Whereas regular ransomware can be removed and the contaminated system completely remediated via a special procedure, CryptoLocker encrypts user files and won’t allow them to be restored unless a certain amount of money is paid. Furthermore, unlike ransomware that attempts to disguise itself as something legitimate, this type of malware goes straight at the victim and in no way conceals its true extortion nature. It encrypts your personal files using asymmetric encryption: the files are encrypted with a public key, and decrypting them requires the matching private key, which is stored on the criminals’ remote server. For users to have their files decrypted, they need to pay a fee of $100-300 via Bitcoin (the cheapest option according to the fraudsters’ notice), Green Dot MoneyPak (USA only), Ukash or cashU. The payment needs to be made within 96 hours, otherwise all of the encrypted files will be lost.
Thus far CryptoLocker has been known to spread via emails masquerading as customer-issue notifications from FedEx, DHS, UPS, etc. The infection proper takes place when an unsuspecting user opens an attached zip file containing a malicious executable disguised as a PDF file.
Now let’s have a look at what actually happens to the infected machine from a more technical viewpoint. Once CryptoLocker infiltrates a targeted computer, it drops a randomly named file in the root of the AppData or LocalAppData folder and creates several registry entries to ensure it is launched on system startup as well as in Safe Mode. This done, CryptoLocker establishes a background connection to its Command & Control server to obtain a public key for file encryption, the private key being stored outside of the affected PC. The malware then scans all computer drives for files with a variety of extensions, among them the most common ones such as *.doc, *.docx, *.docm, *.xls, *.xlsx, *.xlsm, *.xlsb, *.ppt, *.pptx, *.rtf, *.psd, *.pdf, *.jpg, etc. Having found all of these, CryptoLocker encrypts them, after which the following screen is displayed:
As you can see, the window contains a ticking countdown clock to heighten intimidation and urgency, as well as details on what must be done for decryption to commence. It has been reported that entering a wrong voucher code causes the remaining time to be reduced. Also, even after the payment is made, the files are not decrypted immediately, as it apparently takes the villains some time to process the payment and the request itself. However, according to user feedback, the scammers behind CryptoLocker have been ‘honest’ so far in terms of decrypting files after payment: an honor code of a kind, if you will.
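The persistence behaviour described above (a randomly named executable in the root of AppData or LocalAppData, launched from the registry at startup) can be checked for without any third-party tool. The following script is an added example, not code from the original article; since the article does not name the registry keys CryptoLocker writes, it assumes the standard Run/RunOnce keys and requires Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original article. Lists autorun entries whose
# executable lives directly in the root of %AppData% or %LocalAppData%, the two
# locations the article names for CryptoLocker's randomly named file, and any
# loose .exe files in those roots. The article does not name the registry keys
# the malware uses, so the standard Run/RunOnce keys are an assumption here.
# Assumes Windows PowerShell 3.0 or later; run elevated to read HKLM reliably.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$profileRoots = @($env:APPDATA, $env:LOCALAPPDATA) | ForEach-Object { $_.TrimEnd('\') }

# Extract the executable path from a Run value such as
#   "C:\Users\u\AppData\Roaming\abc.exe" /x   or   C:\Users\u\AppData\Roaming\abc.exe
function Get-ExePath([string]$command) {
    if ($command -match '^\s*"([^"]+\.exe)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+\.exe)')     { return $Matches[1] }
    return $null
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entry = Get-ItemProperty -Path $key
    foreach ($prop in $entry.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, etc.; they are not registry values.
        if ($prop.Name -like 'PS*') { continue }
        $exe = Get-ExePath ([string]$prop.Value)
        if (-not $exe) { continue }
        $dir = (Split-Path -Parent $exe).TrimEnd('\')
        if ($profileRoots -contains $dir) {
            "SUSPECT autorun: $key\$($prop.Name) -> $exe"
        }
    }
}

# Independently of the registry, list loose executables sitting in the two profile roots.
foreach ($root in $profileRoots) {
    Get-ChildItem -Path $root -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object { "Executable in profile root: $($_.FullName) (modified $($_.LastWriteTime))" }
}
```

A hit is a lead for investigation, not proof of infection; confirm with the scanner described in the next section before removing anything.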
In the following section, we will show you how to get rid of CryptoLocker and try to restore your encrypted files without paying the ransom.
Counterintuitively, removing this particular threat is not too complicated, unlike the cleanup scenarios for other known ransomware infections. The problem lies in decrypting your personal files, which is so far not feasible unless the demanded ransom is paid. Basically, this means you can get rid of CryptoLocker using legitimate security software without any particular hindrance, but restoring your data is a separate matter, which we will also touch upon in this guide.
Now, let’s outline an effective way to completely remove CryptoLocker from an infected computer. Please follow the instructions below step by step:
1. Download and install Malwarebytes Anti-Malware (Pro or Free version).
Supported: Windows XP, Vista, 7, and 8 (32-bit and 64-bit).
2. Open the application, click on the Scanner tab, choose the Perform full scan radio button, then click Scan.
3. After the scan is completed, Malwarebytes will come up with the results:
As you can see, the utility labels CryptoLocker as Trojan.Ransom, with the malware location directory specified in the scan report as well.
4. Make sure there’s a check mark next to this entry in scan results, and click Remove Selected.
Now there is good news and bad news. On the one hand, CryptoLocker is gone from your computer and won’t do any further damage. On the other hand, your files are still encrypted, since eliminating the malware itself does not undo its previous malign activity. The private key for decryption, which is stored on the cybercriminals’ C&C server, is no longer retrievable. In the following part of this guide, we will highlight a method that may help you restore your files.
As mentioned above, despite successful removal of CryptoLocker, the affected files remain encrypted. While it does not appear possible to obtain the private key for decryption in this case, you can try to restore previous versions of these files using either built-in Windows functionality or a third-party application known as ShadowExplorer. Please note that this method only works if System Restore was enabled on your PC, and the file versions you recover this way may not be the latest. It’s definitely worth a try though.
Windows has a native feature for this: right-click a file, select Properties and open the tab called Previous Versions. There you will see all versions of that file that were backed up and stored in the so-called Volume Shadow Copy, along with the date of each backup.
To restore the needed version of the file, click the Copy button and then choose the location to which the file should be restored. If you would like to replace the existing file with its restored version, click the Restore button instead. Whole folders can be restored the same way.
Besides the native Windows functionality, you can use an application that restores previous versions of entire folders for you. It’s called ShadowExplorer. Once you download and launch this program, it displays all your drives as well as a list of dates on which shadow copies were generated. Simply pick the desired drive and date for restoration, as shown on the following screenshot:
Right-click the directory you wish to restore and choose Export from the context menu. You will then be asked where you’d like to restore the data to.
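Before working through the Previous Versions tab or ShadowExplorer, it helps to know whether any shadow copies exist at all and from which dates. The script below is an added example, not part of the original article or of ShadowExplorer; it assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and an elevated prompt.

```powershell
# Added example, not from the original article. Lists the shadow copies
# available per drive (what the Previous Versions tab and ShadowExplorer draw
# on) so you can see whether the restore method is possible before trying it.
# Assumes Windows PowerShell 3.0 or later (Get-CimInstance) and an elevated prompt.

# Map volume GUID paths (\\?\Volume{...}\) to drive letters.
$letterByDevice = @{}
foreach ($vol in Get-CimInstance -ClassName Win32_Volume) {
    if ($vol.DriveLetter) { $letterByDevice[$vol.DeviceID] = $vol.DriveLetter }
}

$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
if ($shadows.Count -eq 0) {
    'No shadow copies exist: Previous Versions / ShadowExplorer cannot recover anything on this PC.'
    return
}

# Win32_ShadowCopy.VolumeName uses the same \\?\Volume{...}\ form as Win32_Volume.DeviceID.
$shadows |
    Sort-Object VolumeName, InstallDate |
    ForEach-Object {
        $drive = $letterByDevice[$_.VolumeName]
        if (-not $drive) { $drive = $_.VolumeName }
        [pscustomobject]@{
            Drive   = $drive
            Created = $_.InstallDate
            Id      = $_.ID
            Device  = $_.DeviceObject
        }
    } | Format-Table -AutoSize
```

Compare the Created dates with the time of infection: only a copy taken before the files were encrypted will hold clean versions of them.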
CryptoLocker is a really nasty computer threat designed to act in a very cunning way. Its authors made no particular effort to prevent users from removing the infection, the underlying reason being that most people will want their encrypted files back. Again, no method has so far been found for obtaining the private key needed to decrypt the affected user’s personal data, other than surrendering to the criminals by paying the ransom via a payment system that guarantees them anonymity and, in a way, shields them from prosecution. The file restore workflows outlined in this article may help partially, but only if System Restore was activated earlier; moreover, there is no guarantee that the file version you recover will be the most recent one.
In order to protect yourself from being infected with viruses like CryptoLocker, be sure to use up-to-date versions of reliable security software that won’t allow malicious code to execute on your computer.