Learn up-to-date facts about the immensely aggressive CTB Locker ransomware virus and use step-by-step instructions to restore the personal files it encrypted.
A hardened criminal taking someone hostage is a real-world terror scenario; the program called CTB Locker is its cyber counterpart. This malicious software was developed to extort money from people in exchange for the private files it has encrypted. This kind of black-hat crime has gone commercial: the kit is now sold online for several thousand dollars on hacking forums and similar shady corners of the web. In other words, practically anyone with the right sum of money and some distribution resources can get this ransomware up and running for their own benefit. The underlying principles and patterns are not new, since similar viruses (CryptoLocker and CryptoWall) already existed, but according to investigative research CTB Locker turns out to be far more powerful and technically sophisticated, and it was most likely designed by a different cyber gang.
The fraudsters behind it use exploit kits to deliver the payload to computers, so the infection is most of the time due to vulnerabilities in outdated software. Because this process is nearly imperceptible, the ransomware gains a head start before it gets noticed. That window is used to scan all drives on the computer for the most common file types and encrypt them with elliptic curve cryptography, a very strong algorithm that makes attempts to crack the encryption virtually futile. The encrypted copies of the personal data get new extensions, and the original files are erased. The malware then displays a message titled “Your personal files are encrypted by CTB-Locker”, which replaces the victim’s original wallpaper.
According to the alert, the user’s documents, images and other potentially important files have been encrypted, with the decryption key being unique for this PC. The message goes on to say:
“Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.”
In other words, CTB Locker wants you to pay a sum equal to 0.2 Bitcoin (around 50 USD) before the decryption can commence. The amount may vary, though. If the ransom isn’t paid within 96 hours, the data will be irreversibly lost because the private key will no longer be available.
To convince the user that the data isn’t gone, the ransomware offers to restore up to 5 randomly chosen files. Also, the program has a built-in currency exchange service where you can buy Bitcoins if you have none. An interesting trait of CTB Locker is that it communicates with its C&C server through Tor, which makes the connections anonymous. That’s apparently how the bad guys try to stay out of reach of law enforcement. So the victim needs to install the Tor Browser Bundle before the payment transaction can even commence.
The bad part of this whole story is that you cannot be sure you’ll get your files back intact, unless of course you pay the ransom. For the time being there is no tool that can break crypto this strong. The good news is that there are workarounds that can help you recover the deleted original files or the latest saved versions of your files. So do not hurry to submit the ransom. Be sure to try the methods described below first.
CTB Locker virus automatic removal
Oddly enough, the CTB Locker program itself is not too persistent as far as removal is concerned. Reliable security software does the cleanup job, but be advised that this is in no way related to restoring the encrypted data, which is addressed in the next part of this article. So, before you proceed with file restoration, it’s recommended to get rid of the ransomware itself so that it won’t cause you further trouble.
- Download and install the featured security tool and launch an in-depth malware scan by clicking the Start Computer Scan button.
- When the software returns a list of malicious and potentially unsafe items found on the PC, select Fix Threats in order to have the CTB Locker infection uninstalled from your machine. An additional virtue of this process is the elimination of other threats that may be active in the background.
Ways to retrieve personal files encrypted by CTB Locker
Method 1: Backups
Even though the share of users who regularly back up their data to the cloud or external storage is negligible, those who do are immune to the data loss caused by attacks like this. So, if you are lucky enough to be one of them, use your backups to recover your personal information. Before doing so, make sure CTB Locker has been removed from the system (see the section above).
Method 2: Data recovery software
According to recent research, this ransomware encrypts copies of the files it detects on a computer, while the original documents, photos etc. get erased. This is where file recovery tools can help, as they are designed specifically to find and restore objects that were previously deleted from a PC. Even though CTB Locker deletes the original files with a number of overwrite passes, utilities like ParetoLogic Data Recovery Pro might still address this problem.
Method 3: Shadow Volume Copies
Microsoft Windows ships with a feature called Shadow Volume Copies, which automatically makes and stores point-in-time copies of the files on the computer. Be advised that this only applies when the System Restore feature is turned on; luckily, that’s not a rare scenario. While the newest build of CTB Locker has built-in countermeasures against recovering Shadow Volume Copies in the regular way, it’s still strongly advised to give this method a try. It can be done manually or with the aid of a dedicated automatic tool.
- Recover previous versions of files
Previous versions are copies of files and folders that the operating system saves automatically when a restore point is created. Hopefully the changes to your most critical files were made before the latest system restore point; in that case the information in them will be accurate for your needs. So do not fail to try this workaround. Right-click on a file or folder of interest, select Properties and open the Previous Versions tab. Then click Restore if you want the file recovered to its previous location, or hit Copy to restore it to a new place.
- Use the Shadow Explorer utility
Restoring files and folders can also be done automatically. For this purpose, tools like Shadow Explorer can be used: it provides all the necessary controls and options for restoring Shadow Volume Copies within one interface. Just right-click on the file or folder whose copies are to be restored, select Export, and follow the prompts.
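The manual and Shadow Explorer steps above can also be scripted. The following PowerShell script is an added example, not part of the original article or of any tool it names: it lists the shadow copies of the victim file’s volume, picks the newest snapshot taken before an assumed infection date, and copies the pre-infection version of the file out of it. The file path, output path, cutoff date and mount directory are placeholders chosen for illustration; run it from an elevated prompt.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
# All paths and the cutoff date below are hypothetical values chosen for illustration.
$Victim   = 'C:\Users\Alice\Documents\report.docx'  # file whose original was erased
$Restored = 'C:\Recovered\report.docx'              # where to put the recovered copy
$Cutoff   = Get-Date '2015-02-01'                   # assumed date the ransom note appeared
$Mount    = 'C:\shadow_mount'                       # temporary link into the snapshot

# Map the drive letter to the volume GUID path that Win32_ShadowCopy uses in VolumeName.
$driveLetter = $Victim.Substring(0, 2)              # 'C:'
$volumeId = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $driveLetter).DeviceID

# Enumerate snapshots of that volume, newest first. Get-CimInstance returns InstallDate
# as a DateTime, so it can be compared directly with $Cutoff.
$snapshots = Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $volumeId |
    Sort-Object InstallDate -Descending

if (-not $snapshots) {
    Write-Warning 'No shadow copies on this volume: System Restore is off or the copies were wiped.'
    return
}
# Show the operator what exists so the choice of snapshot can be sanity-checked.
$snapshots | Select-Object InstallDate, DeviceObject | Format-Table -AutoSize

# Prefer the newest snapshot that predates the infection; later ones may already hold
# the encrypted copies and lack the originals.
$candidate = $snapshots | Where-Object { $_.InstallDate -lt $Cutoff } | Select-Object -First 1
if (-not $candidate) {
    Write-Warning 'Every snapshot post-dates the infection; inspect them before trusting their contents.'
    return
}

# Expose the snapshot through a directory symbolic link. DeviceObject looks like
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN and needs a trailing backslash.
cmd /c mklink /d $Mount ($candidate.DeviceObject + '\') | Out-Null
try {
    $inSnapshot = Join-Path $Mount ($Victim.Substring(3))   # drop the 'C:\' prefix
    New-Item -ItemType Directory -Path (Split-Path $Restored) -Force | Out-Null
    Copy-Item -LiteralPath $inSnapshot -Destination $Restored
    # Record the hash so the recovered file can be compared against other copies later.
    Get-FileHash -Path $Restored | Format-List Algorithm, Hash, Path
} finally {
    cmd /c rmdir $Mount | Out-Null          # remove the link, not the snapshot itself
}
```

Open the recovered file to confirm it is the readable original rather than an already-encrypted copy before relying on it.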
Complete the CTB Locker virus removal process
Given the possible tenacity of this ransomware, it’s recommended to check the machine for its components again after the cleanup procedure has been performed. Now that you have hopefully managed to recover your most important personal files, rescan your system with a trusted security suite to make sure the CTB Locker extermination has been successful.