A countdown timer on a dreadful screen saying “Your personal files are encrypted by CTB-Locker” marks the deadline beyond which, the attackers claim, the user’s personal files become irrecoverable. Behind this thriller-like scene is a straightforward attack on a victim’s data: documents, videos and images are encrypted, and the ransomware extorts a Bitcoin payment for their return.
The ransomware business and the evolution of malware are closely intertwined. In the past, even the most aggressive breeds, such as rogue antispyware, limited themselves to intimidation; once removed, they could no longer affect the target PC. With the emergence of ransom trojans, things have gotten much worse. Programs like CTB Locker surreptitiously encrypt the data stored on the victim’s disks and direct the person to a decryption site to pay and obtain the private key needed to decode the files. Removing the malicious program itself does nothing to restore the locked files.
CTB Locker applies elliptic curve cryptography (ECC) to every user file whose format is on its target list. To decide whether a given file qualifies, the trojan scans all drive letters, including mapped network drives and removable media, and compares each file it finds against a hard-coded list of extensions; matching files are then encrypted. A randomly named malware process is added to the Windows startup routine, so the warning screen pops up at every logon. The virus also creates a file named DecryptAllFiles.txt in the Documents directory; it holds the instructions for the case where the ransom is not paid within the 96-hour deadline and the program has removed itself.
The links on the CTB Locker screen point to an online service reachable through a Tor gateway. Every infected PC is assigned a unique Bitcoin address for the ransom payment of 0.2 BTC. Test recovery of up to five files is offered for free, obviously intended to reassure the victim that the scheme works.
Getting rid of the CTB Locker program itself is not a problem, but restoring the personal data remains on the user’s agenda. Depending on the circumstances of the compromise, the methods below can help get some files back without paying the criminals.
Use automatic solution to remove CTB Locker
The issue of CTB Locker compromising a PC can be effectively resolved if you use trusted security software. Along with the obvious ease of such removal, other benefits include thoroughness of virus detection and elimination from all system locations it might have affected. Be advised, however, that removing the ransomware and recovering the hijacked files are two different things. So please follow these steps just for a start:
1. Download and install CTB Locker removal tool. Run the application and select Start Computer Scan option in order to have your computer checked for adware, viruses, Trojans, and other malicious objects.
2. When the scan is complete, it will return a list with results on what infections have been found. Go ahead and click Fix Threats to completely get rid of the detected items. The virus should now be gone from your PC.
Recover files encrypted by CTB Locker
The bitter truth about this ransomware is that no tool can automatically decrypt your personal files, except perhaps the service run by the very people who spread the infection and hold the matching private key. The asymmetric algorithms involved cannot realistically be cracked or brute-forced, so users can only turn to the workarounds below.
1. File recovery software
Some ransom trojans copy their victims’ files, encrypt the copies and delete the originals. In that case, file recovery utilities like Data Recovery Pro may restore the deleted originals, provided the disk space they occupied has not been overwritten since, so use the affected drive as little as possible until the scan is done. Download and install the program, launch it and select the scan option (Quick, Full, or Guided). Click the Start Scan button, wait for the results and see what can be recovered.
2. Shadow Explorer
This method restores the so-called “Shadow Copies” of locked files with an app called Shadow Explorer. The routine can be performed manually, but the app automates it all the way. Download and install Shadow Explorer, run it, select the drive letter and a date from before the infection, and proceed to recovery: pick the folder or file of interest, right-click it, select Export and follow the prompts. Note that this only works if System Restore (System Protection) was enabled on the PC and shadow copies still exist; run vssadmin list shadows in an elevated command prompt to check, and if it lists none there is nothing for Shadow Explorer to recover.
3. Previous Versions feature
The automatic option above has a manual counterpart that needs nothing beyond Windows itself. As long as System Restore has been active on the machine, right-click a file, select Properties, open the Previous Versions tab and click Copy or Restore, depending on where the file should be placed. This is slow because the steps must be repeated for every file, so Shadow Explorer is a much more convenient choice.
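As an added example (not code from the original article or from Shadow Explorer), the following PowerShell script does by hand what the Shadow Explorer and Previous Versions methods above do: it lists the shadow copies Windows still holds for a volume, picks the newest snapshot taken before the files were encrypted, and copies a file out of it through the snapshot’s device path. The volume, file path, destination and attack date ($Volume, $Relative, $Dest, $Before) are assumptions for illustration; run it from an elevated prompt.

```powershell
# Added example, not code from the original article. The manual counterpart of
# Shadow Explorer: list the shadow copies Windows still holds for a volume,
# pick the newest one taken before the files were encrypted, and copy a file
# out of it through the snapshot's device path. Run from an elevated prompt.
# $Volume, $Relative, $Dest and $Before are assumptions for illustration.

$Volume   = 'C:\'
$Relative = 'Users\Alice\Documents\report.docx'   # path inside the volume (assumed)
$Dest     = 'D:\restored\report.docx'             # destination on a clean drive (assumed)
$Before   = Get-Date '2015-01-20'                 # when the ransom screen first appeared (assumed)

# Snapshots of one volume, newest first. An empty result means no shadow copies
# survive, and neither this method nor Shadow Explorer can recover anything.
function Get-VolumeShadowCopies([string]$VolumePath) {
  $letter = $VolumePath.TrimEnd('\')
  $vol = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $letter }
  Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate -Descending
}

# Expose a snapshot as a directory link (the device path needs its trailing
# backslash), copy the file out, then remove the link itself, never its target.
function Restore-FromShadowCopy($Shadow, [string]$RelativePath, [string]$Destination) {
  $link = Join-Path $env:TEMP ('shadow_' + [guid]::NewGuid().ToString('N'))
  cmd /c mklink /d "$link" "$($Shadow.DeviceObject)\" | Out-Null
  try {
    $src = Join-Path $link $RelativePath
    if (-not (Test-Path -LiteralPath $src)) {
      throw "Not present in snapshot of $($Shadow.InstallDate): $RelativePath"
    }
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Destination) | Out-Null
    Copy-Item -LiteralPath $src -Destination $Destination
    Get-Item -LiteralPath $Destination
  } finally {
    cmd /c rmdir "$link" | Out-Null
  }
}

$copies = @(Get-VolumeShadowCopies $Volume)
$copies | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Snapshots taken after the infection already contain the encrypted versions,
# so only those older than the attack are candidates.
$candidate = $copies | Where-Object { $_.InstallDate -lt $Before } | Select-Object -First 1
if ($null -eq $candidate) {
  Write-Warning "No shadow copy of $Volume predates $Before; nothing to restore from."
} else {
  Restore-FromShadowCopy -Shadow $candidate -RelativePath $Relative -Destination $Dest
}
```

The date filter is the point worth copying into any manual procedure: a snapshot created after the encryption ran holds the encrypted file, not the original, so pick the newest snapshot that still predates the attack. Restoring to a different drive keeps the recovered copy away from anything the ransomware may still touch.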
4. Backups
This option is self-explanatory. If you have been backing up your data to external media or cloud storage, the damage from a CTB Locker attack will be minimal. Note that it is a must to completely eradicate the ransomware before copying your intact files back from the safe storage; otherwise the restored files may be encrypted again.
Make sure CTB Locker virus has vanished
When it comes to persistent threats, double-checking never hurts. It is therefore highly recommended to finish the remediation with a final scan that once more looks for any remaining bits and pieces of the infection, in particular the startup entry and the ransom note described above.
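As an added example (not code from the original article or from any vendor tool), the following PowerShell script complements the final scan recommended above by checking for the specific artefacts described earlier: a randomly named startup entry that re-launches the warning screen at logon, the DecryptAllFiles.txt note, and data files that are still encrypted, which it detects by selecting files by extension, the same way the trojan picks its targets, and checking whether each still starts with its format’s signature. The startup locations, the signature table and the “launched from a user-writable folder” heuristic are assumptions for illustration, not CTB Locker specifics; run it from an elevated prompt after the removal tool has finished.

```powershell
# Added example, not code from the original article. Post-removal triage for
# the artefacts the text describes: a startup entry that re-launches the
# warning screen at logon, the DecryptAllFiles.txt note, and data files that
# are still encrypted. Run from an elevated PowerShell prompt. The signature
# table, the startup locations checked and the "launched from a user-writable
# folder" heuristic are assumptions for illustration, not CTB Locker specifics.

$RansomNote = 'DecryptAllFiles.txt'

# Registry Run keys and Startup folders that Windows executes at every logon.
$RunKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDirs = @(
  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
$PsMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Leading bytes of common document formats (assumed sample table). Once a file
# has been encrypted it no longer starts with its format's signature.
$Magic = @{
  '.pdf'  = [byte[]](0x25, 0x50, 0x44, 0x46)   # "%PDF"
  '.docx' = [byte[]](0x50, 0x4B, 0x03, 0x04)   # ZIP container
  '.xlsx' = [byte[]](0x50, 0x4B, 0x03, 0x04)
  '.doc'  = [byte[]](0xD0, 0xCF, 0x11, 0xE0)   # OLE compound file
  '.xls'  = [byte[]](0xD0, 0xCF, 0x11, 0xE0)
  '.jpg'  = [byte[]](0xFF, 0xD8, 0xFF)
  '.png'  = [byte[]](0x89, 0x50, 0x4E, 0x47)
}

function Get-StartupEntries {
  foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
      if ($PsMeta -contains $p.Name) { continue }   # provider metadata, not a Run value
      [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
    }
  }
  foreach ($dir in $StartupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | ForEach-Object {
      [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
    }
  }
}

# Heuristic: a logon entry launched from a user-writable drop folder deserves a
# manual look; a randomly named value pointing there is typical of malware.
function Select-SuspiciousStartup {
  Get-StartupEntries | Where-Object {
    $_.Command -match '\\(AppData|Temp|ProgramData|Users\\Public)\\'
  }
}

# The note is dropped in Documents, but search every drive letter, since the
# trojan also works through mapped and removable drives.
function Find-RansomNotes {
  Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Filter $RansomNote -Recurse -File -Force -ErrorAction SilentlyContinue
  }
}

function Test-HeaderIntact([string]$Path, [byte[]]$Expected) {
  $fs = [System.IO.File]::OpenRead($Path)
  try {
    $buf = New-Object byte[] ($Expected.Length)
    $n = $fs.Read($buf, 0, $buf.Length)
  } finally { $fs.Dispose() }
  if ($n -lt $Expected.Length) { return $false }
  for ($i = 0; $i -lt $Expected.Length; $i++) {
    if ($buf[$i] -ne $Expected[$i]) { return $false }
  }
  return $true
}

# Select files by extension, the way the trojan picks its targets, and report
# those whose signature is gone, i.e. files that are still encrypted.
function Find-DamagedFiles([string]$Root) {
  Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Magic.ContainsKey($_.Extension.ToLower()) } |
    Where-Object { -not (Test-HeaderIntact -Path $_.FullName -Expected $Magic[$_.Extension.ToLower()]) }
}

Select-SuspiciousStartup | Format-Table -AutoSize
Find-RansomNotes | Select-Object FullName, LastWriteTime
Find-DamagedFiles -Root $env:USERPROFILE | Select-Object FullName, Length
```

A clean machine should produce an empty startup list, no copies of the note and an empty damaged-file list. The signature check is deliberately conservative: it only reports files of formats in the table, so extend $Magic with the formats you care about, and treat a hit as “still encrypted or otherwise corrupt” rather than proof of a specific strain.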