This page is intended to help Crypt0L0cker victims decrypt Crypt0L0cker files. The instructions also include a section on how to remove the Crypt0L0cker virus.
The ransomware Crypt0L0cker (also known as Cryptolocker2, though it is thought to be a variant of TorrentLocker) is a trojan that infects a system and then encrypts its files (so it is sometimes described as cryptoware). It then demands that a ransom be paid in return for the decryption key, which is why it is so important to eliminate Crypt0L0cker if it gets in. First it enters the user’s system in one of several ways (see below), then connects to a command-and-control server (which has been traced to a Russian server). After obtaining a unique, unbreakable one-time key from its controller, it encrypts all files on the system, making them useless without the key, which is stored only on the command-and-control server. That server is backed by a network of supporting machines all over Europe. The victim is given a certain amount of time to pay (via a TOR ‘Dark Web’ page) for the key to retrieve the files. Launched in 2014, it has so far been seen to target machines only in Europe, Asia and Australia, and has a geographic restriction that stops its installation on U.S. machines. If encountered, delete Crypt0L0cker straight away.
How Crypt0L0cker can enter a system
Like many other generic ransom-trojans, this one is delivered in several ways; the most commonly reported is spam e-mail with attachments, purportedly from government institutions or organizations. In Denmark, where there have been many infections, a successful post-office scam was used: the user receives an e-mail apparently from a local post office about a parcel that could not be delivered, and is told that by clicking the link provided they can arrange a delivery time. Clicking the link redirects to a website where a trojan is dropped into the system, able either to initiate Crypt0L0cker or to sit and relay information about files back to the hacker. Other methods are: widespread insertion by bundling with legitimate freeware downloads; fake pop-ups for updates of programs such as Flash Player, Java or Adobe Reader; and visits to questionable or illegal websites that give the hackers the opportunity to use exploit kits (these scan for and target vulnerabilities in your Windows system while you browse, and will infect during the visit without any warning). A less common though credible threat comes from access via RDP (Remote Desktop Protocol); this should be disabled if not used, and adequately protected if it is. Preventing Crypt0L0cker from entering your system is a matter of good operating practice; uninstalling Crypt0L0cker is an ordeal.
What to do if infected with Crypt0L0cker
If you detect, or suspect, that Crypt0L0cker is in your system, first disconnect completely from the internet and from any shared network connections. Then back up all personal files to an external drive or USB flash drive. Detecting Crypt0L0cker without good, real-time security software is difficult, though there are some visible clues: your system will run slower because the malware is operating in the background. From time to time, processes and the screen will freeze for a moment. There will be an increase in pop-ups and unsolicited adverts as the program spreads. Catching the infection early enough, before the virus ‘calls home’ and before encryption is complete, can save you from data loss; for this you really need an early warning system that is also capable of cleaning up the system if it does become infected. Manually removing Crypt0L0cker is possible in Safe Mode with Networking (see below), though recovery of data is not so easy. After removal, check whether you can restore any lost data using the Windows backup options. Recovery programs like R-Studio and PhotoRec can automatically search for copies of lost files. The other option is to use software like ShadowExplorer to recover shadow volume files that may have survived the attack. Remember that each time you start up the system, the virus will activate and progress, so a decision should be made and acted on promptly.
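The paragraph above asks for an early warning that fires before encryption has run across the whole disk. One cheap way to get that is a canary folder: a few decoy documents that the user never touches, watched for any change. The script below is an added example written for this page, not code from the original article or from any product it names; the folder location, decoy names, log path and the automatic network cut-off are all assumptions to adapt.

```powershell
# Added example (not from the original page): a minimal canary-folder monitor.
# Ransomware that walks the user's documents will hit the decoys, which then
# raises an alert and, optionally, pulls the machine off the network (the
# first response step recommended above). Paths and names are assumptions.
$canaryDir = Join-Path $env:USERPROFILE 'Documents\_canary'      # assumed location
$alertLog  = Join-Path $env:USERPROFILE 'canary-alerts.log'      # assumed log path
$isolate   = $false   # set to $true to disable network adapters on alert (needs an elevated session)

if (-not (Test-Path $canaryDir)) { New-Item -ItemType Directory -Path $canaryDir | Out-Null }

# Plant decoys with common document extensions; contents are arbitrary.
foreach ($name in 'budget.xlsx', 'letter.docx', 'photo.jpg') {
    $path = Join-Path $canaryDir $name
    if (-not (Test-Path $path)) { Set-Content -Path $path -Value ('canary ' + (Get-Date)) }
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $canaryDir
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
$watcher.EnableRaisingEvents = $true

# Runs on every Changed/Renamed/Deleted event in the canary folder.
$action = {
    $e   = $Event.SourceEventArgs
    $msg = '{0} CANARY {1}: {2}' -f (Get-Date -Format s), $e.ChangeType, $e.FullPath
    Write-Warning $msg
    Add-Content -Path $Event.MessageData.Log -Value $msg
    if ($Event.MessageData.Isolate) {
        # Cut the network so the malware cannot reach its command-and-control
        # server or spread to shared drives.
        Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
    }
}

$data = [pscustomobject]@{ Log = $alertLog; Isolate = $isolate }
foreach ($evt in 'Changed', 'Renamed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt `
        -SourceIdentifier "Canary$evt" -MessageData $data -Action $action | Out-Null
}

Write-Host "Watching $canaryDir (Ctrl+C to stop)"
while ($true) { Wait-Event -Timeout 5 | Out-Null }
```

The watcher only sees the decoy folder, so ordinary work in Documents does not trigger it; a hit on a file nobody edits is a strong signal. Keep the folder name unremarkable so it sorts among real folders, and test the alert once by editing a decoy yourself before relying on it.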
How to Decrypt Crypt0L0cker Files
Method 1: Restore your encrypted files by using System Restore
- Go to Start –> All programs –> Accessories –> System tools –> System restore
- Click “Next”
- Choose a restore point, at least a month ago
- Click “Next”
- Choose Disk C: (should be selected by default)
- Click “Next”. Wait a few minutes and the restore should be done.
Method 2: Restore your files encrypted by Crypt0L0cker using ShadowExplorer
Usually, Crypt0L0cker deletes all the shadow copies stored on your computer. Luckily, the ransomware is not always able to delete them, so your first attempt should be to restore the original files from shadow copies.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose a date at least a month ago from the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
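ShadowExplorer is a convenient front end, but the same check can be done from the command line, which also tells you straight away whether the ransomware managed to wipe the copies. The script below is an added example for this page, not code from the article or from ShadowExplorer: it lists surviving shadow copies, then exposes the newest one as a read-only directory through a directory symbolic link so files can be copied out with ordinary tools. The mount path is an assumption; run it from an elevated PowerShell.

```powershell
# Added example (not from the original page): list surviving Volume Shadow
# Copies and expose the newest one as a browsable directory.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
           Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Warning 'No shadow copies found; the ransomware probably deleted them. Try file recovery software instead.'
    return
}

# Map each copy back to the drive letter it was taken from.
$volumes = Get-CimInstance -ClassName Win32_Volume
$shadows | ForEach-Object {
    $vol = $volumes | Where-Object DeviceID -eq $_.VolumeName
    [pscustomobject]@{
        Created = $_.InstallDate
        Drive   = $vol.DriveLetter
        Device  = $_.DeviceObject      # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    }
} | Format-Table -AutoSize

# Expose the newest copy. mklink needs the trailing backslash on the device
# path; the link directory must not already exist.
$newest = @($shadows)[0]
$mount  = 'C:\shadow_restore'          # assumed mount point
if (Test-Path $mount) { throw "$mount already exists; choose another mount point" }
cmd /c mklink /d $mount ($newest.DeviceObject + '\') | Out-Null
Write-Host "Shadow copy from $($newest.InstallDate) is browsable at $mount"

# Copy originals out, e.g.:
#   Copy-Item "$mount\Users\<name>\Documents\report.docx" "$env:USERPROFILE\Desktop\"
# When finished, remove only the link (the shadow copy itself is untouched):
#   cmd /c rmdir $mount
```

Pick the copy by date the same way the ShadowExplorer steps do: anything created after the infection will already contain encrypted files, so prefer the newest copy that predates the first ransom note. Copy files out rather than working inside the link; shadow copies are read-only snapshots and will disappear if Windows later reclaims the space.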
Method 3: Restore your files encrypted by Crypt0L0cker ransomware using File Recovery Software
If none of the above methods work, you should try to recover encrypted files using file recovery software. Since Crypt0L0cker first makes a copy of the original file, then encrypts the copy and deletes the original, you can often restore the original with file recovery software. Here are a few free file recovery programs:
How to prevent Crypt0L0cker
- Install an efficient, advanced anti-virus/anti-malware program with the most regular updates;
- Practice safe browsing: adjust the security settings of your particular browser to the highest level, so that it warns about harmful site content;
- Always use the Advanced/Custom download options and, where possible, go to the official company sites for freeware;
- Avoid opening suspicious files, e-mails and pop-ups;
- Secure or disable RDP;
- Secure networks so that only authenticated users have access;
- Look into Windows Software Restriction Policies, which block executable files from running when they are located in specific paths; check the Microsoft website for details.
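Two of the items above, securing RDP and using Software Restriction Policies, can be checked and applied from PowerShell. The script below is an added example for this page, not code from the article or from Microsoft: `Get-RdpExposure` reads the Remote Desktop settings and firewall rules, `Get-SrpState` reports the current SRP configuration, and `Add-SrpDisallowedPath` writes a "Disallowed" path rule. The SRP functions use the documented `Safer\CodeIdentifiers` registry layout that the Group Policy editor writes; treat that layout and the example rule paths as assumptions to verify against Microsoft's documentation before using them on production machines. Run in an elevated PowerShell.

```powershell
# Added example (not from the original page): audit RDP exposure and
# Software Restriction Policies, and add an SRP path rule if wanted.

function Get-RdpExposure {
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp  = "$ts\WinStations\RDP-Tcp"
    # fDenyTSConnections = 1 means Remote Desktop is off.
    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $fw   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    [pscustomobject]@{
        RdpEnabled      = ($deny -eq 0)
        NlaRequired     = ($nla -eq 1)
        FirewallInbound = [bool]$fw
        Recommendation  = if ($deny -ne 0) { 'RDP disabled: OK' }
                          elseif ($nla -ne 1) { 'RDP on without NLA: require NLA or disable RDP' }
                          else { 'RDP on with NLA: restrict source addresses in the firewall rule' }
    }
}

$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpState {
    if (-not (Test-Path $srp)) { return 'SRP not configured (policy key absent)' }
    $p = Get-ItemProperty -Path $srp
    $level = switch ($p.DefaultLevel) {
        0       { 'Disallowed' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted' }
        default { 'unknown' }
    }
    # Security level 0 holds the "Disallowed" rules; each rule is a GUID subkey.
    $rules = Get-ChildItem -Path "$srp\0\Paths" -ErrorAction SilentlyContinue |
             ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
    [pscustomobject]@{
        DefaultLevel    = $level
        Enforced        = ($p.TransparentEnabled -ge 1)
        DisallowedPaths = @($rules)
    }
}

function Add-SrpDisallowedPath {
    param([Parameter(Mandatory)][string]$Path)
    $key = "$srp\0\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0     | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord `
        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    # Switch enforcement on; existing default level (if any) is left alone.
    Set-ItemProperty -Path $srp -Name TransparentEnabled -Value 1 -Type DWord
    $Path
}

Get-RdpExposure | Format-List
Get-SrpState    | Format-List

# Example rules for the user-writable folders that mailed attachments and
# drive-by droppers typically execute from. Uncomment to apply, then run
# "gpupdate /force" or reboot for the policy to take effect:
#   Add-SrpDisallowedPath '%AppData%\*.exe'
#   Add-SrpDisallowedPath '%LocalAppData%\Temp\*.exe'
```

Test a new path rule on one machine first: legitimate installers and updaters also launch from these folders, and a rule that is too broad is the usual reason SRP gets switched off again. On editions that ship AppLocker, the same idea is better expressed there, as it is the supported successor to SRP.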
Prevention is better than cure, as the saying goes. Guard against such threats by adding extra layers of security to your system and using good operating methods. And always back up files and folders, either in the cloud or on an external drive. Do not let Crypt0L0cker lock you out of your files!