CryptoLocker Virus: “Your Personal Files Are Encrypted!”. How-To-Remove Guide

CryptoLocker – the virus providing 96 hours for decrypting your files

September 2013 turned out fruitful and lucrative for one of the cybercrime syndicates out there, but really alarming for private users and organizations on the other side of the IT security battlefield. The reason is the launch of a vicious computer infection known as CryptoLocker, which in terms of severity and consequences for the infected PCs ‘outperforms’ typical ransomware threats in a number of ways.

Whereas regular ransomware can be removed and the contaminated system fully remediated via a special procedure, CryptoLocker encrypts user files and won’t allow them to be restored unless a certain amount of money is paid. Furthermore, unlike ransomware that attempts to disguise itself as something legitimate, this malware is straightforward with the victim and in no way conceals its true extortion nature. It encrypts your personal files using asymmetric encryption, which means that the decryption process involves a public and a private key, the latter being stored on the criminals’ remote server. For users to have their files decrypted, they need to pay a fee of $100-300 via Bitcoins (the cheapest option according to the fraudsters’ notice), Green Dot MoneyPak (USA only), Ukash or cashU. This payment needs to be made within 96 hours; otherwise all of the encrypted files will be lost.

Thus far CryptoLocker has been known to spread by means of emails masquerading as notices about customer issues related to FedEx, DHS, UPS, etc. The contamination proper takes place when an unsuspecting user opens an attached zip file that contains a malicious executable made to look like a PDF file.

CryptoLocker virus: contamination workflow and screenshots

Now let’s have a look at what actually happens to the infected machine from a more technical viewpoint. Once CryptoLocker infiltrates a targeted computer, it creates a random-named file in the root of the AppData or LocalAppData path and creates several registry entries to ensure it gets launched on system startup as well as in Safe Mode. This being done, CryptoLocker establishes a background connection with its Command & Control server in order to obtain a public key for file encryption, the private key being stored outside of the affected PC. Then the malware scans all computer drives to locate files with a variety of extensions, including the most common ones such as *.doc, *.docx, *.docm, *.xls, *.xlsx, *.xlsm, *.xlsb, *.ppt, *.pptx, *.rtf, *.psd, *.pdf, *.jpg, etc. Having found all of these, CryptoLocker encrypts them, which is followed by the ransom screen being displayed.
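The persistence pattern just described (a program in the root of AppData or LocalAppData, launched from an autostart registry entry, possibly in Safe Mode too) is something a defender can audit directly. The following PowerShell script is an added example, not code from the original article or from any vendor: it reads the standard Run/RunOnce keys, resolves each command to its program path, and reports entries whose program sits directly in an AppData root or whose value name carries the asterisk prefix that Windows documents as forcing a RunOnce entry to run in Safe Mode. The key paths and the Vista-and-later profile layout are assumptions; the script reports only and removes nothing.

```powershell
# Added example, not from the original article: a read-only audit of the Run/RunOnce
# autostart keys for the persistence pattern described above (a program launched at
# startup from the root of AppData or LocalAppData). It reports; it removes nothing.
# Assumptions: the standard Windows autorun key paths below and the Vista+ profile layout.

function Get-ExecutablePath {
    param([string]$Command)
    # Reduce "C:\path\prog.exe" /arg  or  C:\path\prog.exe /arg  to the program path only
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Find-SuspiciousAutorun {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Parent directories that legitimate installers almost never use directly
    $rootPattern      = '^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local)$'
    $currentUserRoots = @($env:APPDATA, $env:LOCALAPPDATA) | ForEach-Object { $_.TrimEnd('\') }

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not registry values
            $exe = Get-ExecutablePath ([string]$p.Value)
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }
            $parent = (Split-Path -Path $exe -Parent).TrimEnd('\')
            $inRoot = ($parent -match $rootPattern) -or ($currentUserRoots -contains $parent)
            # Windows documents a leading asterisk on a RunOnce value name as forcing it to
            # run in Safe Mode as well; any autorun entry using that prefix deserves a look
            $safeMode = $p.Name.StartsWith('*')
            if ($inRoot -or $safeMode) {
                [pscustomobject]@{
                    Key       = $key
                    ValueName = $p.Name
                    Command   = $p.Value
                    Reason    = $(if ($inRoot) { 'program in AppData root' } else { 'Safe Mode (*) prefix' })
                }
            }
        }
    }
}

Find-SuspiciousAutorun | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt; reading these keys needs no elevation. A hit is a lead, not a verdict: confirm the file with your security software before acting on it, and use the audit after cleanup to check that no autostart entry still points at a file that is no longer there.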

As you can see, the window contains a ticking countdown clock to enhance the intimidation and urgency, as well as details on what should be done for decryption to commence. It has been reported that entering a wrong voucher code reduces the remaining time. Also, once the payment is made the files are not decrypted immediately, as it apparently takes the villains some time to process the payment and the request itself. However, according to user feedback, the scammers behind CryptoLocker have been ‘honest’ so far in terms of decrypting files after payment – an honor code of a kind, if you will.

In the following section, we will show you how to get rid of CryptoLocker and try to restore your encrypted files without paying the ransom.

CryptoLocker virus removal

Counterintuitively, removing this particular threat is not too complicated, unlike the cleanup scenarios for other known ransomware infections. The problem lies in decrypting your personal files, which is so far not feasible unless the demanded ransom is paid. Basically, this means you can get rid of CryptoLocker using legitimate security software without any particular hindrance, but the options for restoring your data are a separate matter, which we will touch upon in this guide as well.

Now, let’s outline a perfectly effective way for complete removal of CryptoLocker from an infected computer. Please follow the instructions below step by step:

1. Download and install Malwarebytes Anti-Malware (Pro or Free version).

Support: Windows XP, Vista, 7, and 8 (32-bit and 64-bit).

2. Open the application, click on the Scanner tab, choose Perform full scan radio button, then click Scan.

3. After the scan is completed, Malwarebytes will come up with the results:
As you can see, the utility labels CryptoLocker as Trojan.Ransom, with the malware location directory specified in the scan report as well.

4. Make sure there’s a check mark next to this entry in scan results, and click Remove Selected.

Now you’ve got some good news and some bad news. On the one hand, CryptoLocker is gone from your computer and won’t do any further damage. On the other, your files are still encrypted, since eliminating the malware itself does not undo its previous malign activity. The private key for decryption, which is stored on the cybercriminals’ C&C server, is no longer retrievable. In the following part of this guide, we will highlight a method that may help you restore your files.

Restoring encrypted files using Shadow Volume Copies

As mentioned above, despite successful removal of CryptoLocker, the affected files remain encrypted. While it does not appear possible to obtain the private key for decryption in this case, you can try to restore previous versions of these files using either built-in Windows functionality or a third-party application known as ShadowExplorer. Please note that this method only works if System Restore was enabled on your PC, and the versions of the files that you may be able to recover this way may not be the latest. It’s definitely worth a try though.

Getting your files back using Previous Versions functionality

Windows has a native feature: right-click on a file, select Properties and choose the tab called Previous Versions. Having done that for a particular file, you will see all versions of it that were backed up and stored in the so-called Shadow Volume Copy. The tab also provides the history of these backups by date.

In order to restore the needed version of the file, click the Copy button and then choose the location to which this file is to be restored. If you would like to replace the existing file with its restored version, click the Restore button instead. You can restore whole folders the same way.

Restoring encrypted files with ShadowExplorer utility

Besides the native Windows functionality, you can use an application that can restore previous versions of entire folders for you. It’s called ShadowExplorer. Once you download and launch this program, it will display all your drives as well as a list of dates on which shadow copies were generated. Simply pick the desired drive and date for restoration, as shown on the following screenshot:

Right-click on the directory you wish to restore and choose Export in the context menu. This will be followed by a request to indicate where you’d like to restore the information to.
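Both the Previous Versions tab and ShadowExplorer read the same Volume Shadow Copy snapshots, and the same recovery can be scripted when there are many files to pull back. The PowerShell script below is an added example, not code from the original article or from the ShadowExplorer project: it lists the snapshots of a volume, picks the newest one taken before a chosen date, exposes it through a temporary directory link, and copies a file out of it without touching the live encrypted copy. The volume, file path, destination, link path and cutoff date are placeholders; it needs an elevated prompt because creating the link and querying Win32_ShadowCopy require it.

```powershell
# Added example, not from the original article: recover one file from a Volume Shadow
# Copy snapshot taken before the infection. Run from an elevated PowerShell prompt.
# All four values below are placeholders to adapt to your own machine.

$Volume        = 'C:\'                                  # volume whose snapshots to inspect
$FileToRestore = 'Users\Alice\Documents\report.docx'    # relative to the volume root
$Destination   = 'C:\Recovered'                         # where the recovered copy goes
$LinkPath      = 'C:\ShadowLink'                        # temporary mount point for the snapshot
$Cutoff        = Get-Date '2013-09-01'                  # placeholder: a date before the infection

function Get-SnapshotsBefore {
    param([string]$VolumeName, [datetime]$Before)
    # Win32_Volume gives the \\?\Volume{GUID}\ id that Win32_ShadowCopy uses as VolumeName
    $vol = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.Name -eq $VolumeName }
    if (-not $vol) { throw "Volume $VolumeName not found" }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending
}

$snapshots = Get-SnapshotsBefore -VolumeName $Volume -Before $Cutoff
if (-not $snapshots) {
    throw "No shadow copies of $Volume predate $Cutoff; System Restore was off or the snapshots are gone."
}

# Show what exists, then take the newest snapshot that still predates the infection
$snapshots | Select-Object InstallDate, DeviceObject | Format-Table -AutoSize
$snap = $snapshots | Select-Object -First 1

# Expose the snapshot as a directory; the trailing backslash on the device path is required
cmd /c mklink /d $LinkPath ($snap.DeviceObject + '\') | Out-Null
try {
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $source = Join-Path $LinkPath $FileToRestore
    if (Test-Path $source) {
        # Copy, never move: the snapshot stays intact for further recovery attempts
        Copy-Item -Path $source -Destination $Destination
        Write-Host "Restored $FileToRestore from the snapshot taken $($snap.InstallDate)"
    } else {
        Write-Warning "$FileToRestore is not present in the snapshot taken $($snap.InstallDate)"
    }
} finally {
    # rmdir on a directory link removes only the link, not the snapshot behind it
    cmd /c rmdir $LinkPath | Out-Null
}
```

Change `$FileToRestore` to a folder and `Copy-Item -Recurse` to pull back a whole directory tree, which is what the ShadowExplorer Export step does interactively. As the article notes, the recovered version is only as recent as the last snapshot, and if no snapshot predates the infection there is nothing to recover this way.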

Summary

CryptoLocker is a really nasty computer threat designed to act in a very cunning way. It makes no particular effort to prevent users from removing the infection, the underlying reason being that most people will want their encrypted files back. Again, no method has so far been found for obtaining the private key that is necessary for decrypting the affected user’s personal data – other than, of course, surrendering to the criminals by paying the ransom via a monetary system that guarantees them anonymity and, in a way, guards them from prosecution. The file restore workflows outlined in this article may help partially, but only if System Restore was activated earlier; moreover, there’s no guarantee that the file version you recover will be the most recent one.

In order to protect yourself from being infected with viruses like CryptoLocker, be sure to use up-to-date versions of reliable security software that won’t allow malicious code to execute on your computer.

6 comments

  1. sunita says:

    cool article!!

  2. janee says:

    my computer didn’t back up, could i still choose the Previous Versions functionality?

    thanks,

    • admin says:

      Janee,

      By your phrase “my computer didn’t back up” did you mean you didn’t have System Restore enabled? If so, unfortunately you won’t be able to recover previous versions of the encrypted files using the mentioned native Windows functionality.

      If you meant something else, please specify.

      Thanks

  3. John says:

    I downloaded the shadow explorer but there do not appear to be any available versions before the virus was downloaded

  4. Sarah says:

    The cryptolocker virus attack may come from different sources. This kind of virus was observed by Dell SecureWorks in September 2013. The points which are mentioned here are really impressive and helpful for me. Keep sharing more in the upcoming posts.
