Cryptolocker (also known as “Troj/Ransom-ACP” or “Trojan.Ransomcrypt.F”) is ransomware that encrypts all the files on the computer it infects. The bad news with this virus is that, once it infects your computer, your critical files are encrypted with strong encryption and it is practically impossible to decrypt them.
The Cryptolocker ransomware demands that you make a payment of 300$ or 300€ within a specific period of time (e.g. 72h or 100h), through a payment service (e.g. MoneyPak, Ukash, PaySafeCard, etc.), in order to unlock your files; otherwise, after that period, nobody can restore or decrypt them.
Cryptolocker is technically not a virus but a piece of malware, and it probably infects your computer when you open an innocent-looking email attachment from a seemingly legitimate sender, or through your network shares, or from an external USB drive that was plugged into your computer.
Once Cryptolocker infects your computer, it starts to encrypt all personal files on it and then sends the decryption key, known as the “CryptoLocker ID”, to an online server. When Cryptolocker finishes encrypting your files, a notification message appears on your screen demanding an immediate payment to unlock them. The message informs you that “Your personal files have been encrypted and you have 72 hours to pay us 300$”.
From our research on several sites, we can inform our readers that in some cases the files remain encrypted even though the user makes the payment. So make this decision (to pay to unlock your files) at your own risk. The other choice is to remove the CryptoLocker ransomware infection from your computer, but in this case you must realize that your files will remain encrypted even after you disinfect your computer from this nasty malware. If you take this decision (to disinfect your computer), the only way to restore your files is from shadow copies, using the Windows “Restore previous versions” feature found in recent versions of Windows.
Update (August 2014): FireEye & Fox-IT have released a new service that retrieves the private decryption key for users infected by the CryptoLocker ransomware. The service is called 'DecryptCryptoLocker'; it is available globally and does not require users to register or provide contact information in order to use it.
In order to use this service you have to visit this site: https://www.decryptcryptolocker.com/ and upload one encrypted CryptoLocker file from the infected computer (Notice: upload a file that doesn’t contain sensitive and/or private information). After you do that, you have to specify an email address in order to receive your private key and a link to download the decryption tool. Finally, run the downloaded CryptoLocker decryption tool (locally on your computer) and enter your private key to decrypt your CryptoLocker-encrypted files.
More information about this service can be found here: FireEye and Fox-IT Announce New Service to Help CryptoLocker Victims.
ONCE MORE: DO NOT CONTINUE TO REMOVE CRYPTOLOCKER VIRUS UNLESS:
YOU HAVE A CLEAN BACKUP COPY OF YOUR FILES STORED IN A DIFFERENT PLACE (like an unplugged portable hard disk)
YOU DON'T NEED THE ENCRYPTED FILES BECAUSE THEY ARE NOT SO IMPORTANT TO YOU.
YOU WANT TO GIVE IT A TRY TO RESTORE YOUR FILES USING THE SHADOW COPIES FEATURE (Step 5).
So, if you have taken your final decision, then proceed first to remove the Cryptolocker ransomware infection from your computer and then try to restore your files by following the steps below:
How to get rid of CryptoLocker RansomWare & Restore Cryptolocker Encrypted files.
CryptoLocker RansomWare Removal Guide
Step 1: Start your computer in “Safe Mode with Networking”
To do this,
1. Shut down your computer.
2. Start up your computer (Power On) and, as your computer is booting up, press the "F8" key before the Windows logo appears.
3. Using your keyboard arrows select the "Safe Mode with Networking" option and press "Enter".
Step 2. Stop and clean malicious running processes.
1. Download and save the "RogueKiller" utility on your computer* (e.g. on your Desktop).
Notice*: Download the x86 or x64 version according to your operating system's version. To find your operating system's version, right-click on your computer icon, choose "Properties" and look at the "System Type" section.
2. Double-click to run RogueKiller.
3. Let the prescan complete and then press the "Scan" button to perform a full scan.
4. When the full scan is completed, press the "Delete" button to remove all malicious items found.
5. Close RogueKiller and proceed to the next Step.
Step 3. Clean your computer from remaining malicious threats.
Download and install one of the most reliable free anti-malware programs today to clean your computer from remaining malicious threats. If you want to stay constantly protected from malware threats, existing and future ones, we recommend that you install Malwarebytes Anti-Malware PRO:
1. Run "Malwarebytes Anti-Malware" and allow the program to update to its latest version and malicious database if needed.
2. When the "Malwarebytes Anti-Malware" main window appears on your screen, choose the "Perform quick scan" option, then press the "Scan" button and let the program scan your system for threats.
3. When the scanning is completed, press “OK” to close the information message and then press the "Show results" button to view and remove the malicious threats found.
4. At the "Show Results" window check, using your mouse's left button, all the infected objects, then choose the "Remove Selected" option and let the program remove the selected threats.
5. When the removal of infected objects is complete, "Restart your system to remove all active threats properly".
6. Continue to the next step.
Step 4. Delete Cryptolocker Ransomware hidden files.
Notice: You must enable the hidden files view to perform this task.
1. Navigate to the following paths and delete all Cryptolocker Hidden files:
For Windows XP:
- C:\Documents and Settings\<YOUR USERNAME>\Application Data\RandomFileName.exe
For Windows Vista or Windows 7:
- C:\Users\<YOUR USERNAME>\AppData\Roaming\RandomFileName.exe
2. Finally delete all files and folders under your TEMP folders:
For Windows XP:
- C:\Documents and Settings\<YOUR USERNAME>\Local Settings\Temp\
For Windows Vista or Windows 7:
- C:\Users\<YOUR USERNAME>\AppData\Local\Temp\
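Because the dropped file has a random name, it helps to list what is actually in the two locations above before deleting anything. The following PowerShell script is an added example, not part of the original guide; it assumes Windows Vista or later with PowerShell 4.0+ (for Get-FileHash and the -File switch) and only lists and records, it deletes nothing.

```powershell
# Added example, not part of the original guide: list every executable sitting
# directly in the two locations Step 4 names, with the details needed to decide
# what to delete. Assumes Windows Vista or later and PowerShell 4.0+.
$locations = @(
    $env:APPDATA,  # C:\Users\<YOUR USERNAME>\AppData\Roaming
    $env:TEMP      # C:\Users\<YOUR USERNAME>\AppData\Local\Temp
)

$candidates = foreach ($dir in $locations) {
    # -Force includes hidden files; the guide says the dropped .exe is hidden.
    Get-ChildItem -Path $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path         = $_.FullName
                Hidden       = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                CreationTime = $_.CreationTime
                SizeKB       = [math]::Round($_.Length / 1KB, 1)
                SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Newest first: a hidden .exe created around the time the ransom note appeared
# is the file the guide tells you to delete.
$candidates | Sort-Object CreationTime -Descending | Format-Table -AutoSize

# Keep a record (path, hash, timestamps) before deleting, so the files can be
# looked up with your anti-malware vendor afterwards.
$report = Join-Path $env:USERPROFILE 'Desktop\cryptolocker-triage.csv'
$candidates | Export-Csv -Path $report -NoTypeInformation
```

On Windows XP substitute the "Application Data" and "Local Settings\Temp" paths shown above for $env:APPDATA and $env:TEMP.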
Restore your files from Shadow Copies.
Step 5. Restore your files after Cryptolocker Infection
After you have disinfected your computer from the Cryptolocker virus, it is time to try to restore your files to their state prior to the infection. For both methods we use the Shadow Copy feature, which is included in Windows XP and the later operating systems (Windows Vista, 7 & 8).
Method 1: Restore Cryptolocker-encrypted files using the Windows “Restore Previous versions” feature.
Method 2: Restore Cryptolocker-encrypted files using Shadow Explorer.
How to restore CryptoLocker encrypted files using Windows “Restore Previous versions” feature:
1. Navigate to the folder or the file that you want to restore in a previous state and right-click on it.
2. From the drop-down menu select “Restore Previous Versions”. *
Notice* for Windows XP users: Select “Properties” and then the “Previous Versions” tab.
3. Then choose a particular version of the folder or file and press the:
- “Open” button to view the contents of that folder/file.
- “Copy” button to copy this folder/file to another location on your computer (e.g. your external hard drive).
- “Restore” button to restore the folder/file to the same location and replace the existing one.
How to restore CryptoLocker encrypted files using “Shadow Explorer” utility.
ShadowExplorer is a free replacement for the Previous Versions feature of Microsoft Windows Vista / 7 / 8. You can use it to restore lost or damaged files from Shadow Copies.
1. Download and install the ShadowExplorer utility.
2. Run the ShadowExplorer utility and then select the date of the shadow copy from which you want to restore your folder/files.
3. Now navigate to the folder/file whose previous version you want to restore, right-click on it and select “Export”.
4. Finally, specify where the shadow copy of your folder/file will be exported/saved (e.g. your Desktop) and press “OK”.
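Both methods read the same Volume Shadow Copies. As an added example that is not part of the original guide, this PowerShell script does the restore from the command line: it lists the shadow copies of C:, exposes the chosen one through a directory symlink and copies a folder out of it. It assumes an elevated prompt on Windows Vista or later with PowerShell 3.0+; $Source and $Destination are placeholders to adjust.

```powershell
# Added example, not part of the original guide: restore a file or folder from a
# Volume Shadow Copy with PowerShell, which is what "Previous Versions" and
# ShadowExplorer do through a dialog. Run from an elevated prompt (mklink needs
# it) on Windows Vista or later with PowerShell 3.0+. Placeholders below.
$Source      = 'Users\<YOUR USERNAME>\Documents'  # path relative to the C: root
$Destination = 'C:\Recovered'                     # clean copies land here

# 1. List the shadow copies of C: in date order. Pick one taken BEFORE the ransom
#    note appeared; a later copy may already contain the encrypted versions.
$volume  = Get-CimInstance Win32_Volume -Filter "DriveLetter='C:'"
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate
if (-not $shadows) { throw 'No shadow copies exist for C:; this method cannot help.' }
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

# 2. Choose the copy to use. Here the oldest one; change the index after reading the list.
$chosen = @($shadows)[0]

# 3. A shadow copy is only reachable through its device object, so expose it as a
#    directory symlink (the trailing backslash is required) and copy from there.
$link = Join-Path $env:SystemDrive 'ShadowLink'
cmd /c mklink /d "$link" "$($chosen.DeviceObject)\" | Out-Null
try {
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -Path (Join-Path $link $Source) -Destination $Destination -Recurse -Force
    Write-Host "Restored '$Source' from the shadow copy of $($chosen.InstallDate) to $Destination"
} finally {
    # rmdir removes only the symlink; the shadow copy itself is untouched.
    cmd /c rmdir "$link" | Out-Null
}
```

Copy the recovered files to a separate location first, as in the “Copy” option of Method 1, and only replace the originals once you have checked that they open normally.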