Remove CryptoLocker Virus

CryptoLocker is a piece of malware, variously described as a virus or Trojan, that attempts to extort money from computer users. This kind of computer infection is classed as ransomware. However, it does not lock the computer and demand payment for an unlock code. Instead, CryptoLocker encrypts files on the infected computer and requires the user to obtain the private key needed for decryption. What also differentiates CryptoLocker from other ransomware is its time-based destruction of the key: failure to pay for the private key within the specified time results in the key being destroyed on the server. Put simply, once that happens there is no way to unlock the affected files on the computer.

CryptoLocker message states the following:

“Your personal files are encrypted! 

Your important files encryption produces on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files, you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files…

To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USB / 100EUR / similar amount in another currency.
Click Next to select the method of payment and the currency.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.”

Image of CryptoLocker ransom note

As you can see, the author of the CryptoLocker virus intends to collect money by locking files on the infected computer. Whether or not the content of the window is true, we do not encourage paying for the private key to resolve the issue. First, remove CryptoLocker from the computer. Then, decrypt the files with valid tools.

Other Detections:

Different anti-virus and anti-malware programs may name this threat according to their patterns. Here are some detection names: Trojan.Cryptolocker.F

Back up your files

One important step before proceeding with the procedures below is to back up your files. Not all ransomware behaves the same way. Each has its own set of payloads aside from encrypting the files with a complex method. Some delete the infected files after a certain period, while others keep them concealed in hidden places. In addition, ransomware decryption tools are not guaranteed to be perfect; there are instances where files are damaged during the decryption process.

So, create a backup copy of all your CryptoLocker-encrypted files right now.

CryptoLocker Ransomware Removal Guide

The first thing to do is remove the CryptoLocker virus before attempting the decryption. Remember that as long as the ransomware is active, it will repeatedly encrypt the files on the compromised computer.

A CryptoLocker infection is dangerous to the system because it can plant files that run each time Windows starts. To prevent the malicious files from loading, Windows must run with a minimal set of processes, which can be done through Safe Mode with Networking.

Quick Fix - Scan the PC with Combo Cleaner for Windows

Combo Cleaner is a trusted PC security and optimization tool equipped with a powerful virus and malware detection engine. This program can get rid of ransomware like CryptoLocker through this procedure.

1. Download the application from the following page:

2. Save the file to your preferred location.

3. Double-click the downloaded file CCSetup.exe and install with the default settings.

CC for Windows Installation

4. At the end of the setup process, click Finish to run Combo Cleaner.

5. The tool will update the signature file. Please wait for this process to complete.

6. To begin checking for threats like CryptoLocker ransomware, click on the Start Scan button. Wait for this scan to finish.

CC for Windows Start Scan

7. At the end of the scan process, click on Remove all threats to delete CryptoLocker ransomware including all malicious objects from the computer.

Free features of Combo Cleaner for Windows include Disk Cleaner, Big Files finder, Duplicate files finder, and Uninstaller. To use antivirus, privacy scanner, and to delete identified threats, users have to upgrade to a premium version.

Please continue with the succeeding removal procedures if you are comfortable manually getting rid of the threat and the malicious items linked with it.

Step 1 : Start Windows in Safe Mode With Networking

The method of running Windows in Safe Mode before running a virus scan is effective in getting rid of CryptoLocker. This process can prevent most viruses and malware from loading, making it easier to detect and remove them.

1. On the Windows Search bar, please type msconfig.

Screenshot of MSConfig Command

2. Select and open System Configuration on the list of found results.

3. Once you are in the System Configuration window, go to the Boot tab.

Screenshot of SafeBoot

4. Under the Boot Options area, please check Safe Boot and select Network. This will allow Windows to boot in Safe Mode with Networking.

5. Lastly, click on Apply and OK to save the changes.

6. Please restart Windows.

Do not forget to restore the normal boot process of Windows after running the virus scan. Simply repeat the method above, and this time, uncheck the Safe Boot option to run Windows normally.

Step 2 : Scan the Computer with Sophos Antivirus

Ransomware files are placed deep in the system and in various locations, so thorough scanning is vital to totally remove the CryptoLocker virus. Aside from our suggested tool, you may also run your own security program.

To remove CryptoLocker ransomware automatically, scanning the computer with this efficient anti-malware tool is suggested. This scanner does not just uncover known threats like viruses or malware; it is also effective in discovering hazardous ransomware like CryptoLocker.

1. Download Sophos Virus Removal Tool from the link below. Save the file on your computer where you can easily access it.

2. Once the download completes, browse the location of the file. Double-click to run the program and begin the install process.

3. On the first window of the installation wizard, click Next to continue. It will then display the program’s License Agreement. You need to Accept the terms in order to proceed. If Windows prompts for User Account Control, please click Yes to proceed.

Screenshot of Sophos EULA Page

4. On succeeding windows, click Next or Continue to carry on with the installation. After completing the installation process, Launch Sophos Virus Removal Tool.

5. Internet connection is required when running this virus scanner in order to download important updates. Make sure that everything is up-to-date to effectively remove CryptoLocker ransomware and other relevant viruses.

6. Click the Start Scanning button to inspect the computer. This will check the system for presence of malicious objects, malware, and viruses. The tool reveals items that were found linked to CryptoLocker ransomware and other suspicious entities. Be sure to remove all identified threats.

Screenshot of Sophos Virus Scan

The above procedures should have totally eliminated CryptoLocker ransomware. However, if you find that there are still remnants of the virus, please proceed to the procedures below.

Step 3 : Double Check with Windows Security Apps

Microsoft Windows has a built-in security application that you can use to double-check if your computer is still infected with CryptoLocker. For Windows 10/11 users, please run Windows Security.

Windows 10 / 11 Instructions:

Windows Security is a free tool that was built to help you remove CryptoLocker, viruses, and other malicious items from Windows 10/11 systems. Follow these procedures to scan your computer with the tool:

1. Tap or click the Search charm, search for Windows Security, and then open the application.

Image of Windows Security Search

2. On the Home tab, click Virus and threat protection from the sidebar.

3. On the main window, click on Scan Options. Then, click on Full Scan button.

Image of Scan Options

4. Lastly, click on the Scan now button to start scanning for the presence of CryptoLocker. The process may take a while to complete.

5. After the scan, Delete/Quarantine identified threats, whether they were relevant to CryptoLocker or not. You may now restart Windows to complete the virus removal process.

For older versions of Windows, you can scan the computer for free with the Microsoft Malicious Software Removal Tool (MSRT 64-Bit). It is a stand-alone virus scanner tool that targets prevalent malware groups.

Recover Files from CryptoLocker Ransomware Infection

In this section, we provide ways to decrypt files infected with CryptoLocker ransomware. Aside from dedicated decryption software and common tools, other options for file recovery are provided. As much as we can, we will update this area whenever a new and more suitable decryption tool is made available.

Decrypting CryptoLocker infected files with Emsisoft Tools

This service from Emsisoft is helpful in unlocking encrypted files without paying the ransom. The page provides a list of ransomware decryption tools. All you have to do is look for the specific tool and start recovering the CryptoLocker-encrypted files.

Option: Use ShadowExplorer to restore files encrypted by CryptoLocker Ransomware

ShadowExplorer depends on the presence of System Protection on every drive from which you wish to retrieve data. Furthermore, it is crucial that System Protection is enabled prior to any event that requires file recovery. It is worth noting that Windows automatically enables System Protection solely on the system partition (C). 

ShadowExplorer takes advantage of the shadow copies created by Windows. This tool allows you to retrieve older versions of files from before they were encrypted by CryptoLocker ransomware.

1. Download ShadowExplorer from the official web site.

2. Install the program with the default settings.

3. The program should run automatically after installation. If not, double-click on ShadowExplorer icon.

4. You can see the drop-down list at the top of the console. Please select the proper drive and the most recent point-in-time shadow copy, taken prior to the CryptoLocker ransomware infection, of the files you wish to restore.

Screenshot of ShadowExplorer

5. Right-click on the Drive, Folder, or File you wish to restore and click Export...

6. Lastly, ShadowExplorer will prompt for location where you want to save the copy of recovered files.
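Before relying on ShadowExplorer, it helps to confirm which drives actually hold a shadow copy taken before the infection, since System Protection is normally enabled only on the system partition. The following is an added example, not part of the original guide or of ShadowExplorer; the infection time is a constructed sample value, and the script assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the original guide): report, per local drive, whether a
# shadow copy exists that predates the infection. Run from an elevated prompt.
param(
    # Assumption: approximate time the ransom note first appeared (constructed sample value).
    [datetime]$InfectionTime = '2013-10-01 05:00'
)

# Fixed local disks only (DriveType 3). Mapped network shares and NAS volumes are
# not covered by the local Volume Shadow Copy service.
$volumes = Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 3'
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

$report = foreach ($vol in $volumes) {
    $label = if ($vol.DriveLetter) { $vol.DriveLetter } else { $vol.DeviceID }

    # Win32_ShadowCopy.VolumeName holds the \\?\Volume{GUID}\ path of the source volume,
    # which matches Win32_Volume.DeviceID.
    $copies = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })

    # Only copies taken before the infection contain unencrypted versions of the files.
    $clean = @($copies |
        Where-Object { $_.InstallDate -lt $InfectionTime } |
        Sort-Object -Property InstallDate -Descending)

    [pscustomobject]@{
        Drive           = $label
        ShadowCopies    = $copies.Count
        BeforeInfection = $clean.Count
        NewestCleanCopy = if ($clean.Count) { $clean[0].InstallDate } else { $null }
        Recoverable     = [bool]$clean.Count
    }
}

$report | Format-Table -AutoSize

# Drives without a usable copy have to be restored from a separate backup instead.
$report | Where-Object { -not $_.Recoverable } | ForEach-Object {
    Write-Warning ('{0} has no shadow copy older than {1}; restore it from backup instead.' -f $_.Drive, $InfectionTime)
}
```

A drive that shows shadow copies but none before the infection time only offers versions that are already encrypted, so pick the date in ShadowExplorer from the NewestCleanCopy column.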

How to protect the computer from CryptoLocker ransomware?

After the removal of the ransomware, it is important to prevent a similar incident from happening again. To protect the computer effectively, the user must know how CryptoLocker ransomware was able to infect it. To minimize the chance of infection, staying away from the common sources of this virus is crucial.

How CryptoLocker ransomware can infect your computer?

The method of infecting computers was found to be similar to that of other common viruses. Ransomware like CryptoLocker is seen to be deployed efficiently via spam email messages, web injectors, malicious software installers, misleading online advertisements, and through another virus infection.

Once the virus is executed, it immediately infects the system. Then, CryptoLocker ransomware communicates with a remote server so that a unique key can be generated for the specific computer. After acquiring the key, it starts to encrypt target files using a complex method that is almost unbreakable. In the last stage of the attack, CryptoLocker ransomware demands ransom money as payment for the decryption tool. To further understand the attack scheme, we have included an infographic below.

Infographic image of ransomware attack stages

Securing the computer against ransomware attack

Do a Regular File Back-up - Always back up your data on separate storage devices such as external hard drives, optical discs, or online backup services.

Keep Your Software Updated - Make sure that you have the latest software updates especially on the operating system. Recent updates often contain vital security patches to help protect the computer against all forms of threats.

Install a Security Program - Protect the computer with effective anti-virus application using efficient real-time scanning. Regularly run a complete scan to check the computer for presence of malware.

Protect your files with Controlled Folder Access (Windows 10/11)

For Windows 10/11 users, aside from protecting the computer with anti-virus or anti-malware programs, one way to protect against a ransomware attack is to use Controlled Folder Access. This feature of Windows Defender Security Center may not prevent the CryptoLocker ransomware infection, but it can protect folders and files in general. Follow these steps to enable Controlled Folder Access in Windows 10/11.

1. Go to Windows Taskbar and search for Windows Defender Security Center.

2. Open Windows Defender Security Center and click on Virus & Threat Protection icon.

Virus and Threat Protection

3. On next window, please click on Ransomware Protection.

4. Under Controlled Folder Access section, switch the slider to On. That will enable the feature and protect the folder against CryptoLocker virus or any type of ransomware.

Controlled Folder Access

5. Click on the Protected Folders link to include additional folders. Make sure that the folders where important files are located are included in the list.

Include Your Protected Folder

Troubleshooting Guide

Certain programs may be blocked by the Controlled Folder Access feature. To fix the issue, simply have the specific program whitelisted.

1. Under Protected Folders, click Allow an app through controlled folder access.

2. Next, click the Add an allowed app and include the target executable file.

The Controlled Folder Access feature is one way to protect files against CryptoLocker ransomware. Other important ways to keep files safe against ransomware are early prevention measures such as keeping programs updated, installing an efficient security program, and doing regular file backups on a separate media drive.
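The same Controlled Folder Access settings can be applied from an elevated PowerShell prompt, which is convenient when several machines need identical protection. This is an added example, not part of the original guide; the folder and application paths are hypothetical placeholders, and it assumes Microsoft Defender Antivirus is the active antivirus.

```powershell
# Added example (not from the original guide): enable Controlled Folder Access,
# add protected folders, allow a trusted application, then verify the result.
# Requires an elevated prompt and Microsoft Defender Antivirus as the active AV.

# Hypothetical paths: replace with the folders that hold your important files
# and the programs that legitimately need to write to them.
$protectedFolders = @('D:\Accounts', 'E:\Projects')
$allowedApps      = @('C:\Program Files\ExampleBackup\backup.exe')

# Equivalent to switching the Controlled Folder Access slider to On.
# Use 'AuditMode' instead of 'Enabled' to log would-be blocks without enforcing them.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Equivalent to the Protected Folders link. The default user folders
# (Documents, Pictures, and so on) are protected automatically.
foreach ($folder in $protectedFolders) {
    if (Test-Path -LiteralPath $folder -PathType Container) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else {
        Write-Warning ('Skipping {0}: folder not found.' -f $folder)
    }
}

# Equivalent to "Allow an app through controlled folder access".
foreach ($app in $allowedApps) {
    if (Test-Path -LiteralPath $app -PathType Leaf) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    } else {
        Write-Warning ('Skipping {0}: executable not found.' -f $app)
    }
}

# Verify what is now configured (EnableControlledFolderAccess: 0 = off, 1 = on, 2 = audit).
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications |
    Format-List

# Review recent blocks (event 1123) and audit hits (event 1124) to find legitimate
# programs that need whitelisting, or unknown processes that tried to modify files.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```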

47 thoughts on “Remove CryptoLocker Virus”

  1. What is the deal with the key? Your example shows a key, when I run the program no key is present. What are you doing to try and identify the correct key? Or should the program do this on its own?

  2. I have some friends who are currently trying to recover their files from CryptoLocker virus infection. So far, they are still trying various decryption tools. They have managed to remove the CryptoLocker from their computer; however, files remain encrypted.

    I still do not know if removing files and registry entries dropped by CryptoLocker will be able to help. So far, here are what I have found:

    CryptoLocker Files:
    C:\WINDOWS\system32\msctfime.ime
    C:\Documents and Settings\User\Application Data\{DAEB88E5-FA8E-E0D1-8FCD-BFC7D2F6ED25}.exe
    C:\DOCUME~1\User\LOCALS~1\Temp\CryptoLocker.exe
    C:\WINDOWS\system32\rsaenh.dll

    CryptoLocker Registry Entries:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
    HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = “CryptoLocker.exe”
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    HKEY_CURRENT_USER\Software\CryptoLocker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced Cryptographic Provider v1.0
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Offload
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\DESHashSessionKeyBackward
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)

  3. Hey,

    We were hit with this on 09/09. It was on 1 pc that happens to be a part of a shared drive that is for our warehouse and encrypted all the docs and apps for the drive and server. Will this work?

  4. this is not working at all for my client. Same situation, hit one machine, then spread through the network… Decryptor says no files are encrypted but they were all affected by the CryptoLocker.exe ransomware.

    Please help!!!

  5. We have seen this several times this week at our company. You can not decrypt the files without the private key which is stored on the hacker’s servers. That panda tool will not be able to do it. you can use a tool called shadow explorer which may help you as long as you have system protection turned on.

  6. Hi, I have this Cryptolocker on my PC that shares files on Drop box which seem we cannot open. Can this program clean the trojan off the drop box? I am in the middle of cleaning the first phase of ESAT Rogue.

  7. I have the same problem, hit one pc and drop box server. Panda did not decrypt the file nor did shadow explorer. Can someone please HELP !

  8. Hit our Church, I have not found an answer – panda and shadow copy did not work, it had disabled my ability to restore to a restore point – This is a beast – any help is appreciated.

  9. Correct, the Panda tool can not decrypt the files. Your only hope is to use shadow explorer which definitely works as long as you have system restore points enabled….the key is to remove the virus before you run shadow explorer. We have successfully restored files with it.

  10. Yes Shadow copy works. I think I’ll be cleaned in another hour.
    Thanks for posting all of this.

  11. Helmut Reinhardt

    We have this same CRYPTOLOCKER it hit us about 5am this morning, and encrypted 2 network drives, resulting in about 112,000 files being encrypted.
    Pandaunransom.exe didn’t do anything – looks like panda needs the decrypt key.

  12. We have 3 PC’s (All Win 7 64bit running Trend Micro Office Scan Client 10.5 AV) infected with CryptoLocker. We managed to remove the virus with Malwarebytes, Hijack This and physical deletion of Virus files but again all local files were left encrypted. We think this was contracted from opening an email supposedly from FedEx.

    I have asked Trend for advice but it is not looking hopeful of salvaging local files thankfully shared drives haven’t been infected (yet).

  13. We were hit on 25th and it has taken several times to remove the bulk of this virus still awaiting on Avast remover. It seems to be working. It has been an extreme hassle and it seems to come out into only one email via an Intuit spam email. Again use your virus blocker more often than usual it helps in keeping the systems up on new viruses. I’ll post tomorrow how we fare in our offices.

  14. We were hit on 9/28. Anyone able to decrypt the files? I don’t have a current backup

  15. I can’t seem to see any difference (files I can’t get to or are corrupt), but I got that nasty message! I have removed CryptoLocker from my computer, what would happen if I used system restore to go back to before this happened?

  16. Best option is to reinstall OS from an image created before the virus has hit your system. I have done this on an infected computer and it works great. It is very important to back up your system to an offsite drive. I run a new image every week on my systems and delete the older images. This way I will only lose a week’s worth of data. This is the only thing that I have found that works reliably every time.

  17. Guruthesecond

    We were hit two days ago. It only affected one computer but since she was mapped to all the shares, they are all encrypted. We’ve finally agreed to pay the ransom I’m just concerned because I read on another thread how payment had been blocked and we may never get our files back.

  18. Any of these methods are not going to be successful, instead all are going to be stuck with the same problem. What is the possible way to remove this thing? Please help!

  19. Cherrelyn Joy Moreno

    Thank you very much for this information though the decryption process didn’t work but the CryptoLocker Virus was gone.. Thank you very much. A million Thanks to you.

  20. Guruthesecond,

    Did paying the fee get you the private key and allow you to decrypt the files again? I have an end user client whose business files were all encrypted on the network share and is desperate for a resolution. Before I clean the malware, I want to know if this solution is valid. Ransom true, but when the client needs the files, a ransom is better than nothing. The infected PC is off the network and isolated right now.

    PEACE

  21. You MAY fix the encrypted files by paying the money, supposedly, they will send the decryption key and it does work. It does take a while, I think one site said about 5gb per hour, but don’t wait too long looking for a solution that doesn’t come. If you don’t have backups and you need these files, once that timer reaches zero, the key is destroyed and your files are pretty much forever encrypted. Best thing to do is kill the drive, start fresh from your back ups. System restore will do nothing for you as System restore does nothing to change the files this particular variant is designed to encrypt, only system files and Windows start up files. Your computer will work fine, but you won’t be able to open the extensions mentioned in the above link until they are decrypted or removed and restored from backup. Make sure you remove the virus before restoring from backup, otherwise it would be redundant.

    We had the issue yesterday on one of our user computers. She opened an attachment, that’s all it took. Not only did it encrypt all files on her desktop, any user directory she had connected to our server where she had write privy, were also encrypted. Spent the better half of the night last night weeding through directories and files, deleting encrypted files and restoring from backups.

    Take note, as long as her computer was on the network and had write access to the server, every time I would replace an encrypted file on the server, it would encrypt the restored almost simultaneously, fortunately she just had write access to her own user directory and a community directory that is used to share files, no access to any system or admin files. Make sure you remove the infected computer totally off the network before trying to resolve and restore. Turning it off and rebooting it or trying to remove it won’t destroy the key, the virus itself is easy to remove, but in doing so guarantees your files stay encrypted.

    Nobody wants to pay $300, but it’s the most guaranteed way you get your files back, it’s why it’s called ‘Ransomware’. You can try to beat it, but know that in messing with it you could speed up, or just finalize the process of preventing any way of ever applying the decryption key. This is a fairly new entity and is rarely caught by most AVs and even many Firewalls overlook it, don’t depend alone on your securities. I’ve been the system administrator with my company for over 11 years, and have secured with quad redundancy on every level, but we still got in… Get your users aware of these threats… You can have the most secure house on the block with the most cutting edge alarm system, but if someone opens the door to the thief… Well, doesn’t do any good.

    She had files on her desktop, I told her I’d fix it for $300, other than that, files on her desktop are gone. Backup Backup Backup awareness Backup Backup Backup…

    Best prevention is user awareness.

  22. I have been hit with this nasty piece of work, I completely removed it from my system and just successfully replaced all of the files on the system that had been encrypted using shadow explorer. However the encryption also affected my NAS which was on the same network thus not under the Windows shadow copy. If anyone knows of a decryption tool that works please kindly let us know.

  23. We have been hit with this twice now. Fortunately we have backup processes in place so the loss of data was not a huge problem.

    To remove the software we have used System restore and Malware Bytes. Be sure you do this without the network cable plugged in.. especially if you are on a domain and have access to shares.

    Hopefully someone will find the fix to decrypting the docs, and or finds the culprits and smashes them up.

  24. I got hit by this virus early this week. While I have managed to remove the virus, my files are still encrypted. Need help to decrypt the files. Tried Panda but did not help. Any suggestions?

  25. Thanks God I was able to remove the virus. Thanks a lot for useful information.

  26. Hello,

    I have this virus on every computer. In my network we have 2 servers Windows 2003 and 20 computers Windows XP.

    I am very worried because all of our “.pdf” documents are damaged and we can’t open them.

    I do not know what to do to recover the pdf documents.

    Any update?

  27. OK Guys, I lose. Please tell me where I can re-infect and pay the ransom and get all my files back.

  28. Hi all,
    I am sorry to be the bearer of bad news but my brother in law has just told me that there is no way you can recover the encrypted files unless you have the decrypt key from Cryptolocker, which definitely does not exist anyway. They are only interested in the unfortunate people who pay the money and then do nothing anyway. My brother in law is a super computer geek and he knows his stuff. In short you won’t get back your files but you can easily remove the virus using Malwarebytes.

  29. I got infected yesterday – not good. Unable to open up word files/ excel files on laptop prior to infection. I have been able to use files received after malware taken off laptop.

    Good news is that all files stored on my ISP both sent and received emails not affected and I am able to restore files as I go along – I have not deleted emails in the last 4 years so have 7300 sent and 10400 received so this should allow me to restore 80%+ of my files so that I can open them / replace the damaged files.

  30. I got infected on 01 OCT 2013. Unable to open up word files/ excel/pdf files on my system. I have been able to use files received after malware taken off system emails not affected both sent and received.

    I do not know what to do to recover the documents.

    Any update?

    From Dr Ram Reddy, Hyderadad, India.

  31. Hello,
    I have this virus on every computer. In my network we have 2 servers Windows 2003 and 20 computers Windows XP.
    I am very worried because all of our PDF documents are damaged and we cannot open them.
    I do not know what to do to recover the PDF documents.
    Any update?

  32. Thank you so much… cryptolocker is gone, but now I can fix my file… panda, shadow explorer can’t decrypt my file. T.T what can I do? Someone can tell me how to fix it with other program maybe, because that’s my important file.

  33. Senior Level Tech

    Hello. I deal with this infection as well as FBI’s and others on a daily basis. I can tell you that I am MTP certified and have 7 years in Infection removal, in fact I am an infections Specialist with my firm. For starters. Never listen to anyone that tells you to just pay the $300 because it is the only way your files will get decrypted. In actual fact, you can pay the money but you will NOT get your files back.

    When you first see the CryptoLocker screen, it is best to completely shut your PC down immediately and seek out an infection removal expert.

    I find the best way to remove the infection is manually without the use of useless scanners. These scanners will only find part of the infection if any of it at all.

    Here is the most effective and guaranteed removal technique..
    1. Power on the machine
    2. Boot to Safe mode with Networking.
    3. Open Explorer and view hidden files and folders. Check every user, appdata folder under local and roaming. you are looking for a very distinct file that is usually in .dat or .exe extension.
    The name of the file will not be a word, instead, it will be a series of numbers and letters, usually about 13-25 characters long. Once found delete them immediately.

    4. Holding the windows key down press r and type in regedit
    Search local user and local machine/software/Microsoft/windows/windowsNT/Winlogon
    Check the Powershell as well, it should be set at explorer.exe
    Be sure it is not named anything else.

    5. Once you have found the infection and completely removed it from your machine, you will still see the Cryptolocker splash page. This is the easy part.

    6. run MSconfig check for anything out of the norm in startup, usually it will be in .exe extension, uncheck it and click save. DO NOT REBOOT YET!

    On your desktop you will find the image file for the Cryptolocker splash page, delete it and empty the recycle bin.

    Now reboot.

    Ok, now your docs are encrypted, what do you do now…..

    I have the million dollar answer and it has worked 80% of the time. The name of the program is Icare. Such a sweet name and an over all life saver for a lot of people.

    I really hope that you follow my guidelines step by step. If you do, you will conquer this awful Virus and possibly get all of your files back. For free no less.

    You are welcome in advance.

  34. Had a customer infected with this. Paid the ransom and very quickly got decrypt private key. Seems as though hackers will give you the key if you pay up. Customer had backup from previous night, but with the time it takes to restore and rebuild infected laptop, it was quicker and easier to pay up. Laptop had mapped network drives, so spread to half the docs on the network before network cable was pulled from the laptop. The encryption is RSA encryption and would take years to crack. Without the key from the hackers, your only option is backups and hope it doesn’t take long to restore, shadow copy or previous versions enabled.

    If you decide to pay and get the key, the program runs, decrypts the files, then will give you an opportunity to retry any skipped files. Customer had taken a USB drive out, so had to skip those files, then ran again when drive was put back in.

    Once you end the program, it removes itself from the system, so make sure you have run it against all encrypted files. Program remembers exact drive mappings, so if you’ve disconnected drive mappings, you will have to map to the same drive letter as before.

    Then hope no-one else opens up attachments without being certain what they are. This really is a case of once you let the crooks in, you’re at their mercy, unless you have a good backup solution. Once the timer counts down, that’s it, you can’t then decide to pay, but if you’ve paid, the counter will suspend while payment is being verified.

    One other thing – had no luck whatsoever trying to pay by the UK option of bit coins. You can create a wallet, but getting money into that wallet is damn near impossible! Had to get a US contact to pop into a 7 Eleven and buy a Moneypak card, put money on it using PayPal and then send the Moneypak card number to put into the program! You can’t use PayPal or Credit card to fund a bit coin account, so good luck with that!

    Hope additional info helps, as I spent half a day looking into how to pay!!

  35. Mauricio Delgado Robles

    Malware CryptoLocker was removed using both tools, first the Sophos Software and then I check with Malicious Software Removal, but those software just delete the malware, panda doesn’t decrypt the files touched for virus, the only software to fix this was ShadowExplorer, this work very good, quick and effective..

    Regards

    Mauricio

  36. Accountants infected, they paid via bitcoin from UK (£270) (not as easy as it sounds), over 50,000 encrypted files (xls(x), doc(x), pdf’s), decryption took 12 hours.. seems to have worked (can’t test 50,000 files), backups were 5 days old! Maybe now backups might be more important and double clicking any attachment might be thought twice about!

  37. Dear Users,

    I think you should not pay anything to anyone, I have just tried a very simple solution, I just formatted my c drive then I reinstalled my operating system, after that I have deleted my other drives also, then by using recovery software that is available freely online Ease US I have recovered 80 -90 % of my files and those files are not encrypted or corrupted.

    I think something is better than nothing. If any of you can recover files by using my technique then please let me know.

  38. Just got hit with the Malware Cryptolocker. What steps do I need to take to get rid of this?

  39. Searched google for removal of the parasite, but it is very difficult restore your encrypted files.

  40. Another Victim

    I deleted Cryptolocker virus and went inside the registry keys and folder files to delete all that was associated with the virus. My files still remained locked. The ransom price went up to 1400 USD and my system restore files somehow got deleted.

    I refuse to contribute to terrorists. The guy responsible for this virus is named Evgeniy Bogachev
    Everything about the mastermind behind the Cryptolocker virus is here on this FBI site
    fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev

    I am calling all bounty hunters and anyone else that can locate people, he ruined our computers, and is making profit from it. It’s time to send message to him, and anyone associated with him. If he wants us to pay for his virus he created he has another thing coming to him. FBI is asking for 3 million dollars to find Evgeniy Mikhaylovich Bogachev.

    Happy Hunting, spread this message across the web, time for international man hunt for Evgeniy Mikhaylovich Bogachev the CREATOR of the CRYPTOLOCKER virus (ransomware)

    I’d rather lose my files, just to see his criminal empire crashing down before him.
