How to Recover CTB Locker Files
CTB Locker (Curve-Tor-Bitcoin Locker) is also known as Critoni ransomware or the CTB Locker_Critoni virus. It is similar to CryptoWall, HowDecrypt and CryptoLocker, and it targets PCs running Windows. It was released in July 2014, and a second wave with updated code emerged in April 2015. CTB Locker is almost identical to CryptoLocker, but there are some changes: the name, the use of elliptic curve cryptography, and communication with the command server through Tor. Unfortunately, there is still no way of decrypting the files encrypted by CTB Locker.
When it runs, CTB Locker places itself as a randomly named .exe in the %Temp% folder and creates a task in the Task Scheduler so that it starts on every boot. It then starts encrypting data files stored on local or mounted network drives using elliptic curve cryptography.
CTB Locker will switch your wallpaper to the %MyDocuments%\AllFilesAreLocked <userid>.bmp file, which contains instructions on how to pay the ransom. It also creates files [user_id].txt [random name].html in MyDocuments\DecryptAllFiles. Those files have instructions explaining how to access the payment site. On every reboot, the ransomware will create another random-name copy in the %Temp% folder and create a new launch task. The latest version of Critoni will also decrypt five random files to prove that the decryption works.
If you're infected, SpywareTechs.com recommends downloading SpyHunter to disable the active infection. Note, however, that removing the virus will NOT decrypt your files. There is still no way of decrypting the files encrypted by CTB Locker, although there is a small chance that the encrypted files could be restored.
Once you get rid of CTB Locker (see how to remove CTB Locker in our article), you can try to recover your files using the limited methods below:
How to Recover Files Encrypted by CTB Locker:
*Please note that there is no method of decrypting the files encrypted by CTB Locker. The ransomware could also remove your Shadow Volume Copies, in which case, unfortunately, the only way would be to restore your files from a backup copy.
You can still try to recover your files from a system backup. If there is no backup available, you can try to restore the files using the Shadow Copy Service. Windows XP Service Pack 2 and later versions have an integrated feature called Shadow Copy Service, which automatically creates backup copies of your files. This method is not bullet-proof, as CTB Locker may also delete the shadow copies.
1. How to Restore Files Using the Shadow Copy Service:
Method 1. Using the Windows Previous Versions tab:
*The Windows System Protection service must have been enabled before the infection, otherwise this method will not work.
- Right-click on the encrypted file and select Properties from the menu.
- Click on the “Previous Versions” tab (if it is missing, Windows System Protection has not been enabled).
- Choose a previous version copy and click on the Copy button. Select a directory you wish to recover the file to, or try to restore the selected file directly by hitting the Restore button.
The same method can be used to recover an entire folder. Just right-click on the highlighted folder, select Properties, and then open the Previous Versions tab.
Method 2. Using Shadow Explorer:
Shadow Explorer can be used to restore whole folders. You can download the program from the link below: http://www.shadowexplorer.com/downloads.html
Download and run the program. A list of available drives will show up on the left side. Beside it, you will see the available dates of the created shadow copies. Select the drive and the date you want to restore to.
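Before trying either method, it helps to confirm whether the launch task described above is still present and whether any shadow copies survived. The following PowerShell triage is an added example, not part of the original article or of any tool it mentions; it assumes Windows 8 or later, an elevated session opened as the affected user, and uses the ransom wallpaper's creation time as a rough estimate of when encryption happened.

```powershell
# Added example: read-only triage for the CTB Locker traces described in this article.
# Assumptions: Windows 8+ (ScheduledTasks module), elevated session of the affected user.
$temp = [Environment]::ExpandEnvironmentVariables('%TEMP%').TrimEnd('\')
$docs = [Environment]::GetFolderPath('MyDocuments')

# 1. Scheduled tasks whose action starts an .exe located in %Temp% (the boot persistence).
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "exec" actions have an Execute property; COM handler actions do not.
        if (-not $action.Execute) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if ($exe.StartsWith($temp, [StringComparison]::OrdinalIgnoreCase) -and $exe -like '*.exe') {
            [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Executable = $exe }
        }
    }
}

# 2. Ransom wallpaper named in the article: AllFilesAreLocked <userid>.bmp in My Documents.
$ransomNotes = Get-ChildItem -Path $docs -Filter 'AllFilesAreLocked*.bmp' -File -ErrorAction SilentlyContinue
$firstNote   = $ransomNotes | Sort-Object CreationTime | Select-Object -First 1

# 3. Shadow copies that still exist, oldest first (empty if the ransomware deleted them).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
    Sort-Object InstallDate)

# Copies created before the wallpaper appeared are the ones worth restoring from.
# If no wallpaper file is found, every surviving copy is listed.
$candidates = if ($firstNote) {
    $shadows | Where-Object { $_.InstallDate -lt $firstNote.CreationTime }
} else {
    $shadows
}

Write-Output "Tasks launching an .exe from ${temp}: $(@($suspectTasks).Count)"
$suspectTasks | Format-Table -AutoSize
Write-Output "Ransom wallpaper files in ${docs}: $(@($ransomNotes).Count)"
Write-Output "Shadow copies present: $($shadows.Count); usable candidates: $(@($candidates).Count)"
$candidates | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize
```

If the task list is not empty, the infection is still active and should be removed before restoring anything; if the shadow copy list is empty, neither method above has anything to restore from.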
Nevertheless, if you want to be protected from CTB Locker, get SpyHunter!