Wednesday, 16 October 2013

Remove CryptoLocker virus and restore encrypted files

CryptoLocker is a ransomware trojan that encrypts your data and then asks you to pay a ransom in order to decrypt the files. The current ransom is $300 (300EUR in Europe) by MoneyPak or Bitcoins. It does not target Macs, at least for now. At first glance, it's just like any other file encrypting ransomware except that this variant is well coded and actually encrypts the files. It may encrypt files in other user's account and even in mapped drives. Other ransomware trojans not always managed to do the encryption right, some even displayed fake warnings but not this one. It really encrypts, the timer is real and you have only two options: to pay the ransom hoping that cyber crooks will start the decryption or restore your files from a backup (if you are lucky enough).

This threat gets in mostly via infected email attachments and drive-by downloads from infected web sites. It is also being pushed directly to infected computers that belong to certain botnets. As usual, cyber crooks will try all possible methods to infect as many computers as possible. Only because someone said that this malware is being spread via infected email attachments doesn't mean you won't get if after visiting an infected website, etc.

An email containing the Crypto Locker virus attachment with a subject "Annual Form - Authorization to Sue Privately Owned Vehicle on State Business" that supposedly came from Xerox. [Click to enlarge image]

Here's what the CryptoLocker notifications looks like. If you got it then it's already too late. Your files are encrypted. It might be slightly different in same cases but the message is the same - "Your personal files are encrypted". There's even an option to list all the encrypted files. CryptoLocker encrypts photos, videos, word/excel documents, Zip files, PDFs and more than 60 other file types. As I said, the timer is real, usually you have 3 days to pay the ransom.

Most antivirus programs have updated their AV engines and are now detecting this ransomware trojan but they cannot recover the encrypted files. For example, Avast detects it as Win32:Ransom-AQH [Trj]. AVG - Ransomer.CEL. Avira - TR/Fraud.Gen2. Detection ration is 38/48. See CryptoLocker analysis on VirusTotal for more details.

If your antivirus program found and removed CryptoLocker from your computer, you will see the following message. It's not a pop pup but a new desktop background.

Since the decryption is impossible without CryptoLocker, cyber crooks urge you to restore it from quarantine or download a new copy of this malware.

Normally, I don't recommend paying a ransom but this piece of malware is particularly nasty. The encryption is strong, there's no way you can brute force or guess the decryption key. Usually, public RSA 2048-bit keys are stored on infected computers but not private keys, they are stored on remotes servers controlled by cyber crooks. And you can't decrypt files without your private key. So, you have to make a decision. If the encrypted files are very important to you, worth more than $300 you could take the risk and pay the ransom. Paying the ransom does not guarantee the safe recovery of encrypted files. However, multiple users have reported that paying cyber crooks to decrypt the files actually does work. It may take a long time to decryp, up to 48 hours or even more. If you plan on paying the ransom, please be careful as you type the code because entering an incorrect payment code will decrease the amount of time you have available to decrypt your files. If everything goes smoothly, decryption will start:

If the payment information is incorrect or the Command and Control servers are down, you may get an error, similar to this one:

Personally, I think that paying the ransom is not a good idea at all because cyber crooks will almost certainly fund the creation of a new variant, probably even more sophisticated than the current one. On the other hand, I understand companies and users that have very important files and they can't afford to lose them. They simply do not have other options.

If the encrypted files are not very important or you don't have money to pay the ransom, you can remove this malware and restore your files (at least some of them) using Shadow Explorer. You could restore encrypted files one by one using System restore built-in features but with Shadow Explorer you can restore entire folders at once which is really great. Besides, this tool is free. To remove CryptoLocker and restore encrypted files, please follow the removal guide below. If there's anything you think I should add or correct, please let me know.

Written by Michael Kaur,

Step 1: Removing CryptoLocker and related malware:

Before restoring your files from shadow copies, make sure CryptoLocker is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install recommended anti-malware scanner. Run a full system scan and remove detected malware.

2. Then, download ESET Online Scanner and run a second scan to make sure there are no other malware running on your computer.

 That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


If you can't use anti-malware programs, you will have to remove CryptoLocker manually.

1. Download Process Explorer. CryptoLocker spawns two processes of itself. It's very difficult to end those processes using Task Manager, so you will have to use Process Explorer instead.

2. Open Process Explorer. Find CryptoLocker's processes. This malware uses a randomly-generated name, yours will be different.

IMPORTANT! Please copy the location of the executable file it points to into Notepad or otherwise note it. Crypto Locker saves itself to the root of the %AppData% path.

Windows XP: C:\Documents and Settings\[Current User]\Application Data\

Windows Vista/7/8: C:\Users\[Current User]\AppData\Roaming\

3. Right click on the first process and select Kill Process Tree. This will terminate both at the same time.

4. Remove the malicous file. Use the file location you saved into Notepad or otherwise noted in step in previous step. The file is hidden, so make sure that you can see hidden and operating system protected files in Windows. For more in formation, please read Show Hidden Files and Folders in Windows.

In my case, it was C:\Documents and Settings\[Current User]\Application Data\Klonpmmpdidlznt.exe

5. Go to start, and type regedit into Start search; this will open the registry editing tool (Registry Editor).

6. From the top, click on Edit, and scroll to Find (Ctrl+F). Type in the file name you noted earlier, and click Find next.

7. This should bring a result Cryptolocker; right click on the entry, and delete it.


In the righthand pane select the registry key named CryptoLocher. Right click on this registry key and choose Delete.


In the righthand pane select the registry key named *CryptoLocher. Right click on this registry key and choose Delete.

8. Press F3 to carry on the search, deleting each time. Do this until it has finished searching the registry, and then close down the editor. That's it!

Step 2: Restoring files encrypted by CryptoLocker using Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.

3. Righ-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.

The list of files to decrypt is maintained in the registry in:


No comments:

Post a Comment