Also Known As: CryptoLocker Virus
Distribution: Moderate
Damage level: <strong>Severe</strong>

CryptoLocker "Your personal files are encrypted!" removal guide

What is CryptoLocker?

CryptoLocker is a ransomware virus created by cyber criminals. The virus is distributed using 'exploit kits', which infiltrate users' computers using security vulnerabilities detected within outdated software. Common sources of exploit kits are infected email messages, malicious websites, and drive-by downloads. Note that exploit kits rely on outdated software in order to infiltrate systems, therefore, keeping your operating system and all installed programs up-to-date greatly reduces the risk of infection by ransomware viruses.

After successful infiltration, CryptoLocker encrypts files on the infected machine and demands payment of a 300 USD or 300 Euro ransom in order to unblock the computer and decrypt the files. Cyber criminals order this ransom payment using Ukash, cashU, MoneyPak, or Bitcoin. Note that paying this fine is equivalent to sending your money to cyber criminals with no guarantee that your files will be decrypted. Owners of the infected computer are advised to remove this virus and recover their files from a backup.


TorrentLocker ransomware:

Screenshot of recently released CryptoLocker ransomware copycat (called TorrentLocker):

cryptolocker copycat variant

Files encrypted by this ransomware get ".encrypted" extension. Notice that unlike the original Cryptolocker this ransomware doesn't remove the Shadow Volume Copies of the stored files, thus it's possible to use Windows restore feature to regain control of encrypted data.

Victims of TorrentLocker can use a tool (called 'TorrentUnlocker' created by Nathan - DecrypterFixer) to decrypt their files. More information on how to use this tool available at website.

PClock ransomware:

PClock ransomware - cryptolocker copycat

Another copycat of Cryptolocker is called PClock - it demands to pay a ransom of 1 bitcoin (approximately USD $300) in 72-hours. The list of encrypted files are stored in enc_files.txt file. The good news is that this ransomware uses week encryption and that Emisoft company has created a a decrypt tool for this malware. You can download it here.

CryptoLocker encrypts various files types (.doc .xls .ppt .eps .ai .jpg .srw .cer) found on the compromised machine. While the removal process of this virus is straightforward at time of writing, there are no known tools to decrypt the encrypted files. Today, ransomware viruses are becoming more complex, and due to encryption capabilities now available, it is especially important to make backups of your files. To eliminate CryptoLocker, use the removal guide provided.

Update: Victims of Cryptolocker ransomware can use a free online tool created by FireEye and Fox-IT to decrypt files compromised by this malware -

A message presented by the CryptoLocker Virus:

CryptoLocker "Your personal files are encrypted!"

Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet, the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files…

To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD/ 300 EUR / similar amount in another currency.

Click "Next" to select the method of payment and the currency.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.

Screenshots of CryptoLocker:

Cryptolocker virus

Quick menu:

CryptoLocker virus removal:

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer starting process press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced Startup options, in the opened "General PC Settings" window select Advanced Startup. Click on the "Restart now" button. Your computer will now restart into "Advanced Startup options menu". Click on the "Troubleshoot" button, then click on "Advanced options" button. In the advanced option screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into the Startup Settings screen. Press "5" to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the CryptoLocker Virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

Remover for CryptoLocker Virus

If you need assistance removing CryptoLocker, give us a call 24/7:
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. We are affiliated with anti-virus and anti-spyware software listed on this site. All the products we recommend were carefully tested and approved by our technicians as being one of the most effective solutions for removing this threat.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer starting process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt Mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer's system to an earlier time and date, prior to the ransomware virus infiltrating your PC).

select a restore point

6. In the opened window click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining CryptoLocker files.

If you cannot start your computer in Safe Mode with networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode, making its removal complicated. For this step you require access to another computer.

Update: Victims of Cryptolocker ransomware can use a free online tool created by FireEye and Fox-IT to decrypt files compromised by this malware -

Other tools known to remove this ransomware virus:

About the author:

I am passionate about computer security and technology. I have an experience of 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an editor for since 2010. Follow me on Google+ to stay informed about the latest online security threats.

Our malware removal guides are free. However, if you want to support us you can send us a donation.