Crypt0L0cker Virus [Updated]

Also Known As: .encrypted virus
Distribution: Moderate
Damage level: Severe


Crypt0L0cker ransomware removal instructions

What is Crypt0L0cker?

Crypt0L0cker (or TorrentLocker) is a ransomware infection that infiltrates computers through infected email attachments (message topics often include “package tracking”, “speeding tickets”, “unpaid invoice”, etc.). Note that cyber criminals localise these spam email messages to make them appear legitimate. For example, computer users located in the United Kingdom receive fake email messages claiming to be package tracking messages from Royal Mail, PC users from Australia receive messages from Australia Post, etc. After successful infiltration, this malware encrypts files on victims' computers and demands ransom payments of 2.2 Bitcoin to decrypt them. Crypt0l0cker ransomware (some newer variants use the name CryptoLocker) encrypts all files found on victims' computers except those with the following extensions: .html, .inf, .manifest, .chm, .ini, .tmp, .log, .url, .lnk, .cmd, .bat, .scr, .msi, .sys, .dll, .exe, .avi, .wav, .mp3, .gif, .ico, .png, .bmp, and .txt (files needed for normal Windows operation).


Successfully encrypted files receive the .encrypted or .enc extension. In folders containing encrypted files, Crypt0l0cker places DECRYTP_INSTRUCTIONS.html and DECRYPT_INSTRUCTIONS.txt files with instructions on how to pay the ransom. Updated variants of this ransomware use 6 random letters as an extension for encrypted files, and their ransom-demanding messages are presented in HOW_TO_RESTORE_FILES.txt and HOW_TO_RESTORE_FILES.html files. This ransomware is targeted at computer users from Australia, Austria, Canada, Czech Republic, Italy, Ireland, France, Germany, Netherlands, Korea, Thailand, New Zealand, Spain, Turkey, and the United Kingdom. This is an updated variant of malware previously known as TorrentLocker. The cyber criminals responsible for creating Crypt0l0cker ransomware use the Tor network to collect ransom payments from victims. The Tor network ensures that the criminals' identities and locations remain anonymous.

Ransomware infections such as Crypt0L0cker (including CryptoWall, TeslaCrypt, and CTB-Locker) present a strong case for maintaining regular backups of your stored data. Note that paying the ransom demanded by this ransomware is equivalent to sending your money to cyber criminals: you will support their malicious business model, and there is no guarantee that your files will ever be decrypted. To avoid infection with ransomware such as this, exercise caution when opening email messages, since cyber criminals use various catchy titles to trick PC users into opening infected email attachments. At time of writing, no tools were available to decrypt files affected by Crypt0locker malware without paying the ransom.

Crypt0l0cker ransomware changes the victim's desktop wallpaper:


Screenshot of a folder containing files encrypted by Crypt0l0cker ransomware (files receive .encrypted or .enc extensions):


Updated variant of Crypt0l0cker ransomware appends 6 random characters to extensions of the encrypted files:


Cyber criminals have translated Crypt0l0cker ransomware into various languages to target different countries. Here is an example of this ransomware targeting PC users from Korea:


Screenshots of Crypt0l0cker ransomware targeting PC users from Germany (adds “wie_zum_Wiederherstellen_von_Dateien.html” and “wie_zum_Wiederherstellen_von_Dateien.txt” files):


Screenshot of DECRYTP_INSTRUCTIONS.html file:


Text presented in DECRYTP_INSTRUCTIONS.html file:

WARNING we have encrypted your files with Crypt0L0cker virus. Your important files (including those on the network disks, USB, etc): photos, videos, documents, etc. were encrypted with our Crypt0L0cker virus. The only way to get your files back is to pay us. Otherwise, your files will be lost. Caution: Removing of Crypt0L0cker will not restore access to your encrypted files.

Screenshot of DECRYPT_INSTRUCTIONS.txt file:


Text presented in DECRYTP_INSTRUCTIONS.html file:

!!! WE HAVE ENCRYTPED YOUR FILES WITH Crypt0L0cker VIRUS !!!
What happened to my files? Your important files: photos, videos, document, etc. were encrypted with our Crypt0L0cker virus. This virus uses very strong encryption algorithm - RSA -2048. Breaking of RSA-2048 encryption algorithm is impossible without special decryption key. How can I get my files back? Your files are now unusable and unreadable, you can verify it by trying to open them. The only way to restore them to a normal condition is to use our special decryption software. You can buy this decryption software on our website.

Website (reachable through the Tor network) used by cyber criminals to collect the ransom (2.2 BTC):


Samples of infected email messages used in Crypt0L0cker ransomware distribution:


Samples of rogue websites used in Crypt0L0cker ransomware distribution:


Screenshot of Crypt0l0cker decryption software (received by the victims who pay the ransom):


Note that at time of writing, there were no known tools capable of decrypting files encrypted by Crypt0l0cker without paying the ransom (try restoring your files from Shadow copies). By following this removal guide, you will be able to remove this ransomware from your computer; however, the affected files will remain encrypted. We will update this article as soon as there is more information available regarding decryption of compromised files.

Update 15 June 2016 - Cyber criminals have updated Crypt0l0cker ransomware with a new ransom-demanding message. Other updates include the names of the files in which the ransom-demanding messages are stored. The text version of the message is now stored in the HOW_TO_RESTORE_FILES.txt file, and the HTML version is now presented in the HOW_TO_RESTORE_FILES.html file. Files encrypted by this ransomware continue to get the .encrypted extension. Some newer variants add the .enc extension to encrypted files.
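As an added example (not code from the original page), the following read-only Python triage script walks a directory tree and reports where the indicators named on this page appear: the ransom-note file names, the .encrypted and .enc extensions, and six-letter extensions when a note sits in the same folder. The function names, and the extra normally spelled DECRYPT_INSTRUCTIONS.html entry, are assumptions made here.

```python
import os
import re

# Ransom-note names as this page lists them, compared case-insensitively.
# "DECRYTP_..." is the page's spelling; "DECRYPT_INSTRUCTIONS.html" is added
# here as an assumption in case the on-disk name is spelled normally.
NOTE_NAMES = {n.lower() for n in (
    "DECRYTP_INSTRUCTIONS.html", "DECRYPT_INSTRUCTIONS.html",
    "DECRYPT_INSTRUCTIONS.txt",
    "HOW_TO_RESTORE_FILES.txt", "HOW_TO_RESTORE_FILES.html",
    "wie_zum_Wiederherstellen_von_Dateien.html",
    "wie_zum_Wiederherstellen_von_Dateien.txt",
)}
FIXED_EXTS = {".encrypted", ".enc"}          # extensions named on the page
SIX_LETTERS = re.compile(r"\.[a-z]{6}")      # updated variants: 6 random letters


def classify(filename, note_in_dir):
    """Return "note", "encrypted" or None for a single file name."""
    lower = filename.lower()
    if lower in NOTE_NAMES:
        return "note"
    ext = os.path.splitext(lower)[1]
    if ext in FIXED_EXTS:
        return "encrypted"
    # A six-letter extension alone is weak evidence (".config", ".sqlite"),
    # so it only counts when a ransom note sits in the same directory.
    if note_in_dir and SIX_LETTERS.fullmatch(ext):
        return "encrypted"
    return None


def scan(root):
    """Walk root; return {directory: {"notes": [...], "encrypted": [...]}}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        note_in_dir = any(f.lower() in NOTE_NAMES for f in files)
        hit = {"notes": [], "encrypted": []}
        for name in sorted(files):
            kind = classify(name, note_in_dir)
            if kind == "note":
                hit["notes"].append(name)
            elif kind == "encrypted":
                hit["encrypted"].append(name)
        if hit["notes"] or hit["encrypted"]:
            findings[dirpath] = hit
    return findings


if __name__ == "__main__":
    import sys
    for directory, hit in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{directory}: {len(hit['encrypted'])} encrypted file(s), "
              f"notes: {', '.join(hit['notes']) or 'none'}")
```

Run it against a user profile or a mounted network share to see which folders need restoring from backup; it only lists file names and never opens or modifies files.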

Screenshot of HOW_TO_RESTORE_FILES.html file:

HOW_TO_RESTORE_FILES.html file content:

WARNING
we have encrypted your files with Crypt0L0cker virus
Your important files (including those on the network disks, USB, etc): photos, videos, documents, etc. were encrypted with our Crypt0L0cker virus. The only way to get your files back is to pay us. Otherwise, your files will be lost.
Caution: Removing of Crypt0L0cker will not restore access to your encrypted files.
To recover your files you have to pay.
In order to restore the files open our website - and follow the instructions.
If the website is not available please follow these steps:
1. Download and install TOR-browser from this link: https://www.torproject.org/download/download-easy.html.en
2. After installation run the browser and enter the address: -
3. Follow the instructions on the website.

Screenshot of HOW_TO_RESTORE_FILES.txt file:

HOW_TO_RESTORE_FILES.txt file content:

============================================================
            !!! WE HAVE ENCRYPTED YOUR FILES WITH Crypt0L0cker !!!
============================================================

Your important files (including those on the network disks, USB, etc): photos,
videos, documents, etc. were encrypted with our Crypt0L0cker. The only way to
get your files back is to pay us. Otherwise, your files will be lost.
You have to pay us if you want to recover your files.
In order to restore the files open our website
-
and follow the instructions.
If the website is not available please follow these steps:
1. Download and run TOR-browser from this link: https://www.torproject.org/download/download-easy.html.en
2. After installation run the browser and enter the address: -
3. Follow the instructions on the website.

============================================================

Screenshots of a website used by cyber criminals to give ransom demand instructions and communicate with their victims:

"Buy decryption" section:


Buy decryption and get all your files back
Buy decryption for 499 USD before 2016-06-20 12:41:31 PM OR buy it later with the price of 998 USD
Time left before price increase: 119:59:24 Your total files encrypted: 8300 Current price: 0.77387415 BTC (around 499 USD) Paid until now: 0 BTC (around 0 USD) Remaining amount: 0.77387415 BTC (around 499 USD) Buy Decryption with
1. Register bitcoin wallet
You should register Bitcoin wallet, see easy instructions or watch video on YouTube.
2. Buy bitcoins
Please see recommended bitcoin sellers in your country:
howtobuybitcoins.info - List of places to buy bitcoins in your country.
localbitcoins.com - Buy bitcoin. Fast, easy and safe. Near you.
www.happycoins.com - European Bitcoin exchange with instant payment methods like Sofort, iDEAL, MisterCash.
dagensia.eu - You can get your first Bitcoin with Sofort Uberweisung, SEPA or Bank wire.
www.coinmama.com - Buy Bitcoins with your credit card, Western Union, MoneyGram, Perfect Money and more!
3. Send Bitcoins for decryption software
Send 0.77387415 BTC (around 499 USD) to our Bitcoin wallet address. It is possible to split total amount into several payments.
Our bitcoin wallet address: 1KqrpapPyyvm38cyT7KZydwFVkj8jrP49w
4. Verify payment and decrypt your files
Press "Verify Payment" button and receive decryption software download link.

"Decrypt single file" section:


Decrypt Single File free
Make sure that decryption is possible, restore one file for free before you buy the decryption
Please select a file to decrypt, website will decrypt only one file
Note: file should not be more than 1 megabyte

"Frequently Asked Questions" section:


How can I decrypt my files after payment ?
Buy and download the decryption software
After your bitcoin transaction is verified (it takes 5-10 minutes after payment is done), you will be given a download link for your unique decryption software. Download and run the software on your encrypted PC, decryption process may take up to 4 hours.
Will the decryption software restore my files on network disk(s) ?
Connect encrypted network drive(s) to PC and then run the software
If you have your files encrypted on any network disk(s), you should run decryption software right after you connect the disk(s) to your PC. Software will decrypt all files on your PC, then will decrypt the files on network disk(s).
My files were encrypted more then a month ago, can I still decrypt them ?
It will be impossible to restore files after 1 month
No, your unique decryption software will be deleted after one month period. When it happens no one, including us, can help you restoring your files. All your data will be lost forever.

Crypt0L0cker ransomware removal:


Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.


Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced Startup options, in the opened "General PC Settings" window select Advanced Startup. Click on the "Restart now" button. Your computer will now restart into "Advanced Startup options menu". Click on the "Troubleshoot" button, then click on "Advanced options" button. In the advanced option screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into the Startup Settings screen. Press "5" to boot in Safe Mode with Networking.


Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.


Step 2

Log in to the account infected with Crypt0L0cker. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.




If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.


1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.


2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.


3. Next, type this line: rstrui.exe and press ENTER.


4. In the opened window, click "Next".


5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Crypt0L0cker ransomware virus infiltrating your PC).


6. In the opened window, click "Yes".


7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Crypt0L0cker files.

To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Crypt0L0cker are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click on it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.


If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Crypt0L0cker you can also try using a program called Shadow Explorer. More information on how to use this program is available here.


To protect your computer from file-encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Crypt0l0cker ransomware.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user intervention:


Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:


  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove Crypt0l0cker ransomware:

Rocio Suarez

Without any pay, I mean

Rocio Suarez

So, Is it possible to decrypt files encrypted with the Crypt0L0cker ransomware right now?

luca

I can decrypt my file?
Thanks luca

Phill Stevens

Dr Web antivirus has a restore tool that can decrypt the .encryption files, cost is around $200 AUS for the antivirus for 2 yrs & the tool is included

About the author:

I am passionate about computer security and technology. I have 10 years of experience working in various companies related to computer technical issue solving and Internet security. I have been working as an editor for pcrisk.com since 2010. Follow me on Google+ to stay informed about the latest online security threats.
