How to Recover CTB Locker Files

How to Recover CTB Locker Files

How to Recover CTB Locker Files

CTB Locker (Curve-Tor-Bitcoin Locker), Critoni ransomware or CTB Locker_Critoni virus. Similar to CryptoWall, HowDecrypt and CryptoLocker. CTB Locker targets PCs running Windows OS. It has been released in July 2014. Although, there is a second wave that emerged in April 2015 with an updated code. CTB Locker is almost identical to CryptoLocker. However, there are some changes, for example: the name, the use of elliptical curve cryptography and communication through TOR to the command server. Unfortunately, still, there is no way of decrypting the files encrypted by CTB Locker.

When running, CTB Locker will situate itself as a random .exe in the %Temp% folder and create a task in the Task Schedule in order to start on every boot. CTB Locker starts encrypting data files stored on local or mounted network drives using elliptical curve cryptography.

CTB Locker will switch your wallpaper to %MyDocuments%\AllFilesAreLocked <userid>.bmp file, which contains instructions on how to pay the ransom. Also, it creates files [user_id].txt [random name].html in MyDocuments\DecryptAllFiles . Those files have instructions explaining how to access the payment site. On every reboot, the ransoware will create another random-name copy in %Temp% folder and create a new launch task. The latest version of Critoni will also decrypt five random files to prove that the decryption works.

If you`re infected, SpywareTechs.com recommends to download SpyHunter to disable the active infection. Although, note that the removal of the virus will NOT decrypt your files. Still, there is no way of decrypting the files encrypted by CTB Locker. There is a small chance that the encrypted files could be restored.

Once you get rid of CTB Locker (see how to remove CTB Locker in our article), you can try to recover your files using the limited methods below:


How to Recover Files Encrypted by CTB Locker:

*Please note that, there is no method of decrypting the files encrypted by CTB Locker. The ransomware could also remove your Shadow Volume Copies. Then, unfortunately, the only way would be to restore your files using a backup copy.

You can still try to recover your files from a system backup. If there is no backup available, one can try to restore the files using the Shadow Copy Service. Windows XP Service Pack 2 and future versions have an integrated feature called Shadow Copy Service which will automatically create backup copies of your files. This method is not bullet-proof, as CTB Locker may also delete the shadow copies.

1. How to Restore Files Using the Shadow Copy Service:

Method 1. Using Windows Previous Version tab:

*The Windows System Protection service must`ve been enabled before the infection, otherwise it will not work.


  1. Right-click on the encrypted file, select Properties from the menu.
  2. Click on “Previous Version” tab (If missing, this means that Windows System Protection has not been enabled).
  3. Choose a previous version copy and click on the Copy button. Select a directory you wish to recover the file to, or you can try to restore the selected file, directly, by hitting the Restore button.

The method could be used to recover an entire folder. Just right-click on the highlighted folder and select Properties, and then Previous Version tab.


Method 2. Using Shadow Explorer:

Using Shadow Explorer to restore whole folders. You can download the program from the link below: http://www.shadowexplorer.com/downloads.html


Download and run the program. A list of available drives will show up on the left side. Beside it, you will see available dates for created shadow copies. One could select the drive and the date to restore to.


Nevertheless, if you want to be protected from CTB Locker, get SpyHunter!


John Moore

Owner of SpywareTechs.com. I specialize in malware and spyware removal. Researching new malware threats that emerge on the internet. Computers are my hobby since...well more than 10 years. I posses strong knowledge of computer internals and operating systems. However, I use my skills to join the everyday fight against malware and spyware. Follow me on Google+ to stay updated on how to remove the newest infections.


  1. I am a professional photographer. A few weeks ago my computer was attacked by CTB-LOCKER the one with the black screen and code KEY. Proven Data Recovery has been able to identify the VARIENT of the virus I have. It is – RSA-2048 CTB-Locker encryption virus.
    They want 2,600 for the decryption of 300 image files that this virus has encrypted on a SD CARD. The computer still reads close to 900mb of data on the card and I have been told by multiple sources that there is a chance my images are still there, but I have had no luck and it’s going to take me quite some time to come up with this money so in mean time I am exploring other options and learning more about computers and code than I would otherwise have never cared to.
    It angers me to no end that people can actually even do this. That they can hurt total strangers in this away. Hurt their jobs. Effect their lives just for the sake of doing so and then dangle our data in front of us so we freak out and jump. I refuse to pay this RANSOM and it is frustrating to no end that the supposed GOOD GUYS want WAY THE HELL MORE!! It’s very backwards to me and does not seem right. It is almost impossible to get a simple strait answer from people in this area and there is a lot of double talk and I have bad a couple people remote access my computer and I see them try things even I have tried.
    The files that are blocked were never on my hard drive. I didn’t even have time to make a hard copy. One moment they were find and the next they were encrypted. I have done 2 system restored and a factory restore and computer has updated protection but the files remain locked on my card.
    Is there any effective decryption for CTB-LOCKER – RSA-2048 CTB-Locker encryption virus
    What are the odds? Is it even worth saving all this money for these people? He did ID the variant. Even that came as a shock. It’s all I have to go on. Maybe, if you think you have a solution for me of course I would be willing to work put pay arrangement but I would need to see at lest SOME proof. Maybe do one or two that I can see. There are 300 on the card and I am really quite desperate for this material, or to be told convincingly and enough times that all hop is lost. I am not at that point yet.
    Thanks for your time


    • Hello!
      You could try using shadow explorer. Also there are a lot of people that mentioned using Recuva software could help as well. Otherwise, check these links with a list of some free decryption tools. We hope that you will be able to retrieve your files back. Stay safe!

      link: 1
      link: 2

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.