CTB Locker, or Critoni, is a ransomware infection which belongs to the Crypto Ransomware family. This malware causes great harm to your system upon entering it. The program denies you access to your files and demands that you pay a ransom to regain accessibility to them. A message is displayed on your screen, stating that “Your personal files are encrypted” and the program asks that you pay a certain sum to give you back access to them. You should keep in mind, however, that paying the sum requested does not in any way guarantee that you will be able to use your files once more. Regardless of what you choose to do, it is uncertain whether your files will be restored. For this reason, the right action to undertake is to try to remove CTB Locker ransomware from your computer immediately.
How does the system get infected with CTB Locker ransomware?
There are a number of ways for CTB Locker to penetrate into your PC. This program uses the usual malware tactics, including malicious websites, compromised web links, false system upgrades and spam e-mails. The files can also come bundled up with a freeware program installed from an unreliable source. Most often, CTB Locker ransomware enters your system with the help of a Trojan horse. Once the Trojan has penetrated your system, it installs the malware program and leaves it to operate on its own. The purpose of Trojans is to grant access to malicious programs. Upon letting them in through the backdoor, they just lay low on your system, as the virus infects your computer.
What is dangerous about CTB Locker ransomware?
After CTB Locker has encrypted your files, it removes all icons from your desktop and displays a message on your screen. The message informs your that your files have been encrypted and tells you you have to pay a ransom within 72 hours to get access back to them. If you restart your system, the message will disappear and you will have access to your task bar, task manager and desktop icons, but your files will still be encrypted. The ransom amount differs, but it is usually in the amount of 24 USD, paid in bitcoins through an online transaction. If you decide to pay the amount, you have to download and install the Tor internet browser. Once the browser has been installed, you have to enter a private key and proceed with the payment. Like previously stated, paying the ransom does not guarantee getting access to your data back. You should know that providing any personal details through these bogus platforms can lead to data theft. The best you can do if you have decided to pay in hopes of getting your files decrypted is to remove the Trojan which let the CTB Locker ransomware infection into your system.
To remove the virus effectively, it is recommended that you use an automatic malware detection program.
How to remove CTB Locker ransomware?
Step 1: Locate the infection on your computer
Instructions for Windows 7 users
1. Check to make sure there are no floppy disks, CDs or DVDs inserted into your machine.
2. Restart your PC.
3. When a table appears on the screen, start tapping the F8 key repeatedly until you see the Advanced Boot Options screen.
4. Use the arrow keys to highlight the Safe Mode with Networking option and then click Enter.
5. When the OS loads, press the Windows logo button and the “R” key simultaneously.
6. A dialog box should open, type www.pc1news.com/download-instructions into the empty field.
7. Your Internet Explorer will launch and start downloading a security program.
8. Follow the instructions to install the antimalware tool and run a scan of your system.
Instructions for Windows 8 users
1. Make sure you do not have any floppy disks, CDs or DVDs inserted into your computer.
2. Start your system in Safe Mode with Networking.
3. Move the mouse cursor to the upper right corner of the screen to make the Charm bar appear.
4. Click on the magnifying glass icon.
5. Go to Settings.
6. Type Advanced into the Search box.
7. Click on the Advanced startup options field when it appears on the left.
8. Scroll down and click on the Restart Now button.
9. Then go to Troubleshoot.
10. Click on Advanced options.
11. Go to Startup settings.
12. Then press Restart.
13. A screen with safe startup options should appear, press F5 to Enable Safe Mode with Networking.
14. When the OS loads, press the Windows logo button and the “R” key simultaneously.
15. A dialog box will open. Enter the following in the blank space: www.pc1news.com/download-instructions
16. This will launch Internet Explorer and a malware scanner tool will start downloading.
17. Install the program and follow the instructions to remove the ransomware from your system.
Step 2: Locate the startup point of the CTB Locker virus
1. Press the Windows logo button and the “R” key simultaneously to open Run Command.
2. When the Run window opens, type taskschd.msc into the box to open the Task Scheduler.
3. Find and remove the scheduled task and the file it is pointing at.
4. Restart your computer.
Step 3: Restore the encrypted files
Below we have listed a couple of methods which may help you decrypt your files. Unfortunately, there is no guarantee that your data will be restored.
Method 1: Manual file recovery
You can use the System Restore option on your Windows. This feature is turned on automatically by default. The OS creates shadow copy snapshots that contain older copies dating to the last system restore. The snapshots help recover a previous version of the files to restore lost information, although it may not be the last version you have saved. The Shadow Volume Copies are available with the following systems: Windows XP SP2, Windows Vista, Windows 7 and Windows 8.
Method 2: Partial restoration of the encrypted files using MS Office junk files
1. Click on the Start button at the bottom of your screen and type Folder Options in the search box.
2. Select the Folder Options panel from the results.
3. Click on the View tab.
4. Select Show hidden files and folders from the Advanced settings and click OK.
The files you need to look for are in the .tmp extension and their names begin with ~WRL. These are Microsoft Office junk files which contain an earlier version of a Word document. The Cryptowall parasite does not encrypt these files. Although these document versions may not be the last ones saved, you can recover the data that is available. You can compare their sizes to figure out which file from your system they correspond to. You can use this method for Microsoft Office Word and Excel files.
Another way to restore files is by clicking on the Start button on your desktop and entering *.tmp into the search box. This will open a list of all the temporary files on your system. You have to open each of them with MS Word or Excel and recover the information stored in them by saving it to a different directory. The way to do this is by opening a new instance of MS Word/Excel. Go to the file menu, select open and navigate to the location of the TMP file.