Windows 10: Encryption of personal files with CTB-Locker

https://www.pcrisk.com/removal-guide...ncrypted-virus

So my friend has this problem and i would like to give him good advice.

Anyone here that had this problem before?

My friend is on Windows 10.

Thanks

jeff

:)

 

CTB Unlocker

Please look up at Windows Defender's History tab for detection and action taken for this threat.



CTB-Locker ransom note

A repository of all current knowledge regarding the CTB-Locker
(aka
Critroni - Microsoft detection) Ransomware is provided in this

CTB Locker and Critroni Ransomware Information Guide and FAQ (courtesy of bleepingcomputer.com).

Reading that Guide will help you understand what CTB-Locker does, and provide information for how to deal with it.

Also see:

-
New CTB Locker campaign underway increased ransom timer and localization changes

-
CTB-Locker Ransomware Support and Help Topic

A list of some related threads on our Community is found
here.

Windows Defender on Windows 10 might have detected and removed the main infection, but was/is unable to recover your files (no RTP program can do at this time).

Unfortunately, there is no 'free' decryption tool available 'at this time (situation described in BC's Information Guide above has not changed)', and since there is no known way to retrieve the private key that can be used to decrypt your files without paying
the ransom (NOT recommended!), the only realistic way you can restore your data is from a previous external backup. If you have been performing regular backups, then
you should use your backups to restore your data.

As with most ransomware infections, the best solution for dealing with encrypted data is to
restore from backups. Please note that CTB-Locker shall delete your Shadow Volume Copies so that you cannot restore your files via System Restore or using a program like

Shadow Explorer... but it never hurts to try, so as to check in case the ransomware failed to do everything it's supposed to do.

While Restoring from backups may be your only choice
at this point, unless you get lucky with recovery software such as
Recuva, R-Studio, or

PhotoRec - always at least worth a try... please note that the encrypted files themselves aren't a threat, since they do not hold the malicious encrypting executable in them. They are just encrypted.

So if you have unsuccessfully tried recovery software mentioned above to restore your files, or couldn't recover them all from a recent - prior to infection - external backup (as it's the

first and best method to restore your data), or if there wasn't any at all; it is always recommended to
backup the encrypted files and save them on an external storage media (like an external HDD)
'as-they-are' and leave them be in hopes of a solution in the future (if one is ever found).

If there are any break-throughs, and/or when/if a solution is discovered, be assured that information will be provided in this related
support topic (and you shall receive a notification if subscribed
to it) and/or a new news article be published at BC's news section.

Regret we can not be of much help this time, and appreciate your taking the time to report this instance and for any future feedback you may wish to share with us about your not-so-nice experience with this nasty one. Please keep us posted. Your participation
is important to our Community.

Best Wishes!

=========

-Tip: Please AVOID searching the Web for malware removal and decrypting tools for this (or any other) crypto-malware infection. You will only find 'scammers' and 'untrustworthy sites' offering 'fake
or dubious' tools that will only grant you an additional headache (or worse).

Please see:
Affiliate Spam is not only Annoying but can offer Costly Advice

=========================================================

You can also help spread the word so that others may contribute to:

Help BleepingComputer Defend Freedom of Speech!

=========================================================

 

CTB Unlocker

How much do they want?

Start here:

• CTB Locker and Critroni Ransomware Information Guide and FAQ
  
  CTB-Locker and Critroni Ransomware Information Guide and FAQ
  

 

Looks like your link is good advice. Remove the virus and restore your files from backup. If you haven't any backup you have to decide whether to risk paying the ransom or not as you can't decrypt the files. I wouldn't pay for sure.

 

Well Halasz,

He did take B-U's on another computer which is infected too.......

He also bought already another drive where everything has to be put on again, except his photo's of his children, which are gone.

Does not want to take the risk, that even formatting the drive would not erase everything.

Even System Restore did not work.

Jeff

 

That is really unfortunate. System restore wouldn't work, no - restore points only hold OS data - not backups of personal files. I'm afraid that there isn't really a solution. You wouldn't want your name on their list of people who pay ransoms I don't think.

 

Well Halasz,

i have enough back-ups taken everyday to avoid that.

But my friend did only take one....

It was a long shot to ask it , since he already had taken his pc to a store and they could not help him either.

But thanks

Jeff

 

Hi.
Here are instructions for removing CTB Locker.

Please be absolutely sure this is what you have, and not some other encryption software, because some of them have been cracked, and people have been able to get their files back without paying.

I would not pay any ransom. There is a good chance that you will just lose the money.

Please have your friend backup his encrypted files/photos to a spare drive and store it away, in case something breaks in the future. Find the threads at BleepingComputer which address his particular infection, read them thoroughly, and subscribe to them for future updates.

Install CryptoPrevent to help thwart these encryption infections in the future, in addition to your normal anti-virus.

 

It appears that when CTB Locker encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you can may be able to use a file recovery software such as R-Studio or Photorec to recover some of your original files. It is important to note that the more you use your computer after the files are encrypted the more difficult it will be for file recovery programs to recover the deleted un-encrypted files.

 

Thanks Simrick,

yes i told him to use an external USB drive AND a USB-stick. He can plug in the stick, take the B-U, remove the stick.

So then he has 2 B-U's. He can let the B-U program run, to put his photo's and so one on the server he has. This as an extra.

No he is not going to pay and he showed me the problem.
It is the CBT Locker.


They should put them in jail for that.

Jeff

 

Hi Jeff,
Did you see the info in my post #7 above? He may be able to run a file recovery program to get some of his deleted files back. It's worth a shot.

Yeah, these rats should be in jail! *Mad

 

Not that it helps now, but in the future consider making a system image on a regular basis & keep it on an external drive that is not always connected to the PC/Laptop. Locker viruses are widespread now & the a system image is a good safeguard. Keep 3 or 4 prior backups in case you inadvertently make one with a virus.

System Image - Create in Windows 10 - Windows 10 Forums

Even if you do pay the ransom, there is no guarantee you will get the decryption key.

 

I did not offer him, because i do not think he still uses that drive, but i inform him and then it is his choice.

He told me that the drive would no longer be used, because he fears that not everything will be removed and then ....you know....


Jeff

 

If you change your local group policy to not run programs from %localapppdata% you'll stop the current batch. Perhaps.