CryptoLocker Ransomware

This page describes the CryptoLocker ransomware and gives removal procedures. Follow the guide carefully to delete the malware. Removing it does not decrypt your files, but the "Previous Versions" feature of Windows may let you recover earlier copies of them from the PC.

CryptoLocker is ransomware that encrypts files on the infected computer. It usually arrives through another infection: a trojan or other malware already on the machine, or one that probes the target for known weaknesses, is used as the channel to drop CryptoLocker on the system. On execution it writes its files to a system folder and adds a registry entry so that it runs at every Windows boot.

While running, CryptoLocker keeps reminding the user that their files are locked. It demands payment for the decryption key: 100 US dollars or 100 euros, depending on the victim's location. It also tries to scare users by stating that any attempt to remove the malware will lead to immediate destruction of the private key, so the files would remain encrypted forever.

In the message, CryptoLocker states the following:

“Your personal files are encrypted!
Your important files encryption produced on this computer: photos, videos, document, etc. Here is a complete list of encrypted files, and you can personally verify this…
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100EUR / similar amount in another currency.”

Here is the scary part:

“Any attempt to remove or damage this software will lead to immediate destruction of the private key server.”

Paying the ransom for malware like CryptoLocker funds online fraud. We strongly encourage users not to pay for the private key. Copy the encrypted files to a separate hard drive so they are preserved, and test any legitimate decryption tool that becomes available on those copies, never on the only copy you have.

[Screenshot: CryptoLocker ransom screen]

Updates:

September 15, 2013: Ransom goes up from $100 to $300

A new version of CryptoLocker demands a ransom of $300, triple the price of the previous version. The attackers are now extracting the full value of the ransomware: they know that victims can see there is no way out other than paying. Even Microsoft, which detects this threat as Trojan:Win32/Crilock.A, notes that a complex encryption method is used.

Nov 09, 2013: Re-infecting and recovering files
The attackers behind CryptoLocker have now devised a way for victims to obtain the private key even after the malware has been deleted and the registry keys it needs have been erased by an antivirus program. The CryptoLocker Decryption Service was launched on November 1, after a number of users decided to re-infect their computers in order to buy the $300 private key.

With the CryptoLocker Decryption Service you upload one encrypted file, and the server searches for the matching key pair. Once it is found, you can order and pay for the private key required to recover the encrypted files. Be aware that this service costs 10 Bitcoins, roughly $2,120 at the current rate.

[Screenshot: CryptoLocker Decryption Service order page]

Ways to recover files encrypted by CryptoLocker

Below are procedures for removing CryptoLocker from the computer. Since the private key, which only the attackers hold, is needed to decrypt the files, it is impossible to recover affected files at this point. We hope to find a workaround in the following days; for the meantime, we will make the most of what we have on hand.

If your PC is running Windows Vista or Windows 7, there is a feature called 'Previous Versions'. It only works if a restore point was saved before the CryptoLocker infection or System Protection (which keeps Volume Shadow Copies) was enabled on the computer. If it was, use Previous Versions to recover files without paying for the private key.
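Recovering a file through the same Volume Shadow Copy snapshots that 'Previous Versions' reads, as an added example that is not code from the original article. It assumes the encrypted document's path, the time the infection began and the D:\recovered destination; run it from an elevated PowerShell prompt on the infected machine (Windows Vista/7 or later, PowerShell 2.0 or later).

```powershell
# Added example, not from the original article. Assumed values: the file path,
# the infection time and the D:\recovered destination. Run elevated.

$File          = 'C:\Users\victim\Documents\report.docx'   # assumed: one encrypted document
$InfectionTime = [datetime]'2013-10-15 09:00'              # assumed: when encryption started
$RestoreDir    = 'D:\recovered'                            # separate drive, never the original path
$LinkPath      = 'C:\shadow_link'                          # temporary junction into a snapshot

function Get-Sha256Hex([string]$Path) {
    # Hash a file without Get-FileHash, which the Windows 7 PowerShell lacks.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$relative = $File.Substring(3)     # drop "C:\": the path inside the volume
New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
$encryptedHash = Get-Sha256Hex $File

# The snapshots "Previous Versions" reads, newest first.
$shadows = Get-WmiObject -Class Win32_ShadowCopy |
    Sort-Object { $_.ConvertToDateTime($_.InstallDate) } -Descending
if (-not $shadows) { Write-Warning 'No shadow copies exist; this recovery route is closed.'; return }

foreach ($s in $shadows) {
    $taken = $s.ConvertToDateTime($s.InstallDate)
    if ($taken -ge $InfectionTime) { continue }   # snapshot may already hold encrypted data

    # \\?\GLOBALROOT paths cannot be opened by Copy-Item, so expose the snapshot
    # as a directory junction (the trailing backslash is required).
    cmd /c mklink /d $LinkPath "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $LinkPath $relative
        if (Test-Path -LiteralPath $candidate) {
            $out = Join-Path $RestoreDir (Split-Path $File -Leaf)
            Copy-Item -LiteralPath $candidate -Destination $out -Force
            if ((Get-Sha256Hex $out) -ne $encryptedHash) {
                "Recovered $File from snapshot taken $taken -> $out"
                break
            }
            Remove-Item $out   # identical to the encrypted copy: snapshot is too recent
        }
    } finally {
        cmd /c rmdir $LinkPath | Out-Null   # removes the junction, not the snapshot
    }
}
```

The hash comparison is the check that matters: a snapshot taken after encryption began will hand back the same encrypted bytes, so the script keeps walking back in time until it finds a version that differs. If Get-WmiObject returns nothing, no snapshot exists and neither this script, ShadowExplorer nor the Previous Versions tab can help.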

CryptoLocker Removal Procedures

This section presents systematic procedures to get rid of the threat. Make sure to scan the computer with the suggested tools and scanners.

Step 1 : Reboot Windows Into Safe Mode With Networking.

First, reboot the computer into Safe Mode with Networking so that CryptoLocker does not load at start-up.

NOTE: You will need to PRINT or BOOKMARK this procedure, as we have to restart the computer during the removal process.

1 Remove all media such as memory cards, CDs, DVDs and USB devices. Then restart the computer.

2 Boot the Windows computer into Safe Mode with Networking.

Instructions for Windows XP, Windows Vista, and Windows 7 systems
a) Before Windows begins to load, press F8 on your keyboard.
b) The Advanced Boot Options menu is displayed. Select Safe Mode with Networking.

Procedures for Windows 8 and Windows 10
a) Before Windows begins to load, press Shift and F8 on your keyboard. (With fast boot this key combination is easy to miss; if Windows boots normally instead, hold Shift while clicking Restart on the sign-in or Start screen to reach the same recovery interface.)
b) On the recovery interface, click 'See advanced repair options'.
c) Next, click Troubleshoot.
d) Then select Advanced options from the list.
e) Lastly, choose Windows Startup Settings and click Restart. When Windows restarts, you will be taken to the familiar Advanced Boot Options screen.
f) Select Safe Mode with Networking from the menu.

[Screenshot: Advanced Boot Options menu with Safe Mode with Networking selected]
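The F8 and Shift+F8 timing in step 2 is hard to hit on machines with fast boot. As an added example that is not from the original article, the following PowerShell sets the boot configuration so the next restart lands in Safe Mode with Networking regardless of timing, and clears the flag afterwards. It uses only the stock bcdedit tool and must run from an elevated prompt.

```powershell
# Added example, not from the original article. Requires an elevated prompt.

function Enable-SafeModeNetworking {
    # Set the safeboot flag on the currently running OS entry. The braces must
    # be quoted in PowerShell, otherwise {current} is parsed as a script block.
    bcdedit /set '{current}' safeboot network | Out-Null
    # Confirm the flag took before asking for a reboot.
    if (-not (bcdedit /enum '{current}' | Select-String -Pattern 'safeboot\s+Network')) {
        throw 'bcdedit did not apply the safeboot flag; is this prompt elevated?'
    }
    'Next boot will be Safe Mode with Networking. Restart with: shutdown /r /t 0'
}

function Disable-SafeModeNetworking {
    # Remove the flag once cleaning is done; until then every boot is Safe Mode.
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    'Safe boot flag cleared; the next restart will boot normally.'
}

Enable-SafeModeNetworking
# ... reboot, run steps 3-11 below, then:
# Disable-SafeModeNetworking
```

Unlike the F8 route, the flag persists: if you forget Disable-SafeModeNetworking the machine keeps booting into Safe Mode, which is also a quick way to tell the two situations apart when a user reports "Windows looks wrong" after cleaning.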

Step 2 : Detect and Remove CryptoLocker with Anti-malware Tool

3 Once the computer boots into Safe Mode with Networking, download the removal tool and save it to your Desktop or any location on your PC.

[Download link: removal tool (mbam-setup.exe)]

4 When the download finishes, locate and double-click the file to install the application. Windows User Account Control will prompt at this point; click Yes to continue installing the program.

5 Follow the prompts and install with default configuration.

6 Before the installation completes, make sure the options to launch the software and update it are checked.

7 Click Finish. The program will run automatically and prompt you to update it before scanning. Download the update.

8 When the update finishes, the tool will run. Select Perform full scan on the main screen to check your computer thoroughly.

9 Scanning may take a while. When it is done, click Show Results.

10 Make sure that all detected threats are checked and click Remove Selected. This deletes the files and registry entries that belong to CryptoLocker.

11 Finally, restart your computer.

Note: If CryptoLocker prevents mbam-setup.exe from downloading, download it on another computer and copy it over. Renaming the installer to something like 'anything.exe' can help evade the malware.

Step 3 : Additional Anti-virus and Anti-rootkit Scans

Ensure that no files of CryptoLocker are left on the computer.

12 Click the button below to download Norton Power Eraser from the official website. Save it to your desktop or any location of your choice.

[Download link: Norton Power Eraser]

13 Once the file is downloaded, navigate to its location and double-click the icon (NPE.exe) to launch the program.

14 Norton Power Eraser will run. If it prompts for the End User License Agreement, click Accept.

15 On the NPE main window, click Advanced. We will attempt to remove CryptoLocker components without restarting the computer.

[Screenshot: NPE Advanced scan option]

16 On the next window, select System Scan and click Scan now to perform a standard scan of your computer.

[Screenshot: NPE System Scan]

17 NPE will proceed with the scan, searching for trojans, viruses and malware like CryptoLocker. This may take some time, depending on the number of files stored on the computer.

18 When the scan is complete, all detected risks are listed. Remove them and restart Windows if necessary.

Alternative Removal Procedure for CryptoLocker

Use Windows System Restore to return Windows to previous state

During an infection, CryptoLocker drops various files and registry entries, and it hides files by changing settings in the registry. Given these changes, the best way to return Windows to a previous working state is System Restore. Note that System Restore reverts system files, installed programs and registry settings; it does not restore your documents, so files that CryptoLocker encrypted stay encrypted.

To check whether System Restore is active on your computer, follow the instructions below to open the feature.

Access System Restore on Windows XP, Windows Vista, and Windows 7

a) Open the Start menu and type rstrui in the 'Run' or 'Search programs and files' field.
b) Press Enter to open System Restore.

[Screenshot: running rstrui on Windows 7]

Open System Restore on Windows 8 and Windows 10

a) Move the mouse cursor to the lower-left corner of the screen and wait for the Start icon to appear.
b) Right-click the icon and select Run from the list. This opens a Run dialog box.
c) Type rstrui in the 'Open' field and click OK.

[Screenshot: running rstrui on Windows 8]

If a restore point from before the infection exists, proceed with Windows System Restore.
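Checking the same thing from the command line, as an added example that is not from the original article: list the restore points, find the newest one created before the infection, and roll back to it if you choose. The infection time is an assumption; Get-ComputerRestorePoint and Restore-Computer are stock cmdlets on Windows client editions (Vista and later) and must run from an elevated prompt.

```powershell
# Added example, not from the original article. $InfectionTime is assumed.
# Client editions of Windows only; run elevated.

$InfectionTime = [datetime]'2013-10-15 09:00'   # assumed: when the ransom screen first appeared

# CreationTime comes back as a WMI date string, so convert it before sorting.
$points = Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Sort-Object Created

if (-not $points) {
    Write-Warning 'No restore points exist; System Protection is probably turned off.'
    return
}
$points | Format-Table -AutoSize

$usable = $points | Where-Object { $_.Created -lt $InfectionTime } | Select-Object -Last 1
if ($usable) {
    "Newest restore point before the infection: #$($usable.SequenceNumber) ($($usable.Created))"
    # Restore-Computer reverts system files, programs and the registry, which removes
    # CryptoLocker's start-up entry. It does NOT touch user documents, so encrypted
    # files remain encrypted; use Previous Versions or backups for those.
    # Restore-Computer -RestorePoint $usable.SequenceNumber -Confirm
} else {
    Write-Warning 'Every restore point was created after the infection; restoring would not help.'
}
```

Leave the Restore-Computer line commented until you have preserved the encrypted files and the CryptoLocker registry key elsewhere: the rollback is what removes the malware's own files, and with them any chance of paying or re-infecting later if you decide to.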

FAQs

Is CryptoLocker Dangerous?

Yes. CryptoLocker encrypts your documents, photos and other personal files, and without the attackers' private key or a clean backup they cannot be recovered. Any slowdown of the computer is the least of the damage.

Can I Remove CryptoLocker from my Computer?

Yes. CryptoLocker itself can be removed with the antivirus software and scanners recommended above, but removal does not decrypt the files it has already encrypted.

How Easy is it to Remove CryptoLocker Virus?

Nearly all antivirus scanners and removal tools, paid or free, will remove the CryptoLocker malware itself. Recovering the encrypted files is the hard part.

Once I remove CryptoLocker do I still need antivirus?

Yes. New malware such as CryptoLocker is created every day. Keep antivirus software up to date, and keep backups that are not permanently connected to the computer; backups are the only reliable way to get files back after ransomware.


About Marco Mathew

Marco Mathew worked as a Windows network administrator before establishing precisesecurity.com. He now works full-time helping computer users fight viruses, malware, trojans, worms, adware and potentially unwanted programs.

55 Comments

  1. mikered

    CryptoLocker sounds like a new virus. Have you tried using the te94decrypt tool? Decrypting with it is very simple.

    Just download ftp://ftp.drweb.com/pub/drweb/tools/te94decrypt.exe. Create a test folder and save the file in that location.

    Then copy some of the files that are encrypted by CryptoLocker to the test folder. These will serve as your test files.

    Go to Start, Run, and type CMD in the dialog box. Go to the C:\ root by typing 'CD\'. Then type 'CD test' to go to the test folder.

    Substitute the drive or folder if you saved te94decrypt and the infected files in another location.

    Now run the program with the parameter -k 85. You should type 'te94decrypt.exe -k 85'.

    If that doesn't work, run it with another parameter such as '-k 87', '-k 88' or '-k 90'.

    Lastly, if the above procedure is not helpful, you may ask Dr. Web for assistance by submitting the sample files to https://vms.drweb.com/sendvirus/?lng=en.

    Note: the te94decrypt tool is only for .exe files. It will not work on .RAR files.

  2. Jodie

    @mikered, I downloaded and followed your instructions, but it wouldn't scan the test folder I had created, and I was running the program from the test folder. There didn't seem to be anywhere to specify which directory to scan either. All the files that have corruption/encryption seem to be .doc, .docx, .xlsx and a few .jpgs. (So I take it from your comment "Note: te94decrypt tool is only for .exe file. It will not work on .RAR files" that the above files aren't going to be found with it anyway.)

    No one has really given a solution for recovering the data; they have only given solutions for getting rid of the virus, which isn't all that helpful once the damage has already been done.

  3. MLopez

    Please, someone help me! I have 8 critical work Excel and Word files that I need to decrypt. I will be very grateful for any help.

  4. InTheWeeds

    Very much in the weeds here too. Anybody have anything that is working?

  5. Josh

    Evening all,

    I work for an IT department that was targeted and successfully attacked by this virus. We tried everything to restore data after we removed the virus. But in the end we paid the $100, and currently I am logged into the infected computer watching tens of thousands of files decrypt before my eyes. I have spoken to some other IT specialists, and we all agree that this is the first legit ransom virus, where the hacker does what he says and runs the program to give you back exactly what you paid for. Any questions?

  6. Josh

    Oh... he's running RSA-2058, so Google that before you think your free decryption tools will work. It is what it is.

  7. Judy

    I have a question, Josh:
    How did you pay and get the decryption going after you removed the virus? Since it is gone, I no longer have the screen, etc.

  8. llessur

    Hi, I would like to help you guys. Can someone here send an encrypted file to my email? llessur1972 @ yahoo . com.

  9. wmporter

    Just had a customer get bitten by this. I have found a CryptoLocker registry entry that has a list of all the files that have been encrypted, and there is also a public key entry. Anyone know if this can be used to unlock these files?

  10. Jason Neal

    Where is the registry key located that shows the files locked? This bug completely locked up my company's Share directory and My Documents.

  11. MLopez

    Josh: I DID pay the ransom. A message appeared that I needed to wait up to 48 hours, but suddenly the window disappeared and nothing else happened. I was ripped off for my 100 bucks and left with a bunch of encrypted files and a huge problem to solve...

  12. JOSH

    Judy,

    We removed the virus via ESET NOD32 on our servers and all workstations at our office... Once we located the 'problem' computer, the pop-up was there... I'm not sure how to fix your issue... Maybe your countdown ran out of time. It gave you 60 hours.

  13. JOSH

    If anyone has critical problems and is in dire need (like we were), you can send me a few files and I will run them on our quarantined computer that is still running the decryption program we paid for. I am going to space out my email address and phone number so the website doesn't delete my post. 7 7 0 3 66 46 8 4
    er vin joshua m @ g mai l . co m

    You can text me and I will get back to you when I'm done with work today, or send me an email and I will also help when I can.

    Thanks,

  14. JOSH

    In the end, though, I would suggest paying the perp with a Green Dot MoneyPak prepaid card from Walgreens or CVS and letting the program do its thing... It started working at 7:15 PM EST and ended at 4:45 this morning... Long night we had, but 100% of our files were decrypted and restored.

  15. JOSH

    MLopez, I saw your previous post. 8 files would take 25 seconds to decrypt... Send them to me and I will return them restored. Of course for free... I don't want anything from any of you guys except to help the next person when you are ever able.

  16. Jesse

    I do not suggest anyone pay the ransom; it looks like there will be a decryption tool in a few days.

  17. Narls

    Josh, once you decrypt one file, do you get the key or method to decrypt all files? It sounds like quite a bit of the internet is trying to resolve this, and hopefully someone gets a tool out soon.

  18. John

    Hi Josh,
    I have a good customer who opened an e-mail thinking it was from Companies House... and that was it. All his Excel and Word files are encrypted and, believe it or not, he is a small business with no backup. I removed the ransomware but am now left with the task of the encrypted files. He has told me he is willing to pay the ransom to get his files back, but I think this is a no-go as the programme is removed, and I feel like I should have just paid straight away.
    Hope you can help.

    John.

  19. jc

    Does anyone have the link to where to go to pay the ransom?

  20. Jesse

    Josh is not real, and this virus is something that can be fixed.

  21. Josh

    Jesse,
    What means did you use to resolve this? Or what path? Nothing we have tried has worked.

  22. Glenn

    Jesse, we fixed the virus too, but were left with encrypted files. What did we do wrong?

  23. wmporter

    For the person asking for the registry entry: open regedit and do a key search on cryptolocker. You will find the entry that contains the list of encrypted files and their paths. It will also show an entry for "public key". I'm still looking for a way to apply the key to the affected files.
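A script version of this registry search, added here as an example and not the commenter's code: it finds keys whose name contains "CryptoLocker", exports each with reg.exe, and flattens every value into a text file so the encrypted-file list and the public-key value are preserved even after an antivirus scan deletes the key. The output folder is an assumption; the script does not assume the exact key path or value layout, only what the comment describes (a key named after the malware holding the file list and a public key). Run it in the infected user's session, since the key is described under the user hive.

```powershell
# Added example, not from the comment author. $OutDir is assumed; use a drive
# that is not the infected volume. Export BEFORE any cleaning tool runs.

$OutDir = 'D:\cryptolocker-evidence'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Search the user hive first (where the comment found it) and HKLM for completeness.
$hits = foreach ($hive in 'HKCU:\Software', 'HKLM:\Software') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match 'CryptoLocker' }
}
if (-not $hits) { Write-Warning 'No key with "CryptoLocker" in its name was found; it may already be deleted.'; return }

foreach ($key in $hits) {
    $native = $key.Name                                   # e.g. HKEY_CURRENT_USER\Software\...
    $stem   = Join-Path $OutDir ($native -replace '[\\:]', '_')

    # 1. Full export, so the key (public key included) survives cleaning or a rebuild.
    reg.exe export $native "$stem.reg" /y | Out-Null

    # 2. Flatten the key and all subkeys into "subkey<TAB>valueName<TAB>data" lines.
    #    Binary values (a public key may be stored that way) are written as hex.
    $tree = @($key) + @(Get-ChildItem -Path $key.PSPath -Recurse -ErrorAction SilentlyContinue)
    $rows = foreach ($k in $tree) {
        foreach ($name in $k.GetValueNames()) {
            $data = $k.GetValue($name)
            if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
            "{0}`t{1}`t{2}" -f $k.PSChildName, $name, $data
        }
    }
    $rows | Set-Content -Path "$stem.txt"
    "$native : $($rows.Count) values written to $stem.txt and $stem.reg"
}
```

The text file is what you hand to whoever is assessing the damage (which shares were touched, how many files), and the .reg export is what you would need if a key-matching service or a decryption tool ever asks for the public key after the malware itself is gone.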

  24. Phogan

    Jesse, actually, from everything I've researched on this virus, it isn't the normal ransomware bluff. It isn't kidding when it says that it encrypts your files, and the encryption it uses is well above the common-grade, easy-to-break-for-free kind.

  25. Jesse

    You will still need a private key, I imagine, but it is the same public and private key for all infected machines. Hopefully in the next week it will be sorted out with a tool. Export the registry on infected machines if you are going to redo them.

  26. Glenn

    Jesse,

    Who do you think will come up with a tool?

  27. Dan

    So if the infection hits a file server, what can be done at this point? It hit my company on our Vice President's PC and infected her shared drive on our file server. This guy is a genius. I hope he gets caught.

  28. john

    Hi Jesse, do you have any advice on getting these files decrypted?
    I have spoken to many so-called data recovery/decrypter companies and they say it's not possible without the author's key.

  29. MIck

    I'm also looking for a decryption tool that will unlock my files, which have been locked by this virus. Any suggestions?

  30. Ken

    We are looking for the decryption tool as well. One of our clients has this infection and all of the files are encrypted.

  31. Josh

    Virus infected a client's machine. Most files encrypted. What's strange is that many files on a shared drive did not get encrypted because the user shut off their PC and disconnected from the network. I had thought after reading several posts that all the encryption occurred before the notification appeared.

    Our machine has been cleaned (System Restore, Malwarebytes), but the remnants of the virus (registry keys with file locations) are still on the box. Is there a way we might re-infect the PC safely so that we can pay the ransom and get the files decrypted? I know many are mentioning the servers on the Internet might be down... not sure if this is true or not, and I don't want to double-encrypt our files.

    Any advice welcome.

  32. Don

    I had the same situation on one of my client workstations. If you have Windows 7 or 8 and the business version or higher, you can hopefully exploit the Volume Shadow Copy service that runs by default on those PCs. Download the free utility ShadowExplorer at shadowexplorer.com and export your lost files from a timestamp that's before the encryption. This worked for me.

  33. Benjamin

    One of my clients got hit with this. Is there any tool to decrypt the files? I have read thousands of articles, but none seem to have an idea on how to decrypt the files.

    Regards

  34. Clara

    CAN SOMEONE PLEASE help me. I just need ONE file decrypted, that's all I care about. Please help me??

  35. Mward

    Don, this did not work for me. I notice that other than Clara, no one has posted any news on decrypting after the virus is removed. Any news, anyone?

  36. Andy

    The key that we are able to find in the registry entry is the public key, but we need the PRIVATE KEY as well, which only the author has... without it the public key is of no help.

  37. jimmyD

    Has anyone found a tool to decrypt your files once the virus is removed? Is reinfecting your PC the ultimate solution at this point, paying a ransom after all? I sure do need my files. Keep me in the loop.

  38. Tom

    Has anyone found a fix for this yet? I've had this happen to a client and need to find a way to fix this.

  39. Bobby

    I have the same thing on my computer, but I immediately ran my Windows update restore. Now I don't see that message, but how do I know whether my files are infected with CryptoLocker? My PDF and Excel files still won't open, but there is no change in their extension. Please help me.

  40. Srini Nedela

    This afternoon, one of our PCs was infected with the CryptoLocker malware. Yes, they are asking for $300. The PC user saved files (doc, xls, pdf) on the network. I am not able to open the files that are saved on the server. I am not sure if the server is fully infected or just the files.

    I did look at PhotoRec; it is more of a tool for restoring deleted files.

    I would like to pay $300, but I do see a lot of comments where the money was wasted and people were left WITHOUT any solution.

    Your help or comments are appreciated. Thanks.

  41. w.kakin

    Wow... my computer just got infected with this locking virus yesterday. The ransom displayed there was only 100; now it has increased to 300!!!

  42. Milky

    Hi

    Nigel H Crosby: did PhotoRec do a good job?
    We have the whole cloud infected ((. The virus is removed, but the files are all encrypted, so no idea now what to do. We are ready to pay, but the screen doesn't appear any more!
    Is there any account/email address to contact to pay this ransom??

  43. Nigel H Crosby

    OK, my post above: it does not work; the files are still damaged. I checked the file size and CryptoLocker adds to the file size, so a *.doc at 33.5Kb becomes 33.7Kb. I'm sending these files to Panda Support so they can have a look and see if there is any way of unlocking them, but I don't hold much hope. With an asymmetric or public key algorithm (PKA), a pair of keys is used. One of the keys, the private key, is kept secret and not shared with anyone. The other key, the public key, is not secret and can be shared with anyone. When data is encrypted by one of the keys, it can only be decrypted and recovered by using the other key. The two keys are mathematically related, but it is virtually impossible to derive the private key from the public key. The RSA algorithm is an example of a public key algorithm.

    Public key algorithms are slower than symmetric key algorithms. Applications typically use public key algorithms to encrypt symmetric keys (for key distribution) and to encrypt hashes (in digital signature generation). So, as you can see, this is no normal hacking. I found that they take a prime number, multiply it by another prime number, and that gives you the RSA key, and then I think it is reversed for the private key (that's a simple explanation), but these guys are far, far cleverer than me; so just install the backups.

    Sorry, I cannot help further; I will get back to you when I hear from Panda Support.

  44. PL

    We got popped with it today... I have entered a $300 MoneyPak code to get the files decrypted... praying it works... The infected machine is Windows 7 Pro (on a domain), but all important associated files on a mapped network drive to a 2003 server got encrypted, so the shadow copy recovery option on the infected machine is not an option. I am waiting for the "payments are processed manually, therefore, the expectation of activation may take up to 48 hours."
    Now... the suspense is that the Win7 machine has to be online with my server and the mapped drives with the encrypted files (which is not infected as of yet... it only has the encrypted files stored on it)!!! It is exposed to anything this trojan may be doing/getting/sending in the background until the decryption starts!!

  45. PL

    Files decryption... Your payment information is activated! Search and recovery of encrypted files! This software will be deleted after files decryption, make sure that all important files are decrypted!

    So... the decryption is verified to be working... should be done in a matter of about 30 minutes... THANK GOD! I will report this to the FBI, since they are apparently working the issue with these offenders! $300 lesson learned for me!

  46. shahrior

    Thanks for this nice article. I was able to remove the virus but could not decrypt the files.

  47. Mehul Mittal

    It's a request to the persons who have paid $300 or $100.

    Please track (trace) the transactions from your bank account to the VICTIM's account.

    Complain against them under cyber crime law.

  48. Chris

    You can't trace the transactions; you have to purchase bitcoins then pay through them, so there are NO transaction logs to trace.

  49. Bitterclink

    I have found a painful yet easy way to get back files.
    Open your Excel, Word and presentation files online in Google Drive and then save them again as MS Office files. I had only a few files on the desktop affected. It is easy, but for people who have thousands of files, it is excruciating.

  50. RoarinPenguin

    I have got a customer infected with this s**t and he paid 2 bitcoins to get rid of it.
    Decryption took more than 24 hours, but then I noticed the infection was still on the computer (but under another user of the Windows file server).
    I am using right now the Kaspersky solution described above to remove the ransomware, since I fear that it could restart again if you do not remove it from the server.
    I really wish someone will be able to capture these criminals and torture them for at least the hours they have asked of all the people infected.
    I'll let you know if this removal succeeds... cross your fingers and pray for me.
    Ciao
    RP

  51. Scott

    Hey BitterClink,

    Can you provide any more info on exactly what you did? I have tried this but can't get it to work.
    It tells me I am trying to load the wrong format type.
    I tried to convert when I imported to Google Drive, and I also tried leaving it unconverted.
    No luck.
    Thank you.

  52. Scott

    PS: the information at the top of this article is right now the WORST possible thing you could do. Removing the virus after it has encrypted files leaves you with encrypted files that can't be decrypted.

    There WILL NOT be a decryption tool; it is not possible.

    I am also interested in hearing from anyone who has successfully managed to reinfect a machine in order to get the ransom prompt again. This appears to be the best chance for those who have encrypted data and have already removed the virus.

  53. Ghost

    If you have Shadow Copy enabled on your PC, right-click the infected files/folder and click Restore previous versions.

    Then choose a time before the infection began.

    Backups are your only chance against this, or paying the ransom.

  54. EMC

    Got hit with this on Wednesday. Removed it and files are still encrypted. I would also like to know of anyone using System Restore to get reinfected and then paying the ransom to decrypt the files.
    Can someone share their experience?

  55. Hal

    The boss infected his computer Thursday afternoon and it had three days to percolate. Files on his box were not backed up. What I've done is rebuild his computer with a new drive. I then took the old drive and used Norton Ghost to clone it to another drive of the same make and size to examine. This way, the original drive is effectively untouched, with all the bad and infected files intact as they were. That way, if a solution to decrypting the files develops, I can save the files.

    Also, we run Windows Server 2008 R2 and the server's shared files got encrypted on it. Fortunately, I had backups, but for some reason if the encrypted files were simply overwritten, the encryption remained. I had to delete the infected files from the server, then recover my backup, and then the files worked once more. I do not know if this is due to how Server 2008 writes files or what, but after a day of frustration, this was what needed to be done in order to put the backup files onto the server.
