Decrypt Cryptolocker Encrypted Files and Remove Cryptolocker Ransomware


What CryptoLocker is and What it Does

CryptoLocker is a ransomware trojan that targets Microsoft Windows and is spread mainly through e-mail attachments and botnets (networks of compromised machines under criminal control). It is thought to have first appeared in September 2013 and to be the work of Russian hacker Evgeniy Bogachev, the operator behind the Gameover Zeus botnet and its Zbot banking trojan (he is wanted by the FBI in connection with various cybercrimes). A large law-enforcement operation against the people behind this malware took place in 2014, but the threat is still infecting systems, alongside related families such as CryptoWall 3.0. Remove CryptoLocker, or anything you suspect is a variant of it, as soon as possible.

When the malicious payload is first run, it copies itself into the user profile folder and adds a registry start-up entry so that it runs every time Windows starts. It then contacts a command-and-control server, which generates a unique RSA key pair for that victim and sends back only the public key; the private key needed for decryption never leaves the attackers' server, which is why the files cannot simply be decrypted offline. CryptoLocker uses that key to encrypt the victim's files, making them unusable, and demands payment for the private key (hence the name ransomware). The victim is given a deadline, and if it is missed the price rises. In some cases paying the ransom did not result in decryption at all. The criminals behind it are thought to have extorted many millions of dollars. It is important to detect and remove CryptoLocker immediately should you become infected.


After encrypting your files, CryptoLocker drops a DECRYPT_INSTRUCTIONS.txt ransom note in each folder that contains encrypted files and on the Windows desktop. It also changes the desktop wallpaper to DECRYPT_INSTRUCTIONS.html.


Both the wallpaper and the text ransom note contain the same information on how to reach the payment site and get your files back. The URLs in the note lead to a Tor hidden service that shows how much your ransom is and how to pay it.

How Does CryptoLocker Enter a Computer?

The ransomware can be contracted in five ways:

  1. By visiting a malicious website, or a legitimate one that has been compromised, where an exploit kit probes the browser, its plug-ins and the operating system for unpatched vulnerabilities and installs the malware without the user's knowledge;
  2. Via bundled freeware that was not examined before installation;
  3. Through a fake pop-up claiming that an update (Java or Flash Player, for example) is ready; do not click it;
  4. Through exposed RDP (Remote Desktop Protocol) services, which encryption malware can abuse; disable RDP if it is not in use;
  5. Most commonly via spam e-mails with attachments (the related CryptoWall family was spread in Australia through e-mails purporting to come from government departments and disguised as faxes, invoices, receipts and so on).

How to Remove CryptoLocker

Whilst it is possible to remove the ransomware if it can be detected, the difficulty is that some A/V and anti-malware programs are not capable of recognizing the infection because of the evasion tactics of the invader, or because they are not updated with information about the latest versions or variants.

Uninstalling CryptoLocker and its components will not decrypt your files. There is one thing in the victim's favour: encryption takes time to complete, so if the malware is detected and stopped early, much of the data can be saved. If you suspect an infection, disconnect from the internet and from all networks, wired and wireless, immediately: if the malware has not yet fetched its key from the control server it cannot start encrypting, and in any case it is prevented from reaching files on network shares. Stopping its process halts the encryption of further local files. It may be possible to retrieve some encrypted files from Volume Shadow Copies, either through the Previous Versions tab in Windows Explorer or with a program such as ShadowExplorer (see below). An up-to-date A/V program can prevent and deal with such ransomware effectively, but if you have to deal with it manually, here are two options for removing CryptoLocker (these are overviews).

Method 1.

  1. Disconnect/disable any wired or wireless network connections
  2. Reboot into Safe Mode with Networking
  3. Remove the program (its executable under the user profile folder and its start-up entry)
  4. Install a genuine anti-virus program, fully update it and perform a full system scan

Method 2.

  1. Disconnect/disable any wired or wireless network connections
  2. Reboot into Safe Mode with Command Prompt
  3. Restore system files and settings with System Restore (see Method 2 in the decryption section below)
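The triage that both methods describe can be scripted. The following PowerShell script is an added example and is not part of the original article or any tool it mentions: it looks for the two behaviours described above, an executable under the user profile that persists through a Run key and ransom notes left in already-encrypted folders, stops any process running from those locations so that no further files are encrypted, and then removes the persistence. It assumes an elevated PowerShell prompt on the already-disconnected machine, the note file name quoted in the article (variants use other names), and an arbitrary quarantine folder; the -WhatIf switches make it only report what it would change until you remove them.

```powershell
# Added example, not from the original article: triage a Windows host for the two
# behaviours described above (a user-profile executable persisted through a Run
# key, and ransom notes in encrypted folders), stop the process, remove persistence.
# Assumptions: elevated prompt, machine already disconnected from the network,
# note name as quoted in the article, quarantine folder chosen here. Remove the
# -WhatIf switches to act instead of reporting.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# User-writable locations that legitimate autostart entries rarely point into.
$SuspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
$NoteName     = 'DECRYPT_INSTRUCTIONS.txt'                 # assumption: varies by variant
$Quarantine   = Join-Path $env:SystemDrive 'quarantine'    # assumption: any clean folder

function Get-ExecutablePath([string]$Command) {
    # "C:\p\x.exe" /arg  ->  C:\p\x.exe      C:\p\x.exe /arg  ->  C:\p\x.exe
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-UnderSuspectRoot([string]$Path) {
    foreach ($Root in $SuspectRoots) {
        if ($Path.StartsWith($Root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Autostart entries whose target lives under the user profile.
$Suspect = foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Values = Get-ItemProperty -Path $Key
    foreach ($Prop in $Values.PSObject.Properties) {
        if ($Prop.Name -like 'PS*') { continue }          # provider metadata, not a Run value
        $Exe = Get-ExecutablePath ([string]$Prop.Value)
        if (Test-UnderSuspectRoot $Exe) {
            [pscustomobject]@{ Key = $Key; Name = $Prop.Name; Exe = $Exe; Command = $Prop.Value }
        }
    }
}
"Suspicious autostart entries:"; $Suspect | Format-Table -AutoSize

# 2. Processes running from those locations: stop them first, because encryption
#    continues for as long as the process is alive.
$Procs = Get-Process | Where-Object { $_.Path -and (Test-UnderSuspectRoot $_.Path) }
"Processes running from the user profile:"; $Procs | Select-Object Id, ProcessName, Path | Format-Table -AutoSize
$Procs | Stop-Process -Force -WhatIf

# 3. Ransom notes: their folders show which directories were already encrypted,
#    and the oldest note approximates when encryption began.
$Notes = Get-ChildItem -Path $env:USERPROFILE -Filter $NoteName -Recurse -Force -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime
"Folders containing a ransom note (oldest first):"
$Notes | Select-Object LastWriteTime, DirectoryName | Format-Table -AutoSize

# 4. Remove the persistence and quarantine the binary rather than deleting it:
#    the sample is evidence and is needed to identify the variant.
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
foreach ($S in $Suspect) {
    Remove-ItemProperty -Path $S.Key -Name $S.Name -WhatIf
    if (Test-Path $S.Exe) { Move-Item -Path $S.Exe -Destination $Quarantine -WhatIf }
}
```

Run it once with the -WhatIf switches in place, review the three tables, then remove the switches and run it again. The oldest ransom note timestamp is worth writing down: it is the cut-off you need when choosing a shadow copy or restore point later.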

How to Decrypt Cryptolocker Encrypted Files

Method 1: Restore your files encrypted by CryptoLocker using ShadowExplorer

Usually CryptoLocker deletes all the shadow copies stored on your computer, but it is not always able to, so your first attempt should be to restore the original files from shadow copies.

  1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select the C: drive in the left panel
  4. Choose a date from the date field that is before the infection started (before the ransom notes appeared); if unsure, go back at least a month
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file
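The same recovery can be done without ShadowExplorer, and checking first whether any shadow copies survived tells you immediately whether this method is worth pursuing. The following PowerShell script is an added example, not code from the article or from ShadowExplorer: it lists the shadow copies that remain for C:, picks the newest one taken before the first ransom note was written, mounts it as a directory and copies a folder out of it. It assumes an elevated prompt, the note name quoted in the article, the mount point C:\ShadowMount, and placeholder paths for the folder to recover and the destination.

```powershell
# Added example, not from the original article: enumerate surviving Volume Shadow
# Copies on C:, choose the newest one that predates the first ransom note, mount
# it and copy a folder out. Assumptions: elevated prompt; note name as quoted in
# the article; $Mount, $Relative and $Dest are placeholders.

$Letter   = 'C:'
$NoteName = 'DECRYPT_INSTRUCTIONS.txt'
$Mount    = 'C:\ShadowMount'
$Relative = 'Users\alice\Documents'       # placeholder: folder to recover, relative to the volume root
$Dest     = 'D:\Recovered\Documents'      # placeholder: should be a different, clean drive

# Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID are both \\?\Volume{GUID}\ strings.
$Volume  = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $Letter }
$Shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $Volume.DeviceID } |
    Sort-Object InstallDate -Descending

if (-not $Shadows) {
    Write-Warning "No shadow copies remain for $Letter (the ransomware deleted them); fall back to file recovery software."
    return
}
$Shadows | Select-Object InstallDate, ID, DeviceObject | Format-Table -AutoSize

# Prefer the newest snapshot taken before the first ransom note; otherwise the newest available.
$FirstNote = Get-ChildItem -Path $env:USERPROFILE -Filter $NoteName -Recurse -Force -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime | Select-Object -First 1
$Pick = if ($FirstNote) { $Shadows | Where-Object { $_.InstallDate -lt $FirstNote.LastWriteTime } | Select-Object -First 1 }
if (-not $Pick) { $Pick = $Shadows | Select-Object -First 1 }
"Using snapshot from $($Pick.InstallDate): $($Pick.DeviceObject)"

# Expose the snapshot as a directory. mklink requires the trailing backslash on the device path.
if (Test-Path $Mount) { cmd /c rmdir $Mount | Out-Null }
cmd /c mklink /d $Mount "$($Pick.DeviceObject)\" | Out-Null
try {
    $Source = Join-Path $Mount $Relative
    if (-not (Test-Path $Source)) { throw "$Relative does not exist in that snapshot" }
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    # Snapshot contents are read-only; copy, never move.
    Copy-Item -Path "$Source\*" -Destination $Dest -Recurse -Force
    "Restored $Relative to $Dest"
}
finally {
    cmd /c rmdir $Mount | Out-Null        # removes only the junction, not the snapshot
}
```

The first table is the equivalent of running `vssadmin list shadows`; if it is empty, skip straight to file recovery software. Copy recovered files to a different drive so that nothing is written to the volume you may still need to undelete from.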

Method 2: Restore your encrypted files by using System Restore

System Restore rolls back system files, installed programs and the registry, but it does not touch personal files such as documents and photos, so on its own it will not bring encrypted files back. It is still useful for undoing the malware's start-up entry and other system changes, and it only works if the restore points (which live in the same shadow-copy storage) survived.

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click "Next"
  3. Choose a restore point from before the infection, at least a month ago if unsure
  4. Click "Next"
  5. Choose Disk C: (should be selected by default)
  6. Click "Next". Wait a few minutes and the restore should be done.

Method 3: Restore your files encrypted by CryptoLocker ransomware using File Recovery Software

If none of the above methods works, you can try to recover the encrypted files with file recovery software. Because CryptoLocker first makes a copy of the original file, encrypts the copy and then deletes the original, the original's data may still be present on disk until it is overwritten, and undelete software can often bring it back. Stop using the drive (and ideally image it first) before running such tools, because every write reduces the chance of recovery. Here are a few free file recovery programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete

How to Protect Yourself From Being a Ransomware Victim?

DO back up your files regularly to a remote location or an external hard drive, and keep the drive disconnected when it is not in use so that the ransomware cannot reach it. DO install a trusted, current security suite with regular updates that is capable of detecting and removing CryptoLocker and malware like it. DO be careful when browsing; security software that rates sites as you browse can give you a heads-up. And DO choose the Advanced/Custom install option when installing software, so that bundled extras can be declined.

  • DON'T open attachments from unrecognized e-mails.
  • DON'T click on update pop-ups.
  • DON'T visit sites with dubious content.
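The backup advice above has a failure mode worth guarding against: a backup job that runs while the machine is infected will happily copy encrypted files over the last good copy, and a mirror-style job will also propagate the deletions. The following PowerShell script is an added example, not part of the original article: it writes a new dated folder on each run instead of mirroring, refuses to run if a ransom note is found under any source folder, and does nothing unless the external drive is actually connected. The drive label, source folders and note name are assumptions.

```powershell
# Added example, not from the original article: versioned backup to a removable
# drive that refuses to run when the source shows signs of encryption, so an
# infected machine cannot overwrite the last good copy. Assumptions: the drive is
# labelled BACKUP, the source folders below, and the note name quoted in the article.

$BackupLabel = 'BACKUP'
$Sources     = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures")
$NoteName    = 'DECRYPT_INSTRUCTIONS.txt'

# Only run when the external drive is plugged in; it should be unplugged the rest of the time.
$Drive = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.Label -eq $BackupLabel -and $_.DriveLetter }
if (-not $Drive) { Write-Warning "Backup drive '$BackupLabel' is not connected; nothing done."; return }

# Refuse to back up ciphertext: a ransom note under a source means it has already been encrypted.
foreach ($Src in $Sources) {
    $Note = Get-ChildItem -Path $Src -Filter $NoteName -Recurse -Force -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($Note) { Write-Error "Ransom note found at $($Note.FullName); aborting so the last good backup is kept."; return }
}

# A new folder per run rather than /MIR: mirroring would copy replaced (encrypted)
# files over the previous good copy and delete whatever the malware deleted.
$Dest = Join-Path $Drive.DriveLetter ("Backup-" + (Get-Date -Format 'yyyyMMdd-HHmm'))
foreach ($Src in $Sources) {
    $Target = Join-Path $Dest (Split-Path $Src -Leaf)
    robocopy $Src $Target /E /COPY:DAT /R:1 /W:1 /XJ /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { Write-Error "robocopy failed for $Src (exit code $LASTEXITCODE)" }
}
"Backup written to $Dest. Eject and disconnect the drive now."
```

Old dated folders can be pruned by hand once you have confirmed a newer one is intact; robocopy exit codes below 8 indicate success with or without files copied, so only 8 and above are treated as failures.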
Daniel Stoyanov
Daniel Stoyanov has a Master's degree in Computer Science from the Technical University of Sofia, Bulgaria. He is also a Microsoft Certified Professional. Daniel provides top cyber security news with in-depth coverage of malware, vulnerabilities, PC and network security, and online safety.
