Security Stronghold security made easy

How to remove Cryptolocker and decrypt your files

Has the CryptoLocker virus infected your computer and encrypted your files? If, when you turn on your computer, a black DECRYPT_INSTRUCTIONS.html wallpaper covers the entire desktop and offers to decrypt your files in return for payment, your computer has been infected with the Cryptolocker virus, a file-encrypting ransomware.

Cryptolocker image: [screenshot of the ransom message, not reproduced here]

This is just an example. Your message may look different.

In this article we'll show you how to remove the infection itself and recover your files.

* What is CryptoLocker Ransomware?

* How did the CryptoLocker virus get on my computer?

* Is it possible to decrypt files encrypted by CryptoLocker?

* How to remove the CryptoLocker ransomware (Virus Removal Guide)

* How to restore your files encrypted by Cryptolocker?

* How to avoid being infected again?

What is CryptoLocker Ransomware?

Cryptolocker is a malware program, created by cyber criminals, which encrypts files on your computer and offers decryption in exchange for a payment, the so-called ransom. This type of malware is called ransomware. It is well known that Cryptolocker can infect any Windows version and revision (Windows XP, Windows Vista, Windows 7 and Windows 8). Keep in mind that the infection itself is not very hard to remove; decryption of the files affected by this malicious program, on the other hand, is impossible without paying the ransom. This is why it is always good practice to keep a fresh backup copy of your files.

How did Cryptolocker malware get on my computer?

The Cryptolocker ransomware virus might infect your computer when you browse suspicious websites or reliable websites that have been compromised by cyber criminals, open infected email messages, or run fake downloads. In some cases Cryptolocker malware might be installed along with a free software program downloaded from the internet. When CryptoLocker ransomware is installed on your computer, it creates an executable in the %AppData% or %LocalAppData% folder. This executable is launched to scan all the drives on your computer for data files to encrypt. While encrypting your files, the ransomware also creates a ransom note named DECRYPT_INSTRUCTIONS.txt and puts it in each folder in which a file has been encrypted. Your Windows desktop wallpaper will also be changed to DECRYPT_INSTRUCTIONS.html. Both the wallpaper and the text ransom note contain the same information on how to access the payment site and get your files back.
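The two artifacts just described, the per-folder ransom notes and the executable dropped in %AppData% or %LocalAppData%, are what you would look for when triaging a machine. The script below is an added example, not part of the original article; it only lists what it finds and assumes Windows PowerShell 4.0 or later (for Get-FileHash) and that the system drive is C:.

```powershell
# Added example (not part of the original article): read-only triage for the
# CryptoLocker artifacts described above. Assumes Windows PowerShell 4.0 or
# later (Get-FileHash); adjust $ScanRoot if your system drive is not C:.
$ScanRoot  = 'C:\'
$NoteNames = @('DECRYPT_INSTRUCTIONS.txt', 'DECRYPT_INSTRUCTIONS.html')

# 1. Ransom notes. The article says one is dropped in every folder where a
#    file was encrypted, so the folders holding a note approximate the scope
#    of the damage, and the earliest note dates the infection.
$notes = Get-ChildItem -Path $ScanRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $NoteNames -contains $_.Name }

Write-Host ("Ransom notes found: {0}" -f @($notes).Count)
if ($notes) {
    $first = $notes | Sort-Object CreationTime | Select-Object -First 1
    Write-Host ("Earliest note: {0}  ({1})" -f $first.CreationTime, $first.FullName)
    Write-Host "Affected folders (first 20):"
    $notes.DirectoryName | Sort-Object -Unique | Select-Object -First 20 |
        ForEach-Object { Write-Host "  $_" }
}

# 2. Executables sitting directly in %AppData% or %LocalAppData%, where the
#    article says the ransomware installs itself. Legitimate software rarely
#    drops a bare .exe at the top of these folders, so each hit deserves a look.
Write-Host "`nExecutables at the top of %AppData% / %LocalAppData%:"
foreach ($dir in @($env:APPDATA, $env:LOCALAPPDATA)) {
    Get-ChildItem -Path $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # An unsigned binary written at about the time the notes appeared is
            # the strongest candidate; keep its hash for your AV vendor's analysts.
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Write-Host ("  {0}`n    signature: {1}`n    written:   {2}`n    sha256:    {3}" -f
                $_.FullName, $sig.Status, $_.LastWriteTime, $hash)
        }
}
```

Run it from an elevated PowerShell prompt; the full-drive scan for notes can take several minutes on a large disk.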

Is it possible to decrypt files encrypted by CryptoLocker?

No, at this time it is not possible. CryptoLocker is noteworthy for its encryption method: it uses AES-256 and RSA encryption. Data encrypted with an RSA public key can only be decrypted with the corresponding private key. Since the AES key is itself encrypted with RSA and the RSA private key is not available, decrypting the files is not possible. Because of the length of the AES key, brute-forcing it would take far too long, so that approach cannot be considered either. So, unfortunately, once CryptoLocker has finished encrypting the data, decryption is not possible without paying the ransom on the Decryption Service site. Note that paying the ransom demanded by this ransomware means sending your money to cyber criminals and supporting their criminal goals. More importantly, there is NO guarantee that your files will ever be decrypted. Therefore, the ideal solution is to remove this ransomware virus and then restore your data from a backup.

How to remove the CryptoLocker ransomware

There are a few ways to remove Cryptolocker from your computer. First, we will remove the malware itself:

  1. Start your computer in Safe Mode with Networking. To do that, restart your computer and, before your system starts, hit F8 several times. This stops the system from loading and shows the Advanced Boot Options screen. Choose the Safe Mode with Networking option from the list using the up and down arrows on your keyboard and hit Enter.

  2. Log in to the system infected with the Cryptolocker virus. Launch your Internet browser, download a reliable anti-malware program and start a full system scan. Once the scan is complete, review the scan results and remove all detected entries.

  3. Download Removal Tool to remove Cryptolocker

If your computer fails to start in Safe Mode with Networking, try to perform a System Restore by following the steps below:

  1. Start your computer in Safe Mode with Command Prompt. To do that, restart your computer and, before your system starts, hit F8 several times. This stops the system from loading and shows the Advanced Boot Options screen. Choose the Safe Mode with Command Prompt option from the list using the up and down arrows on your keyboard and hit Enter.

  2. When the Command Prompt loads, type the following command: cd restore and press ENTER.

  3. Next, type this command: rstrui.exe and press ENTER.

  4. This command starts the System Restore utility. Choose one of the available restore points from before your system was infected with the Cryptolocker virus. Note that this method is effective only if System Restore was enabled on the infected operating system.

  5. Once the restore is complete, download the recommended malware removal and protection program and scan your PC to eliminate any remaining Cryptolocker files.

In some cases the ransomware virus disables Safe Mode, making the removal process more complicated, so the Safe Mode option might not be available. In that case you should try using a Windows installation DVD to restore your system to a previous date and time.

How to restore your files encrypted by Cryptolocker

Second, once the removal of the ransomware program is complete, you need to restore your files. As mentioned above, it is impossible to decrypt files encrypted by Cryptolocker, which is why we'll use ShadowExplorer to extract your files from the shadow copies that the Windows operating system creates by default. So, what is ShadowExplorer? It is a program that lets you browse the shadow copies created by the Windows Vista/7/8 Volume Shadow Copy Service. You can download ShadowExplorer from the link below:

Shadow Explorer Download Link

Once you have downloaded and installed ShadowExplorer, run it (from your Start menu or a desktop icon). You will see a window showing the files stored in shadow copies. Choose the drive letter from which you want to restore your files. Locate the files or folders you want to restore, right-click them and select Export from the drop-down menu. You will then be prompted to select a folder to restore these files to; pick or create one. After the restore is complete, your files are ready to use.
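ShadowExplorer can only show snapshots that actually exist and that predate the encryption. The script below is an added example, not part of the article or of ShadowExplorer: it lists the Volume Shadow Copies through Win32_ShadowCopy, the same VSS data ShadowExplorer browses, and marks which ones are older than a cutoff time you supply (the creation time of the earliest ransom note). It assumes Windows PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example (not part of the article or of ShadowExplorer): list the Volume
# Shadow Copies on this machine before installing anything, so you know whether
# a snapshot older than the infection exists. Assumes Windows PowerShell 3.0 or
# later and an elevated prompt. Pass -Cutoff the creation time of the earliest
# ransom note; snapshots taken after it already contain encrypted files.
param(
    [datetime]$Cutoff = (Get-Date)
)

# Win32_ShadowCopy is the same VSS data that ShadowExplorer browses.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop |
    Sort-Object InstallDate)

if ($shadows.Count -eq 0) {
    Write-Warning 'No shadow copies exist on this system; ShadowExplorer will have nothing to show.'
    return
}

# VolumeName is a \\?\Volume{GUID}\ path; map it to a drive letter for readability.
$volumes = Get-CimInstance -ClassName Win32_Volume
$usable  = 0

foreach ($s in $shadows) {
    $vol   = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }
    $state = if ($s.InstallDate -lt $Cutoff) { $usable++; 'pre-infection' } else { 'too new' }
    Write-Host ("{0,-4} {1:yyyy-MM-dd HH:mm}  {2,-14} {3}" -f
        $vol.DriveLetter, $s.InstallDate, $state, $s.DeviceObject)
}

Write-Host ("`n{0} of {1} shadow copies predate the cutoff {2:yyyy-MM-dd HH:mm}." -f
    $usable, $shadows.Count, $Cutoff)
if ($usable -eq 0) {
    Write-Warning 'Every snapshot is newer than the infection; restore from an external backup instead.'
}
```

Save it as a .ps1 file and run it as, for example, `.\List-ShadowCopies.ps1 -Cutoff '2017-03-01 14:00'`; without -Cutoff every existing snapshot is reported as pre-infection.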

What to do to avoid being infected with Cryptolocker ransomware?

To avoid infection with a ransomware virus, stay on guard when opening email messages, since cyber criminals use catchy titles to trick you into opening an infected email attachment. Always check the link address when browsing the internet. And, of course, watch what you download from the internet or P2P networks. Cyber criminals can disguise their ransomware viruses as legitimate downloads (for example, a Flash Player update). To protect your computer in the future, it is good practice to use reliable antivirus and anti-spyware programs.

* SpyHunter 4

* Stronghold AntiMalware

* MalwareBytes AntiMalware

Hope this article helped you to resolve your issue. Good luck.


Copyright © 2017 Security Stronghold. All Rights Reserved. All content on this website is protected and belongs to Security Stronghold LLC.