
Wednesday, October 16, 2013

Remove CryptoLocker virus and restore encrypted files

CryptoLocker is a ransomware trojan that encrypts your data and then demands a ransom to decrypt the files. The current ransom is $300 (300 EUR in Europe), payable by MoneyPak or Bitcoin. It does not target Macs, at least for now. At first glance it looks like any other file-encrypting ransomware, but this variant is well coded and actually encrypts the files. It can also encrypt files in other users' profiles and on mapped network drives. Earlier ransomware trojans did not always get the encryption right, and some only displayed fake warnings; not this one. It really encrypts, the timer is real, and you have only two options: pay the ransom and hope the crooks start the decryption, or restore your files from a backup (if you are lucky enough to have one).

This threat gets in mostly via infected email attachments and drive-by downloads from compromised web sites. It is also pushed directly to computers that already belong to certain botnets. As usual, the crooks will try every available method to infect as many computers as possible. Just because someone said this malware is spread via email attachments doesn't mean you can't pick it up from an infected website as well.

An email carrying the CryptoLocker attachment, with the subject "Annual Form - Authorization to Use Privately Owned Vehicle on State Business" and supposedly sent by Xerox.


Here's what the CryptoLocker notification looks like. If you see it, it's already too late: your files are encrypted. The wording may differ slightly in some cases, but the message is the same: "Your personal files are encrypted". There's even an option to list all the encrypted files. CryptoLocker encrypts photos, videos, Word/Excel documents, Zip files, PDFs and more than 60 other file types. As I said, the timer is real; usually you have 3 days to pay the ransom.


Most antivirus vendors have updated their engines and now detect this trojan, but they cannot recover the encrypted files. For example, Avast detects it as Win32:Ransom-AQH [Trj], AVG as Ransomer.CEL and Avira as TR/Fraud.Gen2. The detection ratio is 38/48. See the CryptoLocker analysis on VirusTotal for details.


If your antivirus program found and removed CryptoLocker from your computer, you will see the following message. It's not a pop-up but a new desktop background.


Since the decryption routine lives in the malware itself, the crooks urge you to restore it from quarantine or download a fresh copy.

Normally I don't recommend paying a ransom, but this piece of malware is particularly nasty. The encryption is strong; there is no way to brute-force or guess the decryption key. The infected computer only holds the public half of a 2048-bit RSA key pair generated for that victim; the private half never leaves the servers controlled by the crooks, and without it the files cannot be decrypted. So you have to make a decision. If the encrypted files are worth more than $300 to you, you could take the risk and pay. Paying does not guarantee recovery of the files, but multiple users have reported that paying actually does work. Decryption can take a long time, 48 hours or more. If you plan to pay, type the payment code carefully: an incorrect code decreases the time you have left to decrypt your files. If everything goes smoothly, decryption will start:


If the payment information is wrong or the command-and-control servers are down, you may get an error similar to this one:


Personally, I think paying the ransom is a bad idea, because the money will almost certainly fund the next variant, probably more sophisticated than this one. On the other hand, I understand companies and users with very important files who simply cannot afford to lose them and have no other option.
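To make the key handling above concrete, here is an added illustration written with the .NET crypto classes Windows PowerShell can reach; it is not CryptoLocker's code and not part of the original post. The attacker's server generates the RSA-2048 pair and hands out only the public half; each file is encrypted with a fresh AES-256 key that is then wrapped with that public key (the per-file AES key is an assumption about how such malware works, not something the post states). The function names, the sample text and the blob layout are this example's own.

```powershell
# Added illustration of the key scheme described above; not CryptoLocker's code.
# Server side: RSA-2048 pair, private half never leaves it.
# Victim side: public half only, plus the encrypted files and wrapped AES keys.
# Per-file AES-256 key wrapped with RSA-OAEP is an assumption about the malware.
$rsaType = 'System.Security.Cryptography.RSACryptoServiceProvider'

# --- attacker's server ---
$serverRsa    = New-Object $rsaType -ArgumentList 2048
$publicParams = $serverRsa.ExportParameters($false)    # $false: modulus and exponent only

# --- infected computer: everything it ever holds ---
$victimRsa = New-Object $rsaType
$victimRsa.ImportParameters($publicParams)

function Protect-File([byte[]]$plaintext, $rsaPublic) {
    # Encrypt with a fresh AES key/IV, wrap the key with RSA-OAEP, then discard the clear key.
    $aes    = [System.Security.Cryptography.Aes]::Create()   # 256-bit key, random IV
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plaintext, 0, $plaintext.Length)
    $blob   = New-Object PSObject -Property @{
        Ciphertext = $cipher
        IV         = $aes.IV
        WrappedKey = $rsaPublic.Encrypt($aes.Key, $true)     # $true = OAEP padding
    }
    $aes.Clear()                                             # zeroes the clear AES key
    return $blob
}

function Unprotect-File($blob, $rsa) {
    # Succeeds only when $rsa carries the private key.
    $aes     = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $rsa.Decrypt($blob.WrappedKey, $true)
    $aes.IV  = $blob.IV
    $clear   = $aes.CreateDecryptor().TransformFinalBlock($blob.Ciphertext, 0, $blob.Ciphertext.Length)
    $aes.Clear()
    return $clear
}

$sample = [Text.Encoding]::UTF8.GetBytes('constructed sample document')   # constructed input
$blob   = Protect-File $sample $victimRsa

# What the victim can do with the public key and the blob: nothing useful.
try   { Unprotect-File $blob $victimRsa | Out-Null; 'unexpected: decrypted without the private key' }
catch { "victim side: $($_.Exception.GetBaseException().Message)" }   # 'Key does not exist.'

# What the server can do once paid: unwrap the AES key and recover the file.
[Text.Encoding]::UTF8.GetString((Unprotect-File $blob $serverRsa))
```

The victim-side failure is the whole point: the public parameters, the ciphertext, the IV and the wrapped key are all present on the infected machine, and none of them help without the private exponent held on the server.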

If the encrypted files are not very important or you can't pay the ransom, you can remove the malware and restore your files (at least some of them) from Volume Shadow Copies using Shadow Explorer. You could restore encrypted files one by one with the Previous Versions feature built into Windows, but with Shadow Explorer you can restore entire folders at once, and the tool is free. Either way this only works while shadow copies of the affected volumes still exist. To remove CryptoLocker and restore encrypted files, follow the removal guide below. If there's anything you think I should add or correct, please let me know.

Written by Michael Kaur, http://deletemalware.blogspot.com


Step 1: Removing CryptoLocker and related malware:

Before restoring your files from shadow copies, make sure CryptoLocker is no longer running; otherwise it will encrypt the restored files again. You have to remove this malware permanently. Thankfully, a couple of anti-malware programs effectively detect and remove it.

1. First, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.



2. Then download the ESET Online Scanner and run a second scan to make sure no other malware is running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

--------------

If you can't use anti-malware programs, you will have to remove CryptoLocker manually.

1. Download Process Explorer. CryptoLocker runs as two copies of itself that guard each other, so ending them one at a time from Task Manager is difficult; use Process Explorer instead.

2. Open Process Explorer and find CryptoLocker's processes. The malware uses a randomly generated file name, so yours will be different.



IMPORTANT! Copy the location of the executable file it points to into Notepad, or note it some other way. CryptoLocker saves itself to the root of the %AppData% folder:

Windows XP: C:\Documents and Settings\[Current User]\Application Data\

Windows Vista/7/8: C:\Users\[Current User]\AppData\Roaming\

3. Right-click the first process and select Kill Process Tree. This terminates both at once.



4. Remove the malicious file, using the location you noted in the previous step. The file is hidden, so make sure Windows is set to show hidden and protected operating system files. For more information, read Show Hidden Files and Folders in Windows.

In my case, it was C:\Documents and Settings\[Current User]\Application Data\Klonpmmpdidlznt.exe



5. Click Start and type regedit into the search box; this opens the Registry Editor.

6. Open the Edit menu and choose Find (Ctrl+F). Type the file name you noted earlier and click Find Next.



7. This should find values named CryptoLocker under the following keys; right-click each entry and delete it.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

In the right-hand pane select the value named CryptoLocker. Right-click it and choose Delete.



HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

In the right-hand pane select the value named *CryptoLocker. Right-click it and choose Delete. The leading asterisk is not part of the name by accident: Windows runs RunOnce entries whose name starts with * even when you boot into Safe Mode, which is why the malware still loads there.



8. Press F3 to continue the search, deleting each hit, until Windows has finished searching the registry, then close the editor. That's it!
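The same hunt, as an added PowerShell script that is not part of the original guide. It reads the HKCU Run and RunOnce keys, flags any value whose command points at an executable sitting directly in the %AppData% root (the location from step 2, on XP as well as on Vista and later), ends every process running from that image, and, only when started with -Remove, deletes the value by its exact name and the hidden file. The asterisk check is the Safe Mode marker from step 7. Run it in an elevated prompt as the infected user; the output wording and the -Remove switch are this script's own.

```powershell
# Added triage script (not from the original guide). Hunts the persistence the
# guide describes: an HKCU Run/RunOnce value whose command points at an
# executable in the root of %AppData%. Reports and kills by default; deletes
# the value and the file only with -Remove.
param([switch]$Remove)

$appData = [Environment]::GetFolderPath('ApplicationData')   # XP: ...\Application Data   Vista+: ...\AppData\Roaming
$hkcu    = [Microsoft.Win32.Registry]::CurrentUser
$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-ImagePath([string]$command) {
    # Return the bare executable path from a Run value ("quoted path" args, or bare path args).
    $command = $command.Trim()
    if ($command.StartsWith('"')) {
        $end = $command.IndexOf('"', 1)
        if ($end -gt 1) { return $command.Substring(1, $end - 1) }
    }
    return ($command -split '\s+')[0]
}

# 1. Find Run/RunOnce values whose image lives directly in the %AppData% root.
$suspects = @()
foreach ($sub in $runKeys) {
    $key = $hkcu.OpenSubKey($sub)
    if ($null -eq $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        if (-not $command) { continue }
        $image = Get-ImagePath $command
        try   { $dir = [System.IO.Path]::GetDirectoryName($image) }
        catch { continue }                                    # garbage in the value; not a path
        if ($dir -and ($dir.TrimEnd('\') -ieq $appData.TrimEnd('\'))) {
            $suspects += New-Object PSObject -Property @{
                SubKey   = $sub
                Name     = $name
                Image    = $image
                SafeMode = $name.StartsWith('*')              # '*' prefix: RunOnce entry also runs in Safe Mode
            }
        }
    }
    $key.Close()
}
if (-not $suspects) { "No Run/RunOnce value points into $appData"; return }

foreach ($s in $suspects) {
    $note = ''
    if ($s.SafeMode) { $note = '  (runs in Safe Mode too)' }
    "HKCU\$($s.SubKey)\$($s.Name) -> $($s.Image)$note"

    # 2. CryptoLocker runs as two copies of the same file: match on image path, not process name.
    $running = Get-Process | Where-Object {
        $p = $null
        try { $p = $_.Path } catch { }                        # protected processes: no path, skip
        $p -and ($p -ieq $s.Image)
    }
    foreach ($proc in $running) {
        "  stopping PID $($proc.Id)"
        Stop-Process -Id $proc.Id -Force
    }

    # 3. With -Remove: delete the value by exact name (so a leading '*' is not a wildcard) and the hidden file.
    if ($Remove) {
        $key = $hkcu.OpenSubKey($s.SubKey, $true)
        $key.DeleteValue($s.Name, $false)
        $key.Close()
        if (Test-Path -LiteralPath $s.Image) {
            $file = Get-Item -LiteralPath $s.Image -Force     # -Force: the file is hidden
            $file.Attributes = 'Normal'                       # clear hidden/system before deleting
            Remove-Item -LiteralPath $s.Image -Force
        }
        "  removed value and file"
    }
}
```

Run it once without -Remove first and compare the reported image path with what Process Explorer showed you; a legitimate program that installs itself into the AppData root would be flagged the same way.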


Step 2: Restoring files encrypted by CryptoLocker using Shadow Volume Copies:

1. Download and install Shadow Explorer. The tool runs on Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8, and it needs the .NET Framework 3.5 installed.

2. Open Shadow Explorer. From the drop-down lists, select the drive and the latest point-in-time shadow copy that was taken before the infection.



3. Right-click any encrypted file or an entire folder and choose Export. You will be prompted for the location to restore the contents to.



Hopefully, this will help you to restore all encrypted files or at least some of them.

CryptoLocker keeps the list of files it encrypted in the registry under:

HKEY_CURRENT_USER\Software\CryptoLocker\Files
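Step 2 without Shadow Explorer, as an added PowerShell script that is not part of the original guide: it reads the registry list above, finds the newest Volume Shadow Copy of each local volume through WMI, exposes the snapshot with a directory symlink and copies the pre-encryption versions into a separate folder, leaving the encrypted originals alone. It assumes each value name under that key is one victim path; samples reported at the time wrote them with ? in place of \, so both spellings are accepted. Vista or later and an elevated prompt are required (mklink does not exist on XP), and it must run after the malware has been removed. The restore folder name and the output wording are this script's own.

```powershell
# Added restore script, not from the original guide. Copies the pre-encryption
# versions of the files listed under HKCU\Software\CryptoLocker\Files out of the
# newest Volume Shadow Copy of each volume into $RestoreRoot. Run elevated,
# after CryptoLocker is gone. Encrypted originals are never touched.
param([string]$RestoreRoot = 'C:\CryptoLocker-Restore')

$key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\CryptoLocker\Files')
if ($null -eq $key) { throw 'HKCU\Software\CryptoLocker\Files not found' }

# Assumption: each value name is one victim path. Samples reported at the time
# wrote them with '?' in place of '\' (C:?Users?me?doc.docx); accept both forms.
$files = @(foreach ($name in $key.GetValueNames()) {
    if ($name -match '^[A-Za-z]:\?') { $name -replace '\?', '\' } else { $name }
})
$key.Close()
"$($files.Count) file(s) listed in the registry"

# Shadow copies, newest first (the same snapshots 'vssadmin list shadows' prints).
$shadows = Get-WmiObject Win32_ShadowCopy | Sort-Object {
    [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } -Descending
if (-not $shadows) { throw 'No Volume Shadow Copies exist; nothing to restore from (Shadow Explorer would be empty too)' }

$restored = @()
foreach ($vol in (Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter })) {
    $snap = $shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID } | Select-Object -First 1
    if (-not $snap) { continue }                          # this volume has no snapshot
    $drive  = $vol.DriveLetter                            # e.g. C:
    $wanted = @($files | Where-Object { $_ -like "$drive\*" })
    if (-not $wanted) { continue }

    # Expose the snapshot as a directory symlink; the trailing backslash on the device path is required.
    $mount = Join-Path $env:TEMP ('vss_' + $drive.Substring(0, 1))
    if (Test-Path -LiteralPath $mount) { cmd /c rmdir "$mount" | Out-Null }
    cmd /c mklink /d "$mount" "$($snap.DeviceObject)\" | Out-Null
    "$drive <- $($snap.DeviceObject) (snapshot date $($snap.InstallDate.Substring(0, 8)))"

    foreach ($f in $wanted) {
        $rel = $f.Substring(3)                            # strip 'C:\'
        $src = Join-Path $mount $rel
        $dst = Join-Path $RestoreRoot (Join-Path $drive.Substring(0, 1) $rel)
        if (Test-Path -LiteralPath $src) {
            New-Item -ItemType Directory -Force -Path (Split-Path -Parent $dst) | Out-Null
            Copy-Item -LiteralPath $src -Destination $dst -Force
            $restored += $f
        }
    }
    cmd /c rmdir "$mount" | Out-Null                      # removes the link only, never the snapshot
}

$notRestored = @($files | Where-Object { $restored -notcontains $_ })
"Restored $($restored.Count) file(s) into $RestoreRoot; $($notRestored.Count) not recovered (no snapshot, or created after it):"
$notRestored
```

Files on mapped network drives are listed in the registry but are not local volumes, so they end up in the "not recovered" list; those have to be restored on the server that hosts the share.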

14 comments:

Anonymous said...

HELP!!!

I want to make the payment, but as there is no pop-up I only have the link they gave me, and each time I try to type in this link I get "access denied for your IP address". I need to make this payment to save my business... how can I do this... PLEASE!!

Admin said...

You mean the Cryptolocker download link? So, if I understand you correctly, you can't make the payment because there's no pop-up window where you could enter the payment info, right?

There could be many reasons, maybe they had to shut their servers down or maybe authorities are blocking those servers.

Anonymous said...

So I got this virus, and I removed it with the anti-malware you suggested. We have a Small Business Server as well as Barracuda backup, so I'm not worried about the files, but I noticed it selected files from the Small Business Server. Are they encrypted for just me or for anyone that attempts to access them?

Anonymous said...

It keeps telling me that my OS is not compatible with Shadow Explorer. I have Windows XP Version 5.1

Admin said...

I'm afraid they are encrypted for anyone that attempts to access them.

Shadow Explorer works on Windows XP Service Pack 2 and above, at least the authors say so, but I actually couldn't run it on Windows XP SP2, not sure why. Had the same issue as you and couldn't find a solution.

Anonymous said...

ShadowExplorer requires .NET Framework 3.5 Client Profile to run

Admin said...

Yes, indeed, .NET Framework 3.5 is required to run ShadowExplorer. So, if you got a run time error, make sure that .NET Framework 3.5 is installed on your computer.

Anonymous said...

We got this on 3 PCs. A co-employee received a spoofed company email. It looked as if it were from the company administration, yet the company email account had a new account {Voice4}, so it looked something like this, with a voicemail attachment: [Voicemail.zip]. This email did NOT go company-wide to all accounts (only that 1 account received it). Yet this person forwarded it to others & we stopped it after it had been opened on just 2 more PCs. Two PCs would NOT boot into Safe Mode with Command Prompt (had to run msconfig & select boot Safe Mode with Alt Shell checked). On the one that did boot into Safe Mode, the ransomware still loaded & I had to use a Win7 install disk, choose Repair & remove it all from the command prompt. All restore points have been removed from those 3 PCs. GoDaddy is where the email accounts are & 1. they have not even heard of this bug yet as of Thu 3PM (24Oct13) & 2. they could not scan a .zip file as it passes through their system. HMMMMM. If this is ever put on an email worm then wow, we'd be in real trouble.

Anonymous said...

saved my life! thank you.

Anonymous said...

Were you able to reinfect it and pay after it said your IP address had been blocked?

Please advise as I am facing same issue

Anonymous said...

My IT guy thinks that the authorities are blocking the link to pay the ransom and that unless someone can come up with a program to unencrypt, we are up a creek.

Anonymous said...

After removing the virus I tried Shadow Explorer, then opening up the files, but they're still decrypted... PLEASE HELP!!!!!!!!!!!!!!!!!!!!

Jim said...

I have been figuring out how to get back a database that was corrupted during a Mozy Pro backup and this SAVED OUR BUTTS! I was even going to pay the ransom because the DB holds so much valuable data for my client's ISO certification. Live and learn: zip DB backups, THEN back up to Mozy.

Anonymous said...

My files on my desktop are gone now because of CryptoLocker... it suddenly appeared and suddenly went, I mean the pop-up. Then I found some trojans and viruses in the quarantine of my Microsoft Security Essentials antivirus and deleted them... now, the files that were on my desktop were not important, but how do I know whether I am still infected or not? I followed your procedures in defending against CryptoLocker and I do not know if I am going to lose data in the future or not, please HELP!!!