How to Remove CryptoLuck Ransomware

I wrote this article to help you remove CryptoLuck Ransomware. This CryptoLuck Ransomware removal guide works for all Windows versions.

CryptoLuck ransomware is believed to be a revival of a defunct encryption virus called CryptoLocker. The win-locker encrypts most files, stored on the hard drive, and demands a certain payment to have them decrypted. The rogue program targets different file types, including documents, videos, audios, databases, archives, compressed folders, images and system components. You will be unable to access your rightfully owned data.

CryptoLuck ransomware utilizes a combination of AES-256 and RSA-2048 algorithms to conduct the encryption. Upon completing the process, CryptoLuck ransomware drops a ransom note on the user’s desktop. The file is titled @WARNING_FILES_ARE_ENCRYPTED.[ID number].txt. It is opened on system launch. A copy of the note is dropped in every folder which contains encrypted data. The ID is included in the custom extension CryptoLuck ransomware appends to the names of the infected files. The suffix is created using the formula .[ID number]_luck.

The developers of CryptoLuck ransomware have created a special Decryptor Wizard which is used to restore the encrypted data. The tool requires a code to be executed. The ransom the hackers demand is for the code. The amount users have to pay is 2.1 bitcoins. This converts to $1530.14 USD, according to the current exchange rate. The payment has to be made within 72 hours. This is how long the cyber criminals store the key on their command and control (C&C) server. The key is deleted automatically per schedule. The win-locker shows a countdown clock which measures how much time victims have left to complete the transaction. The bitcoin cryptocurrency is selected as the means of payment for a reason. This method allows the cyber thieves behind CryptoLuck ransomware to protect their identity. Transactions, conducted through bitcoin platforms, cannot be traced.

Remove CryptoLuck Ransomware
The CryptoLuck Ransomware

For further questions and elaborations, victims can contact the proprietors of CryptoLuck ransomware per email. Their address is yafunn@yahoo.com. There is no point in writing to the hackers. They will only repeat the statement from the ransom note and try to convince you that paying them is the only solution to your problem. Our advice is not to pay the ransom. This would be a risky move. Since the people behind CryptoLuck ransomware are criminals, there is no guarantee that they would complete their end of the deal. Even if they do, they could leave data on your system and install the win-locker again at a later point.

CryptoLuck ransomware deploys a couple of dark patterns to get distributed. The first method is spam emails. When using this technique, the win-locker is passed on through a mediator. The email contains the RIG-E (Empire) exploit kit. When transmitted to the computer, the EK prompts the download and install of the virus. The bogus message will be presented as a legitimate notification from an existing company or entity. The sender can misrepresent the national post, an e-commence platform, a courier firm, a social network, a financial institution, a government branch or the police department. Opening the attachment is all it takes to have the malicious software transferred to your system. We advise you to proof the reliability of your in-box messages. Check the sender’s contacts.

The other propagation vector for CryptoLuck ransomware are fake updates. The sinister program gets transferred from a .rar archive. The host archive is in .sfx format. It contains three files, called crp.cfg, GoogleUpdate.exe and goopdate.dll. There are instructions inside, explaining that the contents would be extracted into the folder %AppData%\76ff. The process GoogleUpdate.exe would be executed on the background. A lot of malware programs use bogus updates to gain entry into computers. You need to make sure an update is genuine before accepting it. To proof a system request, consult your Update Center. It contains all operational notifications. To check if a custom program has an update available, launch it. The application should display the same message within seconds.

CryptoLuck Ransomware Uninstall

Method 1: Restore your encrypted files using ShadowExplorer
Usually, CryptoLuck Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panelshadowexplorer
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Nextsystem restore
  3. Choose a restore point, at least a month ago
  4. Click “Next
  5. Choose Disk C: (should be selected by default)
  6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since CryptoLuck Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.