Remove CryptoLocker Virus

CryptoLocker is a virus, Trojan, or malware that attempts to extort money from computer users. This kind of computer infection is considered ransomware. However, it does not lock the computer and demand payment for an unlock code. Instead, CryptoLocker encrypts files on the infected computer and requires the user to obtain the private key needed for decryption. What also differentiates CryptoLocker from other ransom viruses is its time-based destruction of the key. Failure to pay for the private key within the specified time results in the key being destroyed on the server. Simply put, after that there is no way to unlock the affected files on the computer.

CryptoLocker message states the following:

“Your personal files are encrypted! 

Your important files encryption produces on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files, you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files…

To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USB / 100EUR / similar amount in another currency.
Click Next to select the method of payment and the currency.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.”

As you can see, the author of the CryptoLocker virus intends to collect money by locking files on the infected computer. Whether or not the content of the window is true, we do not encourage paying for the private key to resolve the issue. First, remove CryptoLocker from the computer. Then, decrypt the files with valid tools.

Other Detections:

Different anti-virus and anti-malware programs may name this threat according to their patterns. Here are some detection names: Trojan.Cryptolocker.F

Back up your files

One important step before proceeding with the procedures below is to back up your files. Not all ransomware is the same. Each has its own set of payloads aside from encrypting files with a complex method. Some delete the infected files after a certain period, while others keep them concealed in hidden places. In addition, ransomware decryption tools are not guaranteed to be perfect; there are instances where files are damaged during the decryption process.

So, create a backup copy of all your CryptoLocker-encrypted files right now.
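
One way to make that backup and confirm every copy is intact before any decryption tool touches the originals. This is an added PowerShell example, not part of the original guide; the two paths are placeholders to replace with your own.

```powershell
# Added example: copy a folder of encrypted files to backup media and verify each copy.
# Both paths are placeholders (assumptions); point them at your own folders.
$Source      = 'C:\Users\Public\Documents'   # folder holding the encrypted files
$Destination = 'E:\CryptoLockerBackup'       # external drive, attached only for this copy

function Backup-EncryptedFiles {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Destination
    )

    # Plain file-system path without a trailing backslash, so relative paths can be cut from it.
    $sourceRoot = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')
    [System.IO.Directory]::CreateDirectory($Destination) | Out-Null

    # -Force includes hidden files; the source files are only read, never modified.
    Get-ChildItem -LiteralPath $sourceRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Rebuild the same relative path under the backup root.
            $relative = $_.FullName.Substring($sourceRoot.Length).TrimStart('\')
            $target   = Join-Path $Destination $relative
            [System.IO.Directory]::CreateDirectory([System.IO.Path]::GetDirectoryName($target)) | Out-Null

            Copy-Item -LiteralPath $_.FullName -Destination $target -Force

            # Hash both sides so a bad copy is caught now, not after a decryption attempt.
            $srcHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash

            [pscustomobject]@{
                RelativePath = $relative
                Length       = $_.Length
                SHA256       = $srcHash
                Verified     = ($srcHash -eq $dstHash)
            }
        }
}

$manifest = @(Backup-EncryptedFiles -Source $Source -Destination $Destination)

# The manifest records what the encrypted files looked like at backup time.
$manifest | Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation

$failed = @($manifest | Where-Object { -not $_.Verified })
'{0} files copied, {1} failed verification' -f $manifest.Count, $failed.Count
```

Disconnect the backup drive as soon as the copy finishes so that still-active ransomware cannot reach it.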

CryptoLocker Ransomware Removal Guide

The first thing to do is remove the CryptoLocker virus before attempting decryption. Remember that as long as the ransomware is active, it will repeatedly encrypt files on the compromised computer.

CryptoLocker infection is dangerous to the system because it can plant files that run each time Windows starts. To prevent the malicious files from loading, Windows must run with minimal processes, which can be done through Safe Mode with Networking.

Stage 1 : Temporarily Disable System Restore on Windows OS

Because CryptoLocker and related viruses are capable of reinstating themselves by exploiting Windows System Restore, we suggest that you temporarily disable System Restore while executing the steps. This option also helps a full scan of the computer run effectively. Turning off System Restore deletes the existing restore points on that drive, which the Previous Versions and ShadowExplorer recovery options below rely on.

Do not forget to re-enable System Restore after completing the removal of CryptoLocker ransomware. This feature is vital for returning the operating system to a previous working condition in case problems or conflicts occur.

Stage 2 : Start Windows in Safe Mode With Networking

Windows 10 Guide

1. Click the Windows logo and select the Power icon when the options pop up.
2. Select Restart from the options while holding the Shift key on the keyboard.
3. The Choose an Option window will appear; select the Troubleshoot button.
4. On the next window, choose Advanced Options.
5. On the Advanced Options window, click Startup Settings, then click the Restart button to reboot the computer.
6. When Windows boots into Startup Settings, press function key F5 or number 5 on the keyboard.

A simpler alternative for Windows 10 users is to scan the computer with Microsoft Defender Offline. This will run a virus scan in the recovery environment.

Windows 8 Guide

1. Click the Windows Start icon at the lower left section of the screen.
2. Open the Search window and type Advanced in the field. It will open General PC Settings.
3. Click Advanced Startup, then click the Restart Now button.
4. Once the computer starts in the Advanced Startup option menu, select Troubleshoot.
5. Next, click Advanced Options to reveal the next section.
6. Click Startup Settings, then click the Restart button to boot the PC into Startup Settings.
7. Use function key F5 or number key 5 to Enable Safe Mode with Networking.

Stage 3 : Scan the Computer with Anti-Malware Tool

Ransomware files are placed deep in the system and in various locations; thus, thorough scanning is vital to totally remove the CryptoLocker virus. Aside from our suggested tool, you may also run your own security program.

To remove CryptoLocker automatically, we suggest scanning the computer with this efficient anti-malware tool. This scanner does not just uncover known threats like viruses or malware; it is also effective in discovering hazardous ransomware like CryptoLocker.

1. Download the free anti-malware scanner called MalwareBytes Anti-Malware.

2. After downloading, install the program. It may run automatically, or you may have to double-click the downloaded file MBSetup.exe.

3. Carry out the installation with default setup process.

4. After the installation process, click the Get Started button to launch the program.

5. Continue with the prompts until the main program opens.

6. On the main console, click Scan to run the most complete detection method to find hidden objects associated with CryptoLocker ransomware.

7. Scanning may take a while. Please wait until the anti-malware tool is done with the checking.

8. Once the scan has completed, the tool will display the list of detected threats. Remove all identified malicious items and restart the computer if necessary.

Stage 4 : Double-check with Microsoft's Malicious Software Removal Tool

1. Download the free scanner called Malicious Software Removal Tool.

2. The tool automatically checks the operating system and suggests the appropriate download version. Click the Download button to begin. Save the file to a convenient location, preferably the Desktop.

3. After downloading the file, Windows will prompt that the download has completed. Click Run to start scanning for CryptoLocker ransomware. Another option is to browse to the download folder and double-click the file to run it.

4. The tool will display the Welcome screen; click Next. Please note the message "This tool is not a replacement for an antivirus product." You must understand that this program is made specifically to find and remove malware, viruses, Trojans, and other harmful elements on the computer. It was not designed to protect the computer.

5. Next, you will see Scan Type. Please choose Full Scan to ensure that all CryptoLocker ransom virus entities and other harmful files left on the computer will be found and removed. Advanced computer users can opt for Customized Scan if there are other drives or folders they want to include in this scan.

6. A full scan may take a while; please wait for Malicious Software Removal Tool to complete the task. However, you may cancel the scan anytime by clicking the Cancel button.

7. After scanning, the tool will reveal all identified threats. There may be other threats that our first scan failed to detect. Please remove/delete all detected items.

8. When the removal procedure is complete, you may close Malicious Software Removal Tool. We hope that CryptoLocker ransomware has been completely deleted from the computer. Please restart Windows to proceed with normal operation.

Recover Files from CryptoLocker Ransomware Infection

In this section, we provide ways to decrypt files infected with CryptoLocker ransomware. Aside from dedicated decryption software and common tools, other options for file recovery are provided. As much as we can, we will update this area whenever a new and more suitable decryption tool is made available.

Decrypting CryptoLocker infected files with Emsisoft Tools

This service from Emsisoft is helpful in unlocking encrypted files without paying the ransom. It gives three ways to detect the ransomware and provide a suitable recovery method:

Upload ransom note – This is usually the .txt or .hta file that was generated by CryptoLocker ransomware.

Upload the encrypted file – The actual encrypted file. Choose the one that is less than 8MB in size.

Contact information – Enter the email address or any links provided as it appears in the ransom note of CryptoLocker virus.

After you submit any of the appropriate data, Emsisoft will attempt to identify the ransomware and provide keys if they are available.

Option 1: Windows Previous Version Tool

Windows Vista and Windows 7 have a feature called Previous Versions. However, this tool is only usable if a restore point was made prior to the ransomware infection. To use this tool as a "recovery option" for files encrypted by the CryptoLocker virus, please follow these steps:

1. Open My Computer or Windows Explorer.

2. Right-click on the affected files or folders. From the drop-down list, please click on Restore previous versions.

3. A new window will open, displaying all backup copies of the files and folders you want to recover. Choose the appropriate file and click Open, Copy, or Restore. Restoring selected files overwrites the current locked files on the computer. The tool does not actually recover files encrypted by CryptoLocker. Instead, it restores files from a backup copy.

Option 2: Use ShadowExplorer to restore files encrypted by CryptoLocker Ransomware

Just like the Previous Versions tool, ShadowExplorer takes advantage of the shadow copies created by Windows. This tool allows you to retrieve an older version of a file from before it was encrypted by CryptoLocker ransomware.

1. Download ShadowExplorer from the official web site.

2. Install the program with the default settings.

3. The program should run automatically after installation. If not, double-click on ShadowExplorer icon.

4. You can see the drop-down list at the top of the console. Please select the proper drive and the most recent point-in-time shadow copy, made prior to the CryptoLocker ransomware infection, of the files you wish to restore.

5. Right-click on the Drive, Folder, or File you wish to restore and click Export...

6. Lastly, ShadowExplorer will prompt for the location where you want to save the copy of the recovered files.
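
Both options above only help if a shadow copy older than the infection still exists. The following added PowerShell example (not part of the original guide) lists the shadow copies Windows holds and reports the newest one per drive that predates an assumed infection time; `$InfectionTime` and the `C:\ShadowView` link name are placeholders.

```powershell
# Added example; run from an elevated PowerShell prompt. It only reads, nothing is changed.
# $InfectionTime is an assumption: set it to when the ransom note first appeared.
$InfectionTime = Get-Date '2013-10-01 05:00'   # constructed sample value

function Get-CleanShadowCopy {
    param([Parameter(Mandatory)] [datetime] $Before)

    # Map volume GUID paths (\\?\Volume{...}\) to drive letters for readable output.
    $volumes = @{}
    Get-CimInstance -ClassName Win32_Volume |
        ForEach-Object { $volumes[$_.DeviceID] = $_.DriveLetter }

    # Keep only snapshots taken before the infection, newest first.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Drive        = $volumes[$_.VolumeName]
                Created      = $_.InstallDate
                ShadowID     = $_.ID
                DeviceObject = $_.DeviceObject
            }
        }
}

$candidates = @(Get-CleanShadowCopy -Before $InfectionTime)

if ($candidates.Count -eq 0) {
    'No shadow copy predates the infection; Previous Versions and ShadowExplorer have nothing to restore from.'
} else {
    $candidates | Format-Table Drive, Created, ShadowID -AutoSize | Out-String

    # For each drive, print (not run) the cmd.exe command that exposes the newest
    # clean snapshot as a read-only folder. C:\ShadowView is a hypothetical link
    # name and must not already exist.
    $candidates | Group-Object Drive | ForEach-Object {
        $newest = $_.Group | Sort-Object Created -Descending | Select-Object -First 1
        'Drive {0}, snapshot of {1}: mklink /d C:\ShadowView {2}\' -f `
            $newest.Drive, $newest.Created, $newest.DeviceObject
    }
}
```

An empty result usually means System Protection was off, the restore points were deleted, or the drive is a network share or NAS that Windows never snapshotted.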

How to protect the computer from CryptoLocker ransomware?

After the removal of the ransomware, it is important to prevent a similar incident from happening again. To protect the computer effectively, the user must know how CryptoLocker ransomware was able to infect it. To minimize the chance of infection, staying away from the common sources of this virus is crucial.

How CryptoLocker ransomware can infect your computer?

The method of infecting computers was found to be similar to that of other common viruses. Ransomware like CryptoLocker is seen to be deployed efficiently via spam email messages, web injectors, malicious software installers, misleading online advertisements, and through another virus infection.

Once the virus is executed, it immediately infects the system. Then, CryptoLocker ransomware communicates with a remote server so that a unique key can be generated for the specific computer. After acquiring the key, it starts to encrypt target files using a complex method that is almost unbreakable. In the last stage of the attack, CryptoLocker ransomware demands ransom money as payment for the decryption tool. To further understand the attack scheme, we have included an infographic below.

Infographic image of ransomware attack stages

Securing the computer against ransomware attack

Do a Regular File Back-up - Always back up your data on separate storage devices such as external hard drives, optical discs, or online backup services.

Keep Your Software Updated - Make sure that you have the latest software updates especially on the operating system. Recent updates often contain vital security patches to help protect the computer against all forms of threats.

Install a Security Program - Protect the computer with effective anti-virus application using efficient real-time scanning. Regularly run a complete scan to check the computer for presence of malware.

Protect your files with Controlled Folder Access (Windows 10)

For Windows 10 users, aside from protecting the computer with anti-virus or anti-malware programs, one way to protect against ransomware attacks is Controlled Folder Access. This feature of Windows Defender Security Center may not prevent CryptoLocker ransomware infection, but it can protect folders and files in general. Follow these steps to enable Controlled Folder Access in Windows 10.

1. Go to Windows 10 Taskbar and search for Windows Defender Security Center.

2. Open Windows Defender Security Center and click on Virus & Threat Protection icon.

3. On next window, please click on Ransomware Protection.

4. Under Controlled Folder Access section, switch the slider to On. That will enable the feature and protect the folder against CryptoLocker or any type of ransomware.

5. Click the Protected Folders link to include additional folders. Make sure that the folders where important files are located are included in the list.

Troubleshooting Guide

Certain programs may be blocked by the Controlled Folder Access feature. To fix the issue, simply have the specific program whitelisted.

1. Under Protected Folders, click Allow an app through controlled folder access.

2. Next, click the Add an allowed app and include the target executable file.

The Controlled Folder Access feature is one way to protect files against CryptoLocker. Other important ways to keep files safe against ransomware involve early prevention, such as keeping programs updated, installing an efficient security program, and doing regular file backups on a separate media drive.
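
The same settings can be applied and checked from an elevated PowerShell prompt with the Microsoft Defender cmdlets. This is an added example, not part of the original guide; the folder and program paths are placeholders, and the event query shows which programs were blocked so you know what to allow.

```powershell
# Added example; run elevated on Windows 10 with Microsoft Defender as the active antivirus.
# The folder and program paths are placeholders (assumptions), not values from this guide.
$ExtraFolders = @('D:\Accounting', 'D:\Photos')
$TrustedApp   = 'C:\Program Files\ExampleApp\example.exe'

# Steps 1-4 of the guide: switch Controlled Folder Access on.
# Use 'AuditMode' instead of 'Enabled' to log would-be blocks without enforcing them.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Step 5: protect folders beyond the default set (Documents, Pictures, and so on).
foreach ($folder in $ExtraFolders) {
    if (Test-Path -LiteralPath $folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else {
        Write-Warning "Skipping $folder (not found)"
    }
}

# Troubleshooting: list recent Controlled Folder Access events.
# Event 1123 = a write was blocked; 1124 = it would have been blocked (audit mode).
function Get-CfaBlockEvent {
    param([int] $Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # The Message field names the blocked process and the path it tried to change.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-CfaBlockEvent | Format-List

# Allow a program only after recognising it in the events above.
if (Test-Path -LiteralPath $TrustedApp) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp
}

# Confirm the result. EnableControlledFolderAccess reports 0 = off, 1 = on, 2 = audit mode.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications |
    Format-List
```

An unfamiliar executable under a user profile or temp folder in the block events is a reason to investigate, not a candidate for the allow list.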

47 thoughts on “Remove CryptoLocker Virus”

  1. What is the deal with the key? Your example shows a key, when I run the program no key is present. What are you doing to try and identify the correct key? Or should the program do this on its own?

  2. I have some friends who are currently trying to recover their files from CryptoLocker virus infection. So far, they are still trying various decryption tools. They have managed to remove the CryptoLocker from their computer; however, files are remained encrypted.

    I still do not know if removing files and registry entries dropped by CryptoLocker will be able to help. So far, here are what I have found:

    CryptoLocker Files:
    C:\WINDOWS\system32\msctfime.ime
    C:\Documents and Settings\User\Application Data\{DAEB88E5-FA8E-E0D1-8FCD-BFC7D2F6ED25}.exe
    C:\DOCUME~1\User\LOCALS~1\Temp\CryptoLocker.exe
    C:\WINDOWS\system32\rsaenh.dll

    CryptoLocker Registry Entries:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
    HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = “CryptoLocker.exe”
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    HKEY_CURRENT_USER\Software\CryptoLocker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced Cryptographic Provider v1.0
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Offload
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\DESHashSessionKeyBackward
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)

  3. Hey,

    We were hit with this on 09/09. It was on 1 pc that happens to be a part of a shared drive that is for our warehouse and encrypted all the docs and apps for the drive and server. Will this work?

  4. this is not working at all for my client. Same situation, hit one machine, then spread through the network… Decryptor says no files are encrypted but they were all affected by the CryptoLocker.exe ransomware.

    Please help!!!

  5. We have seen this several times this week at our company. You can not decrypt the files without the private key which is stored on the hacker’s servers. That panda tool will not be able to do it. you can use a tool called shadow explorer which may help you as long as you have system protection turned on.

  6. Hi, I have this Cryptolocker on my PC that shares files on Drop box which seem we cannot open. Can this program clean the trojan off the drop box? I am in the middle of cleaning the first phase of ESAT Rogue.

  7. I have the same problem, hit one pc and drop box server. Panda did not decrypt the file nor did shadow explorer. Can someone please HELP !

  8. Hit our Church, I have not found an answer – panda and shadow copy did not work, it had disabled my ability to restore to a restore point – This is a beast – any help is appreciated.

  9. Correct, the Panda tool can not decrypt the files. Your only hope is to use shadow explorer which definitely works as long as you have system restore points enabled….the key is to remove the virus before you run shadow explorer. We have successfully restored files with it.

  10. Yes Shadow copy works. I think I’ll be cleaned in another hour.
    Thanks for post all of this.

  11. Helmut Reinhardt

    We have this same CRYPTOLOCKER it hit us about 5am this morning, and encrypted 2 network drives, resulting in about 112,000 files being encrypted.
    Pandaunransom.exe didn’t do anything – looks like panda needs the decrypt key.

  12. We have 3 PC’s (All Win 7 64bit running Trend Micro Office Scan Client 10.5 AV) infected with CryptoLocker. We managed to remove the virus with Malwarebytes, Hijack This and physical deletion of Virus files but again all local files were left encrypted. We think this was contracted from opening an email supposedly from FedEx.

    I have asked Trend for advice but it is not looking hopeful of salvaging local files thankfully shared drives haven’t been infected (yet).

  13. We were hit on 25th and it has taken several times to remove the bulk of this virus still awaiting on Avast remover. It seems to be working. It has been an extreme hassle and it seems to come out into only one email via an Intuit spam email. Again use your virus blocker more often than usual it helps in keeping the systems up on new viruses. I’ll post tomorrow how we fare in our offices.

  14. We were hit on 9/28. Anyone able to decrypt the files? I don’t have a current backup

  15. I can’t seem to see any difference (files I can’t get to or are corrupt), but I got that nasty message! I have removed CryptoLocker from my computer, what would happen if I used system restore to go back to before this happened?

  16. Best option is to reinstall OS from an image created before the virus has hit your system. I have done this on an infected computer and it works great. It is very important to back up your system to an offsite drive. I run a new image every week on my systems and delete the older images. This way I will only lose a week's worth of data. This is the only thing that I have found that works reliably every time.

  17. Guruthesecond

    We were hit two days ago. It only affected one computer but since she was mapped to all the shares, they are all encrypted. We’ve finally agreed to pay the ransom I’m just concerned because I read on another thread how payment had been blocked and we may never get our files back.

  18. Any of this methods are not going to be successful, instead all are going to stuck with the same problem. What is the possible way to remove this thing. Please help!

  19. Cherrelyn Joy Moreno

    Thank you very much for this information though the decryption process didn’t work but the CryptoLocker Virus was gone.. Thank you very much. A million Thanks to you.

  20. Guruthesecond,

    Did paying the fee get you the private key and allow you to decrypt the files again? I have an end user client whose business files were all encrypted on the network share and is desperate for a resolution. Before I clean the malware, I want to know if this solution is valid. Ransom true, but when the client needs the files, a ransom is better than nothing. The infected PC is off the network and isolated right now.

    PEACE

  21. You MAY fix the encrypted files by paying the money, supposedly, they will send the decryption key and it does work. It does take a while, I think one site said about 5gb per hour, but don’t wait too long looking for a solution that doesn’t come. If you don’t have backups and you need these files, once that timer reaches zero, the key is destroyed and your files are pretty much forever encrypted. Best thing to do is kill the drive, start fresh from your back ups. System restore will do nothing for you as System restore does nothing to change the files this particular variant is designed to encrypt, only system files and Windows start up files. Your computer will work fine, but you won’t be able to open the extensions mentioned in the above link until they are decrypted or removed and restored from backup. Make sure you remove the virus before restoring from backup, otherwise it would be redundant.

    We had the issue yesterday on one of our user computers. She opened an attachment, that’s all it took. Not only did it encrypt all files on her desktop, any user directory she had connected to our server where she had write privy, were also encrypted. Spent the better half of the night last night weeding through directories and files, deleting encrypted files and restoring from backups.

    Take note, as long as her computer was on the network and had write access to the server, every time I would replace an encrypted file on the server, it would encrypt the restored almost simultaneously, fortunately she just had write access to her own user directory and a community directory that is used to share files, no access to any system or admin files. Make sure you remove the infected computer totally off the network before trying to resolve and restore. Turning it off and rebooting it or trying to remove it won’t destroy the key, the virus itself is easy to remove, but in doing so guarantees your files stay encrypted.

    Nobody wants to pay $300, but it's the most guaranteed way you get your files back, it's why it's called ‘Ransomware’. You can try to beat it, but know that in messing with it you could speed up, or just finalize the process of preventing any way of ever applying the decryption key. This is a fairly new entity and is rarely caught by most AVs and even many Firewalls overlook it, don’t depend alone on your securities. I’ve been the system administrator with my company for over 11 years, and have secured with quad redundancy on every level, but we still got in… Get your users aware of these threats… You can have the most secure house on the block with the most cutting edge alarm system, but if someone opens the door to the thief… Well, doesn’t do any good.

    She had files on her desktop, I told her I’d fix it for $300, other than that, files on her desktop are gone. Backup Backup Backup awareness Backup Backup Backup…

    Best prevention is user awareness.

  22. I have been hit with this nasty piece of work, I completely removed it from my system and just successfully replaced all of the files on the system that had been encrypted using shadow explorer. However the encryption also affected my NAS which was on the same network thus not under the window shadow copy. If anyone know of a decryption tool that works please kindly let us know.

  23. We have been hit with this twice now. Fortunately we have backup processes in place so the loss of data was not a huge problem.

    To remove the software we have used System restore and Malware Bytes. Be sure you do this without the network cable plugged in.. especially if you are on a domain and have access to shares.

    Hopefully someone will find the fix to decrypting the docs, and or finds the culprits and smashes them up.

  24. I got hit by this virus early this week. While I have managed to remove the virus, my files are still encrypted. Need help to decrypt the files. Tried Panda but did not help. Any suggestions?

  25. Thanks God I was able to remove the virus. Thanks a lot for useful information.

  26. Hello,

    I have this virus in every computers. In my network we have 2 servers Windows 2003 and 20 computers Windows XP.

    I am very worried because all of our “.pdf” documents are damaged and we can’t opened them.

    I do not know what to do to recover the pdf documents.

    Any update?

  27. OK Guys, I lose. Please tell me where I can re-infect and pay the ransom and get all my files back.

  28. Hi all,
    I am sorry to be the bearer of bad news but my brother in law has just told me that there is no way you can recover the encrypted files unless you have the decrypt key from Cryptolocker, which definitely does not exist anyway. They are only interested in the unfortunate people who pay the money and then do nothing anyway. My brother in law is a super computer geek and he knows his stuff. In short you won’t get back your files but you can easily remove the virus using Malwarebytes.

  29. I got infected yesterday – not good. Unable to open up word files/ excel files on laptop prior to infection. I have been able to use files received after malware taken off laptop.

    Good news is that all files stored on my ISP both sent and received emails not affected and I am able to restore files as I go along – I have not deleted emails in the last 4 years so have 7300 sent and 10400 received so this should allow me to restore 80%+ of my files so that I can open them / replace the damaged files.

  30. I got infected on 01 OCT 2013. Unable to open up word files/ excel/pdf files on my system. I have been able to use files received after malware taken off system emails not affected both sent and received.

    I do not know what to do to recover the documents.

    Any update?

    From Dr Ram Reddy, Hyderadad, India.

  31. Hello,
    I have this virus in every computers. In my network we have 2 servers Windows 2003 and 20 computers Windows XP.
    I am very worried because all of our PDF documents are damaged and we cannot open them.
    I do not know what to do to recover the PDF documents.
    Any update?

  32. Thank you so much… cryptolocker is gone, but now I can fix my file… panda, shadow explore cant decrypt my file. T.T what can I do? Someone can tell me how to fix it with other program maybe, because that’s my important file.

  33. Senior Level Tech

    Hello. I deal with this infection as well as FBI’s and others on a daily basis. I can tell you that I am MTP certified and have 7 years in Infection removal, in fact I am an infections Specialist with my firm. For starters. Never listen to anyone that tells you to just pay the $300 because it is the only way your files will get decrypted. In actual fact, you can pay the money but you will NOT get your files back.

    When you first see the CryptoLocker screen, it is best to completely shut your PC down immediately and seek out an infection removal expert.

    I find the best way to remove the infection is manually without the use of useless scanners. These scanners will only find part of the infection if any of it at all.

    Here is the most effective and guaranteed removal technique..
    1. Power on the machine
    2. Boot to Safe mode with Networking.
    3. Open Explorer and view hidden files and folders. Check every user, appdata folder under local and roaming. you are looking for a very distinct file that is usually in .dat or .exe extension.
    The name of the file will not be a word, instead, it will be a series of numbers and letters, usually about 13-25 characters long. Once found delete them immediately.

    4. Holding the windows key down press r and type in regedit
    Search local user and local machine/software/Microsoft/windows/windowsNT/Winlogon
    Check the Powershell as well, it should be set at explorer.exe
    Be sure it is not named anything else.

    5. Once you have found the infection and completely removed it from your machine, you will still see the Cryptolocker splash page. This is the easy part.

    6. run MSconfig check for anything out of the norm in startup, usually it will be in .exe extension, uncheck it and click save. DO NOT REBOOT YET!

    On your desktop you will find the image file for the Cryptolocker splash page, delete it and empty the recycle bin.

    Now reboot.

    Ok, now your docs are encrypted, what do you do now…..

    I have the million dollar answer and it has worked 80% of the time. The name of the program is Icare. Such a sweet name and an over all life saver for a lot of people.

    I really hope that you follow my guidelines step by step. If you do, you will conquer this awful Virus and possibly get all of your files back. For free no less.

    You are welcome in advance.

  34. Had a customer infected with this. Paid the ransom and very quickly got decrypt private key. Seems as though hackers will give you the key if you pay up. Customer had backup from previous night, but with the time it takes to restore and rebuild infected laptop, it was quicker and easier to pay up. Laptop had mapped network drives, so spread to half the docs on the network before network cable was pulled from the laptop. The encryption is RSA encryption and would take years to crack. Without the key from the hackers, your only option is backups and hope it doesn’t take long to restore, shadow copy or previous versions enabled.

    If you decide to pay and get the key, the program runs, decrypts the files, then will give you an opportunity to retry any skipped files. Customer had taken a USB drive out, so had to skip those files, then ran again when drive was put back in.

    Once you end the program, it removes itself from the system, so make sure you have run it against all encrypted files. Program remembers exact drive mappings, so if you’ve disconnected drive mappings, you will have to map to the same drive letter as before.

    Then hope no-one else opens up attachments without being certain what they are. This really is a case of once you let the crooks in, you’re at their mercy, unless you have a good backup solution. Once the timer counts down, that’s it, you can’t then decide to pay, but if you’ve paid, the counter will suspend while payment is being verified.

    One other thing – had no luck whatsoever trying to pay by the UK option of bit coins. You can create a wallet, but getting money into that wallet is damn near impossible! Had to get a US contact to pop into a 7 Eleven and buy a Moneypak card, put money on it using PayPal and then send the Moneypak card number to put into the program! You can’t use PayPal or Credit card to fund a bit coin account, so good luck with that!

    Hope additional info helps, as I spent half a day looking into how to pay!!

  35. Mauricio Delgado Robles

    Malware CryptoLocker was removed using both tools, first the Sophos Software and then I check with Malicious Software Removal, but those software just delete the malware, panda doesn’t decrypt the files touched for virus, the only software to fix this was ShadowExplorer, this work very good, quick and effective..

    Regards

    Mauricio

  36. Accountants infected, they Paid via bitcoin from UK (£270) ,(not as easy as it sounds) over 50,000 encrypted files,(xls(x),doc(x) pdf’s, decryption took 12 hours.. seems to have worked (cant test 50,000 files) backups were 5 days old! Maybe now backups might be more important and double clicking any attachment might be thought twice about!

  37. Dear Users,

    I think you should not pay any thing to any one, I have just tried a very simple solution, I just formatted my c drive than I re installed my operating system, after that I have deleted my other drives also, then by using recovery software that is available freely online Ease US I have recovered 80 -90 % of my files and those files are not encrypted or corrupted.

    I think something is better than nothing. If any of you can recover files by using my technique then please let me know.

  38. Just got hit with the Malware Cryptolocker. What steps do I need to take to get rid of this?

  39. Searched google for removal of the parasite, but it is very difficult restore your encrypted files.

  40. Another Victim

    I deleted Cryptolocker virus and went inside the registry keys and folder files to delete all that was associated with the virus. My files still remained locked. The ransom price went up to 1400 USD and my system restore files somehow got deleted.

    I refuse to contribute to terrorists the guy responsible for this virus is name is Evgeniy Bogachev
    Everything about the mastermind behind the Cryptolocker virus is here on this FBI site
    fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev

    I am calling all bounty hunters and anyone else that can locate people, he ruined our computers, and is making profit from it. It’s time to send message to him, and anyone associated with him. If he wants us to pay for his virus he created he has another thing coming to him. FBI is asking for 3 million dollars to find Evgeniy Mikhaylovich Bogachev.

    Happy Hunting, spread this message across the web, time for international man hunt for Evgeniy Mikhaylovich Bogachev the CREATOR of the CRYPTOLOCKER virus (ransomware)

    I rather lose my files, just to see his criminal empire crashing down before him.
