
Wednesday, January 21, 2015

How to Remove CTB-Locker Virus and Restore Encrypted Files

CTB-Locker is a Trojan-ransom (ransomware) infection that scans your computer for data files and encrypts them so they cannot be opened or repaired without the unique decryption key. To get that key and decrypt your files you are asked to pay a ransom of $100 or sometimes considerably more. The ransomware renames each encrypted file by appending a random extension, for example .KUEDIDG, to the original name, so report.xlsx becomes report.xlsx.KUEDIDG. The name stands for Curve-Tor-Bitcoin: elliptic-curve cryptography for the keys, a Tor hidden service for the payment site, and Bitcoin for the ransom. The encryption is strong enough that brute-forcing the key is not a realistic option, supercomputer or not.

It has a timer that gives you 96 hours (4 days) to pay. It is unclear what happens when the timer runs out: the criminals claim they will destroy your decryption key if you do not pay on time, but I don't know whether that is true or just a scare tactic.

Another addition is language localization. The CTB-Locker decryption instructions are now available in German, Dutch and Italian, and the crooks will probably add more languages if the campaign succeeds. All signs indicate that this is a widespread infection, because anyone who buys a certain exploit kit gets the CTB-Locker module and support for a certain period. In other words, you can expect multiple attacks run by different people, which is what makes this ransomware so dangerous. Those who created it will even help their customers install and run it.

Once installed, this ransomware scans your computer for data files and encrypts them silently in the background. You won't notice anything, except perhaps increased CPU usage. It then creates a file called DecryptAllFiles.txt in the Documents folder and displays a "Your personal files are encrypted by CTB-Locker" message with instructions on how to get your files back. The message reads:

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker. Otherwise, it seems that you or your antivirus deleted the locker program.

Now you have the last chance to decrypt your files.

Open http://[edited] or http://[edited] in your browser. They are public gates to the secret server.

If you have problems with gates, use direct connection:

1. Download Tor Browser from

2. In the Tor Browser open the http://[edited].onion/
Note that this server is available via Tor Browser only.
Retry in 1 hour if site is not reachable.

Copy and paste the following public key in the input form on server. Avoid misprints.

Follow the instructions on the server.

So what you basically have to do is install the Tor Browser, or use a Tor-to-web gateway, to open a web page with payment information, paste in the public key you were given, and pay the ransom. If everything goes well, you receive your decryption key. At least, that is what the criminals say. I personally wouldn't trust them or pay the ransom unless the encrypted files were extremely important to me. You can't know in advance whether you will actually get the key, so think of paying as your last option.

If you, like most of us these days, spend any amount of time on the Internet, then you really need to make it your business to know what threats there are to your online safety, and what precautions you should take to protect yourself. These days, being infected by a virus doesn't just mean your computer keeps crashing; it can be far more serious than that. Bank fraud, data corruption and even identity theft can have long-lasting ramifications and cause untold stress and misery.

Put simply, you need to be aware of the dangers of malware like CTB-Locker. But that can be easier said than done when there are so many different types of malicious software to contend with. Do you know your spyware from your adware or your rogue security software from your Trojan Horses? Let’s take a closer look at the latter and find out how you can safeguard your data, your identity – and your sanity.

CTB-Locker is a particularly unpleasant type of malware which employs devious tactics to get itself installed on your computer. In fact, you play an important part in that process, because the installer is disguised as something entertaining, interesting or useful that you simply have to open right now. More often than not it arrives as a file attachment in an email or a link in an instant-messenger message. The attachment (or link) will look harmless enough, enticing even, but once you have clicked and opened it, you have set the wheels in motion for a technology nightmare.

Trojans as a class have some very destructive character traits: corrupting your data, deleting your files, and logging your keystrokes to steal personal information such as passwords and bank account details. CTB-Locker's own payload is the file encryption described above, but some variants also install more malware on your computer and turn it into something called a 'zombie', which basically means that your PC is now under the control of the malware's operator. If that sounds like something out of a horror movie, you wouldn't be far wrong, as anyone who has experienced the stress of a Trojan-ransom infection can testify.

The moral of the story? Don't be too trusting. Be very careful what attachments you open, and NEVER open files or click links in emails or messages from unknown senders.

If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur

Step 1: Removing CTB-Locker and related malware:

Before restoring your files from shadow copies, make sure CTB-Locker is no longer running. It has to be removed permanently, otherwise the files you restore can simply be encrypted again. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then download ESET Online Scanner and run a second scan to make sure no other malware is running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by CTB-Locker virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool relies on the Volume Shadow Copy Service and works on Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. The drop-down lists in the top left corner let you pick the drive (C:, D: and so on) and one of the available point-in-time shadow copies. Select the drive and the most recent date that is still before the infection.

3. Right-click any encrypted file or an entire folder and choose Export. You will then be prompted for where to restore the contents to.

Hopefully this will help you restore all of your encrypted files, or at least some of them. Keep in mind that Shadow Explorer does not decrypt anything; it copies out the earlier, unencrypted version of the file that the shadow copy still holds. If the list of dates is empty, or only shows dates after the infection, the usable shadow copies are gone (ransomware of this kind commonly deletes them with vssadmin) and you will have to fall back on a backup.
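The same restore can be done without a third-party tool. The PowerShell script below is an added example written for this page; it is not part of the original post and not Shadow Explorer's code. It puts together the two technical points above: the renaming behaviour (original name kept, one random extension appended) and the shadow-copy restore. Given a drive letter and the extension the ransomware appended (read it off your own file names, e.g. lwmoyil), it inventories the encrypted files, uses their earliest write time as the start of the infection, picks the newest shadow copy of that volume taken before that moment, mounts it with mklink, and copies each file's pre-infection version next to its encrypted copy. It works for any drive letter, not only C:, and also for files in the drive root. The mount path C:\shadow_mount, the -DryRun switch and the script name are my choices, not anything from the page. Run it from an elevated PowerShell after Step 1 is complete.

```powershell
<#
  Restore-FromShadow.ps1 -- added example, not from the original post.
  Restores pre-infection versions of CTB-Locker-encrypted files from a
  Volume Shadow Copy using only built-in Windows tooling.
  Requires an elevated PowerShell; shadow copies are admin-only.
  Assumptions: the appended extension is read off the encrypted file
  names; restored files are written next to their encrypted copies.
#>
param(
    [Parameter(Mandatory)] [string] $Drive,              # e.g. 'D:'
    [Parameter(Mandatory)] [string] $EncryptedExtension, # e.g. 'lwmoyil'
    [string] $MountPoint = 'C:\shadow_mount',            # assumed path, must not exist yet
    [switch] $DryRun                                     # count only, copy nothing
)
$ErrorActionPreference = 'Stop'
$Drive = $Drive.TrimEnd('\')
if ($Drive -notmatch '^[A-Za-z]:$') { throw "Drive must look like 'D:'" }
if ($MountPoint -match '\s') { throw "Use a mount path without spaces" }
$ext = '.' + $EncryptedExtension.TrimStart('.')

# 1. Inventory encrypted files. CTB-Locker keeps the original name and
#    appends one random extension: report.xlsx -> report.xlsx.lwmoyil
$encrypted = @(Get-ChildItem -Path "$Drive\" -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name.EndsWith($ext, [StringComparison]::OrdinalIgnoreCase) })
if ($encrypted.Count -eq 0) { Write-Host "No *$ext files found on $Drive"; return }

# The encrypted copies were written when the malware ran, so the earliest
# LastWriteTime among them bounds the start of the infection.
$infectionStart = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
Write-Host ("{0} encrypted files on {1}; earliest written {2:u}" -f $encrypted.Count, $Drive, $infectionStart)

# 2. Find the newest shadow copy of that volume taken BEFORE the infection.
#    Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName are the same
#    \\?\Volume{GUID}\ path, which is how a drive letter maps to its copies.
$volume = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Drive }
if (-not $volume) { throw "No volume is mounted as $Drive" }
$copies = @(Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $volume.DeviceID })
$shadow = $copies | Where-Object { $_.InstallDate -lt $infectionStart } |
    Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $shadow) {
    # The failure mode several commenters hit: only copies dated after the
    # infection remain, or none at all. Shadow copies cannot help then.
    Write-Warning "No shadow copy of $Drive predates $infectionStart; fall back on a backup."
    $copies | ForEach-Object { Write-Host ("  available: {0:u}" -f $_.InstallDate) }
    return
}
Write-Host ("Using shadow copy {0} from {1:u}" -f $shadow.ID, $shadow.InstallDate)

# 3. Expose the snapshot as a directory. mklink is the documented way to
#    link to a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ path, and
#    the trailing backslash on the device path is required.
if (Test-Path -LiteralPath $MountPoint) { throw "$MountPoint already exists; pick an unused path" }
cmd.exe /c mklink /d $MountPoint "$($shadow.DeviceObject)\" | Out-Null
try {
    $restored = 0; $missing = 0; $skipped = 0
    foreach ($f in $encrypted) {
        # D:\docs\report.xlsx.lwmoyil -> docs\report.xlsx (relative to the volume root)
        $relative = $f.FullName.Substring($Drive.Length + 1)
        $relative = $relative.Substring(0, $relative.Length - $ext.Length)
        $source   = Join-Path $MountPoint $relative
        $target   = Join-Path $f.DirectoryName (Split-Path $relative -Leaf)
        if (-not (Test-Path -LiteralPath $source)) { $missing++; continue }  # created after the snapshot
        if (Test-Path -LiteralPath $target) { $skipped++; continue }          # never clobber an existing file
        if (-not $DryRun) { Copy-Item -LiteralPath $source -Destination $target }
        $restored++
    }
    Write-Host "restored=$restored missing_in_snapshot=$missing already_present=$skipped"
    Write-Host "Encrypted copies were left in place; delete them once the restored files open correctly."
}
finally {
    # rmdir on a directory symlink removes only the link, never the snapshot contents.
    cmd.exe /c rmdir $MountPoint | Out-Null
}
```

Run it first with -DryRun (for example `.\Restore-FromShadow.ps1 -Drive 'D:' -EncryptedExtension 'lwmoyil' -DryRun`) to see how many files the chosen snapshot actually covers, then without it. Files that were created after the last usable snapshot show up under missing_in_snapshot and cannot be recovered this way; those need a backup.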


Anonymous said...

Could anyone decrypt ANY file with this method?
My trials are still not successful :(

coolguy said...

This method worked for drive C: contents, but what about other drives, e.g. D:, E:?
Could you suggest any other method?

Anonymous said...

To recover your encrypted files, remove the HDD and connect it to a machine running Linux. You will be able to restore all CTB-Locker encrypted files. Do not move the encrypted files around.

>>>ctb-locker victim<<<

Anonymous said...

Easy one... Shadow Explorer recovered all the files that were encrypted.

You can change the drive in Shadow Explorer in the top left corner - just did it. Thanks for the hint.

Hamdan de Rossi said...

What if I have to reinstall my computer? However, all the documents are in the directory D: ???

ChiliBone said...

Even if you can decrypt your files, how do you know when this bug is gone?

Admin said...

@ChiliBone, you need to scan your computer with anti-malware program and remove infected files. Preferably with at least two anti-malware programs.

Anonymous said...

Has anyone recovered encrypted files on Windows XP????

Anonymous said...

Hi Anonymous >>>ctb-locker victim<<<,
could you please tell how you recovered the encrypted files using Linux? I tried with RHEL 7 but failed.

Anonymous said...

Can someone help me? I cannot use Shadow Explorer for recovery because it is empty. Is there another way to recover my files?

Anonymous said...

Shadow Explorer is unable to decrypt the files!!!!!!!

Anonymous said...

I think Shadow Explorer didn't decrypt the files, it just restores another copy/version of the files. BTW, thanks for the tip.. but I have another problem: there is no other version of the folder/files that the user has. Is there any other solution?

Mansi said...

My system is infected by the CTB-Locker virus, but I am unable to recover the files encrypted by the virus. I do not have any backup. Could you please suggest a way to decrypt the files?

cintia nadeshiko said...

Anyone, would you help me? I only found one date, the latest. What is the reason for that?
Help me, all my data is still encrypted by CTB-Locker.
Thank you.

walid bchini said...

All my files are encrypted by CTB-Locker, but I can't decrypt them. I used many methods but none of them can restore them. Help plz

Anonymous said...

Thank you... I could help my friend recover all the files on her laptop... she was cryin' when she found out all her files couldn't be opened... very good software...

vmovies said...

How do you go about using a Linux machine? I attached my affected drive to a Linux system and it still could not open the CTB-locked files.

Anonymous said...

Thanks for the great program

Asiyam zamanam said...

Hi, when CryptoWall ran, I unknowingly ran Norton Utilities, and then I fixed my Norton antivirus, and then I found out about this CryptoWall. Norton Utilities has a backup of all my registry, and I can restore it. All my files are locked. Can I pay and get my files back, and should I turn off my antivirus at that time? Any help will be great, and I don't have that much time. Thank you very much.

Admin said...

@Asiyam zamanam, there's no guarantee that you will get your files back after paying the ransom. It's always a 50/50 shot. If those files are not very important or let's say they are not worth $500 or more then I wouldn't pay the ransom. But it's up to you to decide.

Asiyam zamanam said...

Hi, for some important files, I had to pay. Now I got private.key and public.key. What should I do with these keys before running decrypt.exe? Any help will be great. Thank you very much.

Anonymous said...

Dear friends.......
My laptop also got attacked today.. by CTB....... Help me, anyone, to get my important documents.......

Galihwara as Ega said...

Hi, friends...

My laptop also got attacked 2 days ago by CTB too. So can CTB-Locker only be healed with paid antivirus, like shadow copy etc.? As far as I have tried, antivirus like AVG, WinAV, and PCMAV can't detect it :(

Second, how do I make the encrypted file go back to the original version (how to decrypt it back)? Thanks

anakkencoer said...

Hi everyone, can anyone tell me about other tools besides Shadow Explorer to search for my files? Shadow Explorer only works on Win XP SP2 and above....
My office PC with Win XP Professional got infected by CTB yesterday.
Thanks in advance for any solution

Warren Little said...

Did everything. What if it keeps coming back?

suresh kumar said...

Hi friends, all my files were encrypted in this format (file.XLSX.lwmoyil). Can anybody help me to recover them?

Anonymous said...

Please upload the decrypt.exe??? I can try it on my PC..

CyberWhiz said...

SHADOW EXPLORER IS A LIFE SAVER!!!! I spent hours with Norton support, and to fix the decrypted files they wanted me to purchase a virus removal service..... what a money-making scheme. Anyway, thank you very much!!!!!!!!

Anonymous said...

We should team up internationally and get this hacker behind bars and not even allow a digital wrist watch near him / her / them. This is nothing other than a criminal act and needs punishment! Did anybody file a criminal case in their country against this unknown extortionist? Come on, let us strike back.

Anonymous said...

It's so horrible, whoever did this :(
Just like everyone, I've used Shadow Explorer to recover from C:, but does anyone know how to recover from E: too?
Thank you

kapoor singh said...

Can anyone help me decrypt the files affected by CTB-Locker?

Anonymous said...

Hi I just got the locker on my XP SP3.

I'm positive that it started when I launched SUPER 2010 b38 (an FFmpeg graphical frontend for audio/video conversions) and wanted to bypass the auto-update screen. It started forking lots of msiexec processes, and SUPER crashed when I tried to close it.

Did anyone experience the same? I don't want to blame SUPER, but its spooky auto-update feature just went wild although I cancelled the prompt. And the processor load immediately went up to 100% while msiexec processes were forking like hell.

Anonymous said...

Update to my comment above:
This is a new variant of the TeslaCrypt ransomware. It encrypts sensitive files and appends the .exx extension.
Affected folders contain text files named HELP_RESTORE_FILES_ganfa.TXT

Take care of your backups.
It's touching any drive attached to your computer.

minou min said...

Does that program post our pictures online???

Admin said...

@minou min, no, as far as I know it doesn't make any files public.

yue_ky said...

Please help! I removed the CTB-Locker and installed Shadow Explorer, but the dates in Shadow Explorer only show dates after my computer was infected. Please help!!!

Anonymous said...

I wasn't able to find any dates before the infection in Shadow Explorer. Please help.

Anonymous said...

Hi, can anyone tell me why my decrypted files cannot be seen by Shadow Explorer?

Kenny said...

Anonymous, please, if you get to know who is behind this CTB-Locker, I would like to know their location or address.

Anonymous said...

The removal part is the hardest; use AVG and a rootkit that will work.
Look at the infected files; they have something like


Just do this: rename to the original file name
rename xxxx.jpg.ffhhhggg xxxx.jpg
It still doesn't work, but:

Choose Properties, Previous Versions, and Restore an older version; it works again (Windows 7).

If you are lazy, click the folder which contains the infected files
and restore an old version of the folder.

You now have 2 copies of the files, the infected one and the original. Just delete
the infected files. Do the same thing with docs.
This doesn't work for files in the root directory. I am working on that one.

Regards, Layek

Scott Matthew said...

My name is Scott. I am a professional photographer from Michigan. On August 11, 2015 my computer was infiltrated by hackers utilizing an advanced and evolving hacking and data encryption program. It is not the only one of its kind; however, the bad guys are continuing to invent new and more powerful ways to separate people and companies from the things they need the most. It is something that never should happen. It is wrong what these people do, and they are doing it every day. They are doing it as I write this. They call it RANSOMWARE. It is a word I myself, a common computer user, had not heard of.
These programs go by different names. They all do about the same thing, which is to lock you out of your own computer and/or render files on your hard drive inaccessible to you and, incidentally, to most people on the planet. It is a troublesome and disturbing new trend in cybercrime, and I feel law enforcement and our government are NOT doing nearly enough to combat these people and their very REAL weapons.
They seem to be targeting at random: individuals, small businesses, and even law enforcement itself. There is a new shared danger in this fluid situation that is different from other computer virus programs, in that even with the best protection the government has at its disposal there are people who know how to break in. Once one of these RANSOMWARE programs is able to upload onto your system you may never know it is there until it strikes. When it does, it is very fast and there is nothing you can do to stop it. Your file icons will flicker and disappear. You will see this happen as I did. The files will reappear, but in an encrypted format that MOST people will never break, it seems. You will need to know a lot about computer CODE and DECRYPTION.
If you start to see your files going away, the only thing you can do is unplug your system from the wall or shut it down immediately, as fast as you can. Just hit the button!! In some cases doing an immediate system restore and/or factory restore can assist in the recovery of files. It depends a lot on when your last hard drive RESTORE POINT was made. That is something you should do often, particularly if you do a lot of work on your computer and have more files you are dealing with.
The best thing you can do is keep updated copies of important material, on CD as well as on a computer that is NOT connected to the internet at all. That is what I mostly do. I have computers for networking and I have others for editing and other things. It is best to keep things separate, now more than ever.
As of this writing there is no decryption for the version of this virus program that has locked my files from me. It is called CTB-LOCKER. It uses RSA-2048 ENCRYPTION. Please feel free to google these things so you can learn more about what these programs really are, how they work and how dangerous they really are. Or google RANSOMWARE. I am hopeful that one day soon they will catch these evil people, or the good guys will come up with a solution. Some of these people have actually stopped and released their CODES so people could actually retrieve their data, but every situation is different and no one can say for sure if decryption will ever happen. I know there are a lot of people out there like me who have been victimized by these evil people, and I want them to know that I feel their pain. I want to see these evil bad people in court. I want them to know that they have HURT PEOPLE and I want to see them go away for the rest of their lives.
I want to thank Roxy Lopez again for her courage in taking on this global issue, and I thank her again for her time. Hopefully together we can get this very serious issue into a greater light and maybe the bad guys will have fewer places to hide.

Scott Matthew Smith

Cihan Erdem said...

Has anyone decrypted his/her files infected by CTB-Locker? However, the extension of my files is ".vaegran". Thanks in advance.