into something called a 'zombie', which basically means that your PC is now under the control of the malware's programmer. And if that sounds like something out of a horror movie, you wouldn't be far wrong, as anyone who's experienced the stress of being infected by a Trojan-ransom can testify.

The moral of the story? Don't be too trusting. Be very careful what attachments you open, and NEVER open files or click links in emails or messages from unknown senders. 

If you have any questions, please leave a comment down below. Good luck and be safe online! 

Written by Michael Kaur, http://deletemalware.blogspot.com


Step 1: Removing CTB-Locker and related malware:


Before restoring your files from shadow copies, make sure CTB-Locker is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then download ESET Online Scanner and run a second scan to make sure no other malware is running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by CTB-Locker virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note: this tool is available for Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted for where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
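Shadow Explorer is a GUI over the same Volume Shadow Copy snapshots that Windows' built-in `vssadmin list shadows` command lists. As an added example that is not part of the post and not Shadow Explorer's own code, the script below parses that listing and picks, per drive, the newest snapshot taken before the ransom note appeared: choosing simply "the latest date", as in step 2, can hand you a snapshot made after the encryption run, which only contains encrypted copies. The sample listing is constructed (placeholder GUIDs and host name, English-locale timestamp format assumed), and NOTE_CREATED stands in for the timestamp of DecryptAllFiles.txt on the infected machine.

```python
import re
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output. The GUIDs and host name
# are placeholders, and the layout assumes the English-locale formatting of the
# command. The constructed ransom note falls between the second and third snapshots.
SAMPLE_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 6/14/2015 8:02:11 PM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000a}
         Original Volume: (C:)\\?\Volume{11111111-1111-1111-1111-111111111111}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: EXAMPLE-PC
         Service Machine: EXAMPLE-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 6/15/2015 7:45:03 PM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000b}
         Original Volume: (D:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: EXAMPLE-PC
         Service Machine: EXAMPLE-PC

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000003}
   Contained 1 shadow copies at creation time: 6/16/2015 7:30:47 PM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000c}
         Original Volume: (C:)\\?\Volume{11111111-1111-1111-1111-111111111111}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: EXAMPLE-PC
         Service Machine: EXAMPLE-PC
"""

# English-locale vssadmin timestamp layout (assumption; other locales differ).
DATE_FORMAT = "%m/%d/%Y %I:%M:%S %p"
DRIVE = re.compile(r"\((?P<drive>[A-Z]:)\)")

# Assumed modification time of DecryptAllFiles.txt on the constructed machine.
NOTE_CREATED = datetime(2015, 6, 16, 11, 5, 0)


def parse_shadow_copies(text):
    """Turn `vssadmin list shadows` output into a list of snapshot records."""
    copies, created, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if "creation time:" in line:
            stamp = line.split("creation time:", 1)[1].strip()
            created = datetime.strptime(stamp, DATE_FORMAT)
        elif line.startswith("Shadow Copy ID:"):
            current = {"id": line.split(":", 1)[1].strip(), "created": created}
            copies.append(current)
        elif line.startswith("Original Volume:") and current is not None:
            volume = line.split(":", 1)[1].strip()
            m = DRIVE.search(volume)
            current["volume"] = volume
            current["drive"] = m.group("drive") if m else None
        elif line.startswith("Shadow Copy Volume:") and current is not None:
            current["device"] = line.split(":", 1)[1].strip()
    return copies


def choose_restore_point(copies, drive, infected_at):
    """Newest snapshot of `drive` taken strictly before the note appeared, or None."""
    candidates = [c for c in copies
                  if c.get("drive") == drive and c["created"] < infected_at]
    return max(candidates, key=lambda c: c["created"]) if candidates else None


if __name__ == "__main__":
    snapshots = parse_shadow_copies(SAMPLE_OUTPUT)
    for drive in ("C:", "D:", "E:"):
        pick = choose_restore_point(snapshots, drive, NOTE_CREATED)
        if pick is None:
            print(f"{drive} no usable snapshot before the ransom note")
        else:
            print(f"{drive} restore from {pick['device']} (created {pick['created']})")
```

On a live machine, run `vssadmin list shadows` from an elevated prompt and feed its stdout to parse_shadow_copies() instead of the sample; the newest C: snapshot (HarddiskVolumeShadowCopy3) is rejected here because it postdates the note, and HarddiskVolumeShadowCopy1 is chosen instead. If the listing is empty there are no snapshots to export from and Method 3 does not apply. The chosen device path can be exposed as an ordinary folder with `mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\` (the trailing backslash is required), after which copying files out of it is the command-line equivalent of Shadow Explorer's Export.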
