Written by Tomas Meskauskas on
CryptoLocker "Your personal files are encrypted!" removal guide
What is CryptoLocker?
CryptoLocker is a ransomware virus created by cyber criminals. The virus is distributed using 'exploit kits', which infiltrate users' computers through security vulnerabilities found in outdated software. Common sources of exploit kits are infected email messages, malicious websites, and drive-by downloads. Note that exploit kits rely on outdated software in order to infiltrate systems; therefore, keeping your operating system and all installed programs up-to-date greatly reduces the risk of infection by ransomware viruses.
After successful infiltration, CryptoLocker encrypts files on the infected machine and demands payment of a 300 USD or 300 Euro ransom in order to unblock the computer and decrypt the files. The cyber criminals demand that this ransom be paid using Ukash, cashU, MoneyPak, or Bitcoin. Note that paying this ransom is equivalent to sending your money to cyber criminals, with no guarantee that your files will be decrypted. Owners of infected computers are advised to remove this virus and recover their files from a backup.
Screenshot of a recently released CryptoLocker ransomware copycat (called TorrentLocker):
Files encrypted by this ransomware receive the ".encrypted" extension. Note that, unlike the original CryptoLocker, this ransomware does not remove the Shadow Volume Copies of the stored files, so it is possible to use the Windows restore feature to regain access to the encrypted data.
Victims of TorrentLocker can use a tool called 'TorrentUnlocker' (created by Nathan - DecrypterFixer) to decrypt their files. More information on how to use this tool is available on the bleepingcomputer.com website.
Another copycat of CryptoLocker is called PClock. It demands a ransom of 1 bitcoin (approximately USD $300) within 72 hours. The list of encrypted files is stored in the enc_files.txt file. The good news is that this ransomware uses weak encryption and that Emsisoft has created a decryption tool for this malware. You can download it here.
CryptoLocker encrypts various file types (.doc .xls .ppt .eps .ai .jpg .srw .cer) found on the compromised machine. While removing this virus is straightforward, at the time of writing there are no known tools to decrypt the encrypted files. Ransomware viruses are becoming more complex, and given the encryption capabilities now available, it is especially important to keep backups of your files. To eliminate CryptoLocker, use the removal guide provided.
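The two copycat traits above (the ".encrypted" extension left by TorrentLocker and the enc_files.txt list kept by PClock) and the surviving Shadow Volume Copies give a responder a quick triage and recovery routine. The following script is an added example, not code from the original article or from any decryption tool it mentions; it assumes the scan root lives on the C: volume, that it runs from an elevated PowerShell prompt, and uses C:\ShadowView as a constructed placeholder for the snapshot link.

```powershell
# Added triage/recovery helper; not from the original article. Assumptions:
# the ".encrypted" extension (TorrentLocker), the enc_files.txt list (PClock)
# and the Shadow-Volume-Copies point come from the text above; C:\ShadowView
# is a constructed placeholder; $ScanRoot is on the C: volume. Run elevated.
param(
    [string]$ScanRoot = $env:USERPROFILE,
    [string]$LinkPath = 'C:\ShadowView'
)
# 1. Inventory files the copycat renamed with the ".encrypted" extension.
$encrypted = @(Get-ChildItem -Path $ScanRoot -Recurse -Force -File `
               -Filter '*.encrypted' -ErrorAction SilentlyContinue)
"Files with .encrypted extension: $($encrypted.Count)"

# 2. PClock keeps its own victim list in enc_files.txt; report it if present.
$listFile = Join-Path $ScanRoot 'enc_files.txt'
if (Test-Path $listFile) {
    $listed = @(Get-Content $listFile | Where-Object { $_.Trim() -ne '' })
    "Paths listed in enc_files.txt: $($listed.Count)"
}

# 3. Check whether Shadow Volume Copies survived. The original CryptoLocker
#    deletes them; if none remain, recovery has to come from a backup.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
             Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) {
    "No shadow copies present on this system."
    return
}
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

# 4. Expose the newest snapshot through a directory symlink so pre-infection
#    originals can be copied out. mklink needs the trailing backslash.
$newest = $shadows[0]
if (-not (Test-Path $LinkPath)) {
    cmd.exe /c "mklink /d `"$LinkPath`" `"$($newest.DeviceObject)\`"" | Out-Null
}
"Snapshot from $($newest.InstallDate) is browsable at $LinkPath"

# 5. For each encrypted file, pull its pre-infection original out of the
#    snapshot next to it as <name>.recovered; nothing on disk is overwritten.
foreach ($f in $encrypted) {
    $original = $f.FullName -replace '\.encrypted$', ''
    $relative = $original.Substring(3)          # drop the "C:\" prefix
    $inShadow = Join-Path $LinkPath $relative
    if (Test-Path -LiteralPath $inShadow) {
        Copy-Item -LiteralPath $inShadow -Destination "$original.recovered"
    }
}
```

When finished, remove the link with `cmd /c rmdir C:\ShadowView`, which deletes only the symlink and leaves the snapshot itself intact.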
A message presented by the CryptoLocker Virus:
CryptoLocker "Your personal files are encrypted!"
Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet, the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files…
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD/ 300 EUR / similar amount in another currency.
Click "Next" to select the method of payment and the currency.
Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.
Screenshots of CryptoLocker:
- What is CryptoLocker?
- STEP 1. "CryptoLocker" virus removal using safe mode with networking.
- STEP 2. "CryptoLocker" ransomware removal using System Restore.
CryptoLocker virus removal:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, then click OK. While your computer is starting, press the F8 key on your keyboard repeatedly until you see the Windows Advanced Options menu, then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced Startup options, and in the opened "General PC Settings" window select Advanced Startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options" menu. Click the "Troubleshoot" button, then click the "Advanced options" button. In the Advanced options screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press "5" to boot into Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Log in to the account infected with the CryptoLocker Virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":
1. While your computer is starting, press the F8 key on your keyboard repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer's system to an earlier time and date, prior to the ransomware virus infiltrating your PC).
6. In the opened window click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining CryptoLocker files.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode, which complicates removal. For this step you will need access to another computer.
Other tools known to remove this ransomware virus: