You must have heard of a particularly nasty type of malware called ransomware. With ransomware becoming more and more rampant, more and more individuals, businesses, and government agencies are struck by it and end up handing over money to unlock their computers or decrypt precious files. Recent notorious ransomware families include CryptoWall, TeslaCrypt and Locky. All of them encrypt personal files on users’ hard drives and require them to pay a ransom to get their files decrypted. For this reason they are also called “Crypto ransomware”. Here we will talk about another type of Crypto ransomware, CTB Locker.
Similar to other types of Crypto ransomware, CTB Locker uses encryption techniques to encrypt users’ personal data and demands a ransom paid in Bitcoin in exchange for the decryption key. Cyber criminals spread the ransomware using a variety of methods. The most prevalent method is via spam emails containing a fake invoice compressed in a “.zip” or “.cab” archive file. If the user opens the attachment, a .scr file is extracted from the archive; this file is Dalexis. Dalexis is a malware downloader that drops a CAB archive, extracts an .RTF document from it, and opens the malicious document on the desktop. Here is how the document looks.
Soon thereafter, the CTB Locker ransomware is downloaded onto the user’s computer and starts performing its encryption routines. Below is a flow chart showing how CTB Locker ransomware lands on a victim’s computer:
CTB Locker ransomware can also attack a computer through a drive-by download. A drive-by download occurs when a user unknowingly visits an infected website and malware is downloaded and installed without the user’s knowledge. When the user accesses the website, the malicious code exploits vulnerabilities in the user’s browser or browser plugins, allowing the ransomware to be downloaded to the user’s computer. Additionally, this ransomware can enter a user’s computer via social media (such as Web-based instant messaging applications), suspicious links, fake alert windows, and popup ads.
Once it has successfully infected a computer, CTB Locker ransomware uses elliptic curve cryptography to lock up the user’s personal files. Soon after that, it displays a ransom note on the screen warning that personal files on the computer have been encrypted by CTB-Locker and that the victim has to obtain a private decryption key, which is stored on a secret Internet server, in order to decrypt the files. The victim is also told that he must submit the payment within 96 hours, or else all his files will remain permanently encrypted and no one will be able to recover them. The following is a screenshot of the ransom note:
When the victim clicks the Next button on the ransom note, he will see a page that provides instructions on how to decrypt the encrypted files. Below is the screenshot:
The victim is required to download the Tor browser and open the specified site. After doing so, he will be shown the following page, which gives the details of how to make the payment.
This ransomware demands that the victim pay 3 bitcoins (about 690 USD) for the decryption key. To show that decryption is possible, the victim is allowed to decrypt any 2 files for free. Despite warnings from security experts against paying the ransom, many victims choose to make the payment, since they think this is the only way to get their files back.
Do you need to pay the ransom?
Unfortunately, the answer is yes. At the time of writing there are no effective tools capable of decrypting files encrypted by CTB-Locker ransomware. There are tools that help remove the ransomware; however, the encrypted files are almost impossible to decrypt without paying the ransom.
What if you fail to pay the ransom in time for some reason?
Don’t worry. When the timer counts down to 0, you will be shown a Time expired screen that gives instructions on how to pay the ransom. See the screenshot below:
Once you click the Exit button, you can go and open the DecryptAllFiles.txt file found in the Documents folder and follow the instructions there to make the payment.
Will you get your files decrypted after paying the ransom?
Theoretically, the cyber criminals behind the ransomware will keep their promise and allow you to get the encrypted files back as long as you pay the ransom within the time limit. We can only say that if you pay the ransom, you have a 50:50 chance of getting your files back; if you don’t, you will probably lose all the encrypted files.
How can you remove CTB Locker ransomware from your PC?
If you think the encrypted files are not so important and don’t want to pay the ransom at all, then you can try following the instructions below to remove the ransomware from your PC completely.
Step 1: Boot your computer into Safe Mode.
For Windows 7:
Turn on or restart your PC. Keep pressing the F8 key after the computer has started but before the Windows 7 splash screen appears. When the Advanced Boot Options menu appears, highlight the Safe Mode option and press the Enter key on your keyboard.
For Windows 8:
Use the key combination “Windows key + R key” to open the Run command box. Type shutdown /r /o into the box and then click OK.
The Windows 8 machine will start to reboot and go into the Choose an option screen. Then, click the Troubleshoot option.
Click Advanced options.
Click Startup Settings.
Click the Restart button.
Your computer will restart itself. When the Startup Settings screen appears, press the F4 key to select the Enable Safe Mode option.
Step 2: Run SpyHunter on your computer to detect and remove CTB Locker ransomware.
Once you have booted your computer into Safe Mode, you need to install a powerful malware removal tool in order to detect and remove the malicious ransomware. You can choose SpyHunter, which is a powerful, real-time anti-malware program designed by Enigma Software Group. It offers real-time protection and creates a shield that deters threats and attacks. In case this program can’t automatically remove a particular malware threat, you can use the Spyware HelpDesk feature to get help from SpyHunter’s support team, who will connect to your infected computer and manually fix the malware issues. Please follow the guide below:
» Use a healthy computer to download SpyHunter-installer.exe.
» Copy the downloaded file to the infected computer. Then, double-click the downloaded file.
» When a dialog box pops up as below, click the run button.
» Select the language and click OK button.
» Click CONTINUE to proceed, and keep following the setup wizards to install SpyHunter.
» Accept the licence agreement and click the INSTALL button.
» Now you can see that SpyHunter is being installed on your PC. Please wait for a while.
» Once SpyHunter is successfully installed, click the EXIT button.
» Then, SpyHunter will automatically run and its main screen will look like the one below. Click the Scan Computer Now button to do a full system scan.
» SpyHunter will now start scanning the whole system for any existing threats.
» When the system scan finishes, the scan result will be shown in a list. To remove all detected threats, just click on the Fix Threats button.
Is it possible to restore the encrypted files?
The answer is “Yes,” but this is a conditional yes. The following are three methods that may help you restore the encrypted files. Once you have successfully removed CTB Locker ransomware, you can try one or two of them, according to your own situation, in order to get your files back.
Method 1: Backups
If you have a backup of the encrypted files, you can try restoring them with ease. Learn how to restore files from a backup.
Method 2: Use Data Recovery Software
You can also try using the following data recovery software to restore your files.
- Stellar Phoenix Photo Recovery
- Data Recovery Pro by Pareto Logic
- Stellar Phoenix Windows Data Recovery
- Stellar Phoenix Data Recovery Technicians License (Pro version with more features)
Method 3: Use Shadow Volume Copies
This method works only when the ransomware hasn’t deleted the Shadow Volume Copies on your PC. In theory, CTB Locker ransomware deletes all Shadow Volume Copies, but it is still worth a try. Learn how to easily restore your deleted or modified files using Shadow Copies.
If you want to avoid being a victim of ransomware, it is important that you keep these tips in your mind:
- Since ransomware may attack your computer by exploiting vulnerabilities in your system, keep your computer’s operating system fully patched.
- Make a habit of backing up your personal data regularly. This not only removes the leverage ransomware has over you, but also protects your data against accidental deletion.
- If you receive an unexpected email containing a suspicious attachment, don’t open it. You should just delete the email immediately. If you must view an attachment, please inspect it with antivirus software before opening it.
- Don’t enable macros, since many types of ransomware are distributed in Office documents that trick you into enabling macros.
- Avoid clicking on links in spam emails, on unfamiliar websites, or those sent by a stranger via instant messaging applications.
- Disable Java in your Web browsers. Make sure that you set Adobe Flash Player to “click-to-run”, or you can disable it entirely.
- Install and run a reliable anti-malware program that provides real-time protection against malware. Choose one that automatically updates its malware definitions at least once a day.
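The spam lure described earlier (a “.zip” invoice whose real content is a .scr executable, the Dalexis downloader) and the tip about inspecting attachments before opening them can both be illustrated with a small triage script. The following is an added example, not code from the original article or from any product it mentions; it handles .zip archives only (Python has no built-in CAB reader), builds a constructed sample archive in memory, and flags members by executable extension, document-looking double extension, or a PE “MZ” header hiding behind a document extension.

```python
"""Triage an e-mail attachment archive for the invoice-lure pattern used by
CTB Locker / Dalexis: a .zip "invoice" whose member is really a Windows executable."""
import io
import zipfile

# Extensions that Windows executes directly on double-click (.scr is a screensaver binary).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
# Document-looking extensions commonly used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".xls", ".xlsx"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def classify_member(name, head):
    """Return the reasons one archive member looks like an executable lure ([] if clean)."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension disguising the file as a document")
    if head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE executable header but non-executable extension")
    return reasons


def triage_zip(data):
    """Inspect raw .zip bytes without extracting to disk; return {member: [reasons]}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample (not a real payload): an MZ header with no code, plus a clean file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2015_03.pdf.scr", PE_MAGIC + b"\x00" * 62)  # fake invoice, .scr
        zf.writestr("statement.pdf", PE_MAGIC + b"\x00" * 62)            # PE bytes, .pdf name
        zf.writestr("readme.txt", b"Thank you for your order.")          # harmless text
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_archive()).items():
        print(f"{member}: {'; '.join(reasons)}")
```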
Not sure which anti-malware program to choose? SpyHunter should be your best option! It has the following features:
- Easily detect, remove, and protect your PC from the latest malware attacks.
- Malware detection and removal definitions are updated DAILY.
- FREE technical support and custom fixes for hard-to-kill malware.
Now you can click the button below to download this powerful tool on your PC!
The following video offers a complete guide for CTB Locker Ransomware removal. You’d better watch it in full-screen mode!