Written by Tomas Meskauskas
Damage level: Severe
CryptoLocker "Your personal files are encrypted!" removal guide
CryptoLocker is a ransomware virus created by cyber criminals. This virus is distributed using exploit kits, which infiltrate a user's computer through security vulnerabilities in out-of-date software. The most common sources of exploit kits are infected email messages, malicious websites and drive-by downloads. Notice that because exploit kits rely on out-of-date software to infiltrate a computer, keeping your operating system and all installed programs up to date greatly decreases the risk of your PC being infected with such ransomware viruses.
After successful infiltration CryptoLocker encrypts files on the infected machine and demands a ransom of 300 USD or 300 EUR to decrypt them. Cyber criminals demand that the ransom be paid using Ukash, cashU, MoneyPak or Bitcoin. Notice that paying this ransom is equal to sending your money to cyber criminals, and there is no guarantee that your files will ever be decrypted. Ideally, owners of the infected computer should remove this virus and recover their files from a backup.
CryptoLocker encrypts many file types (.doc, .xls, .ppt, .eps, .ai, .jpg, .srw, .cer and others) found on the compromised machine. Notice that while removing this virus is not very complicated, at the time of writing this article there are no known tools that can decrypt the encrypted files. Removing the malware stops further encryption but does not restore files that are already encrypted, so keep copies of the encrypted files in case a decryption method becomes available later, and check that the backup you restore from was not itself reachable from the infected machine (files on mapped network shares and attached drives can be encrypted too). Ransomware viruses are becoming more complex, and because of their encryption capabilities it is especially important to have backups of your files. To eliminate CryptoLocker, use the removal guide provided below.
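Before restoring from backup it helps to know which files on the machine were actually hit. The script below is an added example, not code from the original guide or from the malware: it walks a directory tree, looks only at the extensions the article lists (a sample, not CryptoLocker's full target list), and flags a file as encrypted when its header no longer matches the expected format and its first bytes look like ciphertext (Shannon entropy near 8 bits per byte). It assumes encrypted files keep their original names and extensions and only their content was replaced; the demo tree it builds is constructed for illustration, with random bytes standing in for ciphertext.

```python
"""Offline triage: which targeted files look CryptoLocker-encrypted?

Added example, not part of the original guide. Assumptions: encrypted files
keep their original name/extension and only the content was replaced; the
extension list is the one quoted on the page, not the malware's full list.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions named in the article (sample only).
TARGETED_EXTENSIONS = {".doc", ".xls", ".ppt", ".eps", ".ai", ".jpg", ".srw", ".cer"}

# Leading bytes a healthy file of each format starts with. A format missing
# here (e.g. .srw) is judged by entropy alone.
MAGIC = {
    ".doc": (b"\xd0\xcf\x11\xe0",),            # OLE2 compound document (Office 97-2003)
    ".xls": (b"\xd0\xcf\x11\xe0",),
    ".ppt": (b"\xd0\xcf\x11\xe0",),
    ".jpg": (b"\xff\xd8\xff",),                # JPEG SOI marker
    ".eps": (b"%!PS", b"\xc5\xd0\xd3\xc6"),     # PostScript text or DOS EPS binary header
    ".ai": (b"%!PS", b"%PDF"),
    ".cer": (b"-----BEGIN", b"\x30\x82"),       # PEM text or DER SEQUENCE
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0
SAMPLE_SIZE = 4096       # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_bytes(ext: str, head: bytes) -> str:
    """'intact' if the header matches the format, 'encrypted' if the sample
    looks like ciphertext, otherwise 'unknown' (empty, odd or unlisted format)."""
    if any(head.startswith(m) for m in MAGIC.get(ext, ())):
        return "intact"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "unknown"


def triage_tree(root: Path) -> dict:
    """Map each targeted file under `root` (path relative to root) to a verdict."""
    results = {}
    for path in sorted(root.rglob("*")):
        ext = path.suffix.lower()
        if path.is_file() and ext in TARGETED_EXTENSIONS:
            with path.open("rb") as fh:
                results[path.relative_to(root).as_posix()] = classify_bytes(ext, fh.read(SAMPLE_SIZE))
    return results


def summarize(results: dict) -> dict:
    """Count files per verdict, e.g. {'intact': 3, 'encrypted': 1}."""
    return dict(Counter(results.values()))


def build_demo_tree() -> Path:
    """Constructed sample tree for the demo (not real victim data)."""
    root = Path(tempfile.mkdtemp(prefix="cl_triage_"))
    (root / "docs").mkdir()
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 200)
    (root / "logo.ai").write_bytes(b"%!PS-Adobe-3.0 EPSF-3.0\n%%Creator: demo\n")
    (root / "docs" / "cert.cer").write_bytes(b"\x30\x82\x01\x0a" + b"\x00" * 100)
    (root / "docs" / "report.doc").write_bytes(os.urandom(SAMPLE_SIZE))  # stands in for ciphertext
    (root / "docs" / "raw.srw").write_bytes(b"A" * 2000)                  # no magic known, low entropy
    (root / "notes.txt").write_text("not a targeted extension")
    return root


if __name__ == "__main__":
    findings = triage_tree(build_demo_tree())
    for name, verdict in findings.items():
        print(f"{verdict:9s} {name}")
    print(summarize(findings))
```

Point it at a mounted copy of the victim's drive rather than the live system. The entropy test is a heuristic: already-compressed formats with no header check (RAW photos, archives) can score high on their own, so treat "encrypted" as a candidate list to confirm against the backup, not as proof.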
Message presented by the CryptoLocker virus:
CryptoLocker "Your personal files are encrypted!"
Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet, the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files…
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD/ 300 EUR / similar amount in another currency.
Click "Next" to select the method of payment and the currency.
Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.
Screenshots of CryptoLocker:
Notice that at the time of writing this article there are no known tools that can decrypt files encrypted by CryptoLocker. We will update this article as soon as more information regarding decryption of the compromised files becomes available.
CryptoLocker virus removal:
Windows XP and Windows 7 users: During your computer's start-up process, press the F8 key on your keyboard repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Networking from the list and press ENTER.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options; in the opened "General PC Settings" window select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options" menu. Click the "Troubleshoot" button, then click the "Advanced options" button. In the advanced options screen click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press "5" to boot into Safe Mode with Networking (option "6" is Safe Mode with Command Prompt, used in the System Restore steps below).
Video showing how to start Windows 8 in "Safe Mode with Networking":
Log in to the account that is infected with the CryptoLocker virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all the entries that it detects.
If you can't start your computer in Safe Mode with Networking, try doing a System Restore.
Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":
1. Start your computer in Safe Mode with Command Prompt: during your computer's start-up process, press the F8 key on your keyboard repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Command Prompt from the list and press ENTER.
2. When the command prompt loads, type cd restore and press ENTER.
3. Next type rstrui.exe and press ENTER.
4. In the opened window click "Next".
5. Select one of the available restore points and click "Next" (this restores your computer's system files and settings to an earlier date, before this ransomware virus infiltrated your PC; System Restore does not recover or decrypt your personal files).
6. In the opened window click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining CryptoLocker files.
If you can't start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer from a rescue disk. Some variants of ransomware disable Safe Mode, making their removal more complicated. For this step you will need access to another computer.
Other tools known to remove this ransomware virus: