This page is crafted to help CTB Locker affected users. One can restore all his encrypted files by following the guide below.
This is another ransomware trojan that targets Microsoft Windows transmitted most commonly via e-mail attachments and hacking networking (botnets) and is a variant of Critroni.A. It was first released in July, 2014 and it targets all versions of Windows. It is vital to prevent infection, and to delete CTB Locker immediately to prevent data loss and the other possible hacking risks it presents. Although in the media, CBT Locker is often associated with CryptoLocker and its variants, this ransomwear uses new encryption techniques (eliptical curve cryptology – hence ‘curve’) and anonymous communication with the victim and its control server using the TOR (The ‘Dark’ Web). It is believed by experts to be the creation of a new group of hackers. Though the effect of infection is the same – pay up or loose your data.
The basic concept of ransomware trojans is that they enter your system and encrypt your files. To decrypt this data is virtually impossible unless you have either an Enigma code-breaker – or the key. After the trojan has put down roots in your system, it communicates with its Command and Control server – via TOR – and receives a unique encryption to code your files. The key is kept on the server and only available after a ransom in Bitcoin has been paid. If the ransom is not paid within 96 hours or the key to your files will be deleted. CTB Locker differs from Critroni.A in that when encryption is complete, it will display a page that will decipher five of the files as you watch, then give you instructions on how to pay. When you exit this screen, the countdown begins. The destroying of the key after the period is a scare tactic – you will then be offered the chance to pay (a higher price) though will have to do this through their TOR website. Guard against CTB Locker and save yourself the theater.
How infection by CTB Locker occurs
Infection is caused in a number of ways, the most commonly reported is by spam e-mails with attachments. As used with some other ransomwear, these may appear to be from official sources such as a government Tax Office. Another widespread insertion method is bundling with legitimate freeware downloads. Fake pop-ups offering updates for programs such as Flash Player or Java also offer entry to infection if clicked on. Visiting dubious or illegal websites (even for research!) can give the hackers opportunity to use exploitation tools (these scan and target vulnerabilities in Windows as you browse) and you could be infected during your browsing without any warning. A less common though credible threat comes from access via RDP (Remote Desktop Protocol) – this should be disabled if not used and adequately protected. Preventing CTB Locker from entering your system is basic good practice. Uninstalling CTB Locker is a task.
What I can do if infected by CTB Locker?
If you find the malware on your system the the more you use it the further the encryption process proceeds. Immediately disconnect from networks and the internet. Then follow the instructions below for removing CTB Locker. If it is detected before encryption is completed, some data may be saved. After removal, it is worth checking to see if it’s possible to restore data from back-up files (regular back-ups should be carried out for such eventualities). There are recovery programs that can be tried, like R-Studio and Photorec. There is also a chance of recovering data in Shadow Volume files using a program like Shadow Explorer – the malware attempts to delete shadow files, though often fails to do so.
How to Decrypt CTB Locker Encrypted Files
Method 1: Restore your files encrypted by CTB Locker using ShadowExplorer
Usually, CTB Locker deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose at least a month ago date from the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
Method 2: Restore your CTB Locker encrypted files by using System Restore
- Go to Start –> All programs –> Accessories –> System tools –> System restore
- Click “Next“
- Choose a restore point, at least a month ago
- Click “Next“
- Choose Disk C: (should be selected by default)
- Click “Next“. Wait for a few minutes and the restore should be done.
Method 3: Restore your files encrypted by CTB Locker ransomware using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since CTB Locker first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:
Prevention against CTB Locker
- Install an advanced anti-virus/anti-malware program with the most regular updates;
- Practice safe browsing and use Advance/Custom download options;
- Avoid opening suspicious files/e-mails/pop-ups;
- Secure or disable RDP;
- Secure networks for access only to Authenticated Users;
- It is possible to to create Software Restriction Policies that block executable files from running when they are located in specific paths – this is an advanced step and reference should made to the Microsoft website for details.
The CBT Locker program also differs from others in that it has been discovered as part of a malicious bundle offered for sale on the internet (for $3 000 U.S ) complete with ‘customer service’ for help with running. For this reason, there are sure to be variants appearing very soon and cutting-edge system security is becoming even more vital. Remember – prevention is easier than cure, or having to remove CTB Locker and loosing data/cash and time. Tighten-up your security now!