
Tuesday, May 12, 2015

How to Remove Bit Cryptor Virus and Restore Encrypted Files

Bit Cryptor or BitCryptor is a file-encrypting ransom virus (ransomware) that encrypts your files using the AES-256 encryption algorithm, so they are not accessible or repairable without the unique encryption key. In order to get the key and decrypt your files you need to pay a ransom of 1 bitcoin, which is currently about $240. It targets all versions of Windows. Files stored on Network-Attached Storage (NAS) and on other computers on the same network can be encrypted as well. Just like any other ransomware, it scans your computer for data files and then encrypts them silently in the background. Most users probably won't even notice anything suspicious. Once the ransom virus has encrypted your files, it displays a Bit Cryptor program window that contains instructions on how to get your files back. As you can see, it has a countdown clock, and the ransom cost will apparently increase if you don't pay on time. Each victim has a unique bitcoin payment address. The cyber criminals allow you to decrypt one file for free.

You know as well as I do that as we all spend increasingly large portions of our waking lives working, playing, shopping and browsing online, the risk of contracting a computer virus or being infected by ransomware grows accordingly. There is big money to be made in the cyber crime industry, and malicious programmers are creating online attacks that are now more sophisticated than ever before. It's like watching a dog chase its tail, watching antiviruses and malicious software play this endless game of outsmarting each other with their creations. But where does that leave us – the people who rely on the internet to earn money, relax or simply keep our busy lives in order? Well, where we're left is in the position of now having to be increasingly alert if we want to defend ourselves from becoming yet another faceless victim in the online war.

But the issue is that because the two sides of good and evil are constantly battling to stay one step ahead of each other, ransomware is constantly reinventing itself and finding new ways to cause havoc on our PCs or extort our hard-earned cash from us. Bit Cryptor is a good example of how cyber criminals constantly improve their malware, making it more sophisticated and dangerous. This particular variant, unlike most ransomware, blocks Task Manager and other programs that could be used to disable it. As a result, it might be difficult to run anti-malware software and remove the ransom virus. Bclock.exe is the main process of this ransomware. It's usually located in the C:\Users\[YourUserName]\AppData\Roaming\Microsoft\Windows\ folder. So, in case you can't open anti-malware programs or Windows tools, try to remove or at least disable the bclock.exe program first. If you can't do this using Task Manager, try Process Explorer. There's also a filelist.locklst file which contains a list of all the encrypted files. Don't delete it. It's not dangerous, and besides, you may still need it.

Here's what the BitCryptor "Your files have been encrypted" wallpaper, stored in %Temp%\wallpaper.jpg, looks like:

What is ransomware?

Ransomware is, to put it frankly, a nightmare. Yes, Bit Cryptor is a nightmare too. Not only does it try and con you out of money, it also causes major issues on your computer, and it can cause you very real stress and upset too. It certainly is something that is worth taking the time to learn a little more about. Ransomware seems to come and go so read on and make sure that the next time it's doing the rounds you stand the best possible chance of not falling victim to it.

You're probably already one step ahead at this point and have guessed that ransomware is a type of malware that operates by holding you hostage. Actually, it holds your files, data, programs or operating system to ransom, but when your life is stored on your computer it may as well be you! In a nutshell, ransomware will kidnap, or lock, your computer and hold it hostage until you pay a release fee. Bit Cryptor also displays a ransom note in a text file, not just in the Bit Cryptor decryptor window:

Your personal documents and files on this computer have just been encrypted.
The original files have been deleted and will only be recovered by following the steps described below.
Click on "Show encrypted files" to see a list of files that got encrypted.

The encryption was done with a unique generated encryption key (using AES-256).
This means that encrypted files are of no use until they get decrypted using a key stored on a server.

This server will only release the key if the amount of Bitcoins (displayed left of this window) is send to the Bitcoin address shown on the left of this window.

Each time the timer expires, the total cost will raise with the starting price.


How does Bit Cryptor infect you?

Like most types of malware, Bit Cryptor will infect you through a program, file or app that you have downloaded. Some ransomware attacks websites, infecting them and then you the visitor by default. Other ransomware is hidden in an attachment sent in a spam email or instant chat application. Finally, you may even be unlucky enough to be the victim of something called a 'drive-by installation' which is when you've stumbled across a website that has been infected by the malicious software.

What to do when this ransomware attacks?

Don't panic. And DON'T pay the ransom. Instead, follow the removal guide below on how to salvage your data and clean your computer ASAP. There are a few tools that can help you to restore at least some of your files without paying a ransom. Even though there's no guarantee that these tools will help you, there's also no reason not to try them out. Who knows, maybe you will be the lucky one. Good luck and be safe online!

Written by Michael Kaur,

Step 1: Removing Bit Cryptor and related malware:

Before restoring your files from shadow copies, make sure Bit Cryptor virus is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

IMPORTANT! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. Also, try to disable bclock.exe using Process Explorer.

2. Then, download ESET Online Scanner and run a second scan to make sure there are no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by Bit Cryptor crypto virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
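Before starting the scans in Step 1 and the Shadow Explorer method above, it helps to know whether bclock.exe is still running and whether any shadow copies survived at all. The following PowerShell triage script is an added example, not part of the original post; it assumes the bclock.exe location given in the article and that it is run, elevated, from the infected user's account (otherwise $env:APPDATA points at the wrong profile).

```powershell
# Added triage script (not from the original post). Assumes bclock.exe lives
# under %AppData%\Microsoft\Windows\ as the article states. Run elevated,
# from the infected user's account.

$suspectName = 'bclock'
$suspectDir  = Join-Path $env:APPDATA 'Microsoft\Windows'

# 1. Find and stop the ransomware process before restoring anything.
#    Match on both the process name and the image path from the article,
#    so an unrelated process that merely shares the name is not killed.
$procs = @(Get-Process -Name $suspectName -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path.StartsWith($suspectDir, 'OrdinalIgnoreCase') })
foreach ($p in $procs) {
    Write-Host "Stopping $($p.Path) (PID $($p.Id))"
    Stop-Process -Id $p.Id -Force
}
if ($procs.Count -eq 0) { Write-Host "No $suspectName.exe running from $suspectDir" }

# 2. Do not delete anything yet: leave bclock.exe for the scanner and keep
#    filelist.locklst (the list of encrypted files). Just record what is there.
Get-ChildItem -Path $suspectDir -Include 'bclock.exe', 'filelist.locklst' -Recurse `
    -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 3. Check whether any Volume Shadow Copies survive. An empty list means
#    Method 3 (Shadow Explorer) cannot help and you should move on to
#    file-recovery tools or a backup.
$volumes = Get-CimInstance -ClassName Win32_Volume
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
if ($shadows.Count -gt 0) {
    $shadows | ForEach-Object {
        $shadow = $_
        $vol = $volumes | Where-Object { $_.DeviceID -eq $shadow.VolumeName }
        [pscustomobject]@{
            Drive   = $vol.DriveLetter
            Created = $shadow.InstallDate
            Id      = $shadow.ID
        }
    } | Sort-Object Drive, Created | Format-Table -AutoSize
} else {
    Write-Host 'No shadow copies found; the ransomware has probably deleted them.'
}
```

If the shadow copy list shows only dates on or after the infection, the snapshots will already contain encrypted files and only an older snapshot, a backup or a file-recovery tool can help.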


Anonymous said...

Hello Michael,

I tried the way you suggested, but in the Shadow Explorer there is only the date when my PC was infected.
So no chance to get an older version without encrypted files. It is really a nightmare - all documents and, what is very sad, all photos are encrypted.
I would pay the money to get the key, but I have not the page where the amount is shown.
Please could you help me?
Sascha from Germany

Admin said...

Hello Sascha,

The problem is that even if you pay the ransom there's no guarantee that they will give you the decryption key. Very often, people not only lose their files but also money. I would back up all the encrypted files on another storage media, and leave them until a free decryption method is found, one day. BitCryptor is basically a new variant of CoinVault. Kaspersky found private keys of CoinVault, so let's hope this will happen with BitCryptor as well.

As for Shadow Explorer, the virus probably deleted all the shadow copies from your computer. That's why you can't find any with Shadow Explorer.

Another option would be a data recovery program like Recuva. There are more programs to choose from, but this one is free. Also, you can recover lost or deleted files from previous versions using Windows. Just Google how to recover lost or deleted files from previous versions. And finally, you can find a local data recovery professional and take your hard disk drive there. Even if the file is encrypted or deleted, certain information is still left and can be recovered with professional software.

I hope this helps.

Admin said...

@Sascha, I forgot to mention another great files recovery tool PhotoRec by CGSecurity. It's free and has lots of positive reviews.

sai kalyan said...

What if we change the OS?
Still we need to decrypt the files?

Admin said...

@sai kalyan, changing the OS won't help you because your files will still be encrypted.

Gaurav said...

Hello Admin,

I have removed Bit Cryptor Virus but am unable to decrypt my files, but I have some copies of original files. Can I use them to decrypt files through their comparison? Pls try to resolve my problem.


Admin said...

Hi Gaurav,

There are still no tools available for decryption. If you have copies of the original files then you shouldn't look any further and use them, unless you're talking about shortcuts to the original files, then the answer is no - you can't use them to get the original files back. Use Shadow Explorer if you haven't yet, or try Recuva.