CTB Locker ransomware or how to decrypt encrypted files
CTB Locker ransomware (sometimes also called Critoni or CBT Locker) was first noticed in July 2014. This virus encrypts various files and asks for a ransom to decrypt them. Almost all versions of Windows, including Windows XP, Windows Vista, Windows 7 and Windows 8, can be affected by this ransomware. A distinctive attribute of this malware is that it communicates with its Command and Control server over TOR. An interesting fact: anyone can purchase CTB Locker online for around $3,000 United States dollars. For that amount of money you get the basic kit and full support from the developers of CTB Locker on how to set everything up correctly. This means that many versions of this virus with a different appearance can be out there. The malware has been changed a couple of times since it first appeared, though anti-malware tools like Spyhunter and Malwarebytes are capable of detecting and removing it before it installs itself.
All files encrypted by Critoni are renamed with the CTBL extension and can no longer be opened. Once installed, this ransomware scans your computer to find out what files you have on it and then encrypts most of them (not necessarily all). What happens next is that a large window is displayed on your screen; its text is quoted below. It states that your personal files are encrypted and that if you want them back, you will need to pay a ransom of about $120 United States dollars. Payments are made using the Bitcoin payment system.
If your computer is infected with Critoni, you should be able to see a folder with a random name in the %Temp% folder on your computer. This malware is started every time you log in to your system. CTB Locker uses elliptic curve cryptography to encrypt users' files, which is quite an unusual way to do this. Once CTB Locker has finished scanning your system and encrypting files, you are shown a message with instructions on how to pay the ransom. Furthermore, your wallpaper is changed to the %MyDocuments%\AllFilesAreLocked .bmp file, which contains detailed information on how to pay the ransom. Other files that are also created and accessible to the user are %MyDocuments%\DecryptAllFiles <user_id>.txt and %MyDocuments%\.html. There you will find the information needed to reach the malware's official website and complete the payment. Because communication with the Command and Control server takes place exclusively through TOR and not the open Internet, it is more complicated for law enforcement to track this ransomware. However, it is not impossible. You should also know that every single time you reboot your system, CTB Locker copies itself to %Temp% under new, random names, so it is possible to find lots of strange-looking files there.
Now, the first step when you realize that your computer is infected with Critoni ransomware is to scan your system with a trustworthy anti-malware product, such as Spyhunter or Malwarebytes. The sooner, the better. It is really difficult to notice this malicious application on your computer until the screen with the message that your files have been encrypted shows up, so it would be wise to scan your computer once in a while to prevent this from happening. However, if your files are already encrypted, you can still scan the PC and at least remove the infection so that no new files are generated every time you restart Windows. If you want to do this manually, you need to remove all executables from the %Temp% folder and remove the hidden job in the Windows Task Scheduler. Note that this only removes the virus; files that are already encrypted will not be decrypted. At the moment there is no known method to decrypt files encrypted by CTB Locker. There are many tools developed to decrypt files encrypted by other malware, but they are not capable of decrypting files encrypted by CTB Locker. There are only two ways to get your encrypted files back: either pay the ransom or restore the files from a backup. Open the %MyDocuments%\.html file to find out which files were encrypted and need to be restored.
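The following PowerShell triage script is an added example and is not part of the original article or any vendor tool. It reports, without deleting anything, the indicators the text describes: executables and random-named folders under %Temp%, scheduled tasks whose action launches something from %Temp%, the ransom-note artifacts in Documents, and files with the .ctbl extension. It assumes Windows 8 or later with PowerShell 3+ (for Get-ScheduledTask); the artifact name patterns are taken from the text above.

```powershell
# Added triage example (not from the article). Read-only: lists indicators, deletes nothing.
# Assumes PowerShell 3+ and the ScheduledTasks module (Windows 8+ / Server 2012+).
function Get-CtbLockerIndicators {
    $temp = $env:TEMP
    $docs = [Environment]::GetFolderPath('MyDocuments')
    $tempRegex = [regex]::Escape($temp) + '|%TEMP%'   # tasks may reference the literal %TEMP% variable

    # 1. Executables dropped under %Temp% (the article says new random copies appear after each reboot)
    $tempExes = Get-ChildItem -Path $temp -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.scr', '.dll' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime

    # 2. Random-named folders created under %Temp% in the last 7 days
    $tempDirs = Get-ChildItem -Path $temp -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-7) } |
        Select-Object FullName, CreationTime

    # 3. Scheduled tasks whose action executes something from %Temp% (the "hidden job")
    $tasks = foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            if (($action.Execute -match $tempRegex) -or ($action.Arguments -match $tempRegex)) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }

    # 4. Ransom-note artifacts in Documents, as named in the text
    $notes = Get-ChildItem -Path $docs -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'AllFilesAreLocked*.bmp' -or $_.Name -like 'DecryptAllFiles*.txt' } |
        Select-Object FullName, LastWriteTime

    # 5. Encrypted files: the article says victims' files are renamed with the CTBL extension
    $ctbl = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.ctbl' -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime

    [pscustomobject]@{
        TempExecutables   = @($tempExes)
        RecentTempFolders = @($tempDirs)
        SuspiciousTasks   = @($tasks)
        RansomNotes       = @($notes)
        EncryptedFiles    = @($ctbl)
    }
}

# Usage: run as the affected user; review each list before removing anything.
$report = Get-CtbLockerIndicators
"Executables in %Temp%: $($report.TempExecutables.Count)"
"Tasks pointing into %Temp%: $($report.SuspiciousTasks.Count)"
"Ransom notes in Documents: $($report.RansomNotes.Count)"
"Encrypted (.ctbl) files: $($report.EncryptedFiles.Count)"
$report.SuspiciousTasks | Format-Table -AutoSize
$report.EncryptedFiles | Select-Object -First 20 | Format-Table -AutoSize
```

A non-empty SuspiciousTasks list identifies the scheduled job the text tells you to remove; the .ctbl list gives you the inventory of files to recover from backups or shadow copies, independent of the %MyDocuments%\.html file the malware writes.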
The message by CTB locker looks like this:
Your personal files are encrypted.%f0%%c0%
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
If you see the main locker window, follow the instructions on the locker. Overwise, it’s seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files.
1. Type the address %c1%http://torproject.org%c0% in your Internet browser. It opens the Tor site.
2. Press ‘Download Tor’, then press ‘DOWNLOAD Tor Browser Bundle’, install and run it.
3. Now you have Tor Browser. In the Tor Browser open the %c1%http://%onion%/%c0%.
Note that this server is available via Tor Browser only.
Retry in 1 hour if the site is not reachable.
4. Write in the following public key in the input form on server. Avoid misprints.
5. Follow the instructions on the server.
These instructions are also saved to file named DecryptAllFiles.txt in Documents folder. You can open it and use copy-paste for the address and the key.
How to decrypt encrypted files
As we have mentioned before, there is no way to decrypt files that have been encrypted by CTB Locker. If you are not going to pay the ransom to the cyber criminals, you can restore your files from a backup. There are several ways to accomplish that.
The best option is simply to restore your files and settings from a Windows backup. However, this is only possible if you set up a backup beforehand. If you did not, you will not be able to do a system restore. Even if you have a valid restore file, it might not be possible to retrieve the lost files if the directory they are stored in is not covered by Windows backup (you can choose that in the settings).
The following method can be quite effective as well. CTB Locker does not just encrypt a file in place: it makes a copy of it, encrypts the copy and then deletes the original file. For this reason, you can use file-recovery software to restore the deleted originals; R-Studio or PhotoRec, for example, can perform this task. If you are wondering why it is not recommended to wait long after CTB Locker gets onto your system, it is because the longer you wait, the harder it becomes for file-recovery programs to retrieve your deleted, unencrypted files, since their disk space is gradually overwritten.
Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is still a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the restore snapshot was created. CTB Locker usually tries to delete all Shadow Volume Copies, but sometimes it fails to do so. It is worth mentioning that Shadow Volume Copies are only available on Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files from a Shadow Volume Copy: using the native Windows Previous Versions feature, or via Shadow Explorer.
Native Windows Previous Versions
Just right-click an encrypted file and select Properties > Previous Versions. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
Shadow Explorer
Shadow Explorer is a program that can be found online for free. You can download either a full or a portable version of it. Open the program and, in the top left corner, select the drive on which the file you are looking for is stored. You will then be shown all folders on that drive. To retrieve a whole folder, right-click it, select the "Export" option and choose where you want it to be stored. That's it.
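The two recovery routes above both read from the same Volume Shadow Copy snapshots. The script below is an added example, not part of the original article or of Shadow Explorer, that does the same job from an elevated PowerShell: it lists the snapshots for a drive and copies one file out of a chosen snapshot to a new location, leaving the encrypted file untouched. It exposes the snapshot through a directory symbolic link to its device object, which requires administrator rights; the file path and destination in the usage section are hypothetical.

```powershell
# Added example (not from the article). Run in an elevated PowerShell.
function Get-ShadowCopiesForDrive {
    param([string]$DriveLetter = 'C:')
    # Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName both use the \\?\Volume{GUID}\ form,
    # so they can be matched to map a drive letter to its snapshots.
    $vol = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $vol) { throw "No volume mounted at $DriveLetter" }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, DeviceObject
}

function Restore-FileFromShadowCopy {
    param(
        # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3 (from Get-ShadowCopiesForDrive)
        [Parameter(Mandatory)] [string]$DeviceObject,
        # path below the volume root, e.g. Users\alice\Documents\report.docx
        [Parameter(Mandatory)] [string]$RelativePath,
        # where to write the recovered copy; never overwrite the encrypted file in place
        [Parameter(Mandatory)] [string]$Destination
    )
    $link = Join-Path $env:SystemDrive 'vss_snapshot'
    if (Test-Path -LiteralPath $link) { throw "Link path already exists: $link" }
    # mklink needs the trailing backslash on the snapshot device path
    cmd /c mklink /d "$link" "$DeviceObject\" | Out-Null
    try {
        $src = Join-Path $link $RelativePath
        if (-not (Test-Path -LiteralPath $src)) {
            throw "Not present in this snapshot: $RelativePath"
        }
        Copy-Item -LiteralPath $src -Destination $Destination
        Get-Item -LiteralPath $Destination
    }
    finally {
        # rmdir on a directory symlink removes only the link, never the snapshot contents
        cmd /c rmdir "$link" | Out-Null
    }
}

# Usage (hypothetical paths): list snapshots, then recover from the newest one
# that predates the infection. An empty list means the malware managed to delete them.
$snaps = @(Get-ShadowCopiesForDrive -DriveLetter 'C:')
$snaps | Format-Table -AutoSize
if ($snaps.Count -gt 0) {
    $file = 'Users\alice\Documents\report.docx'
    $out  = Join-Path $env:USERPROFILE 'Desktop\report.recovered.docx'
    Restore-FileFromShadowCopy -DeviceObject $snaps[0].DeviceObject -RelativePath $file -Destination $out
}
```

Pick the snapshot by InstallDate: the newest one taken before the first .ctbl files appeared will hold the unencrypted originals, while later snapshots may already contain the encrypted copies.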
How to restore files that have been encrypted on DropBox
If you stored your files in Dropbox (a popular web-based file storage service) and they have been encrypted as well, you can use the tips listed below.
To retrieve encrypted files on Dropbox, simply log in to your account on the Dropbox website. Then navigate to the folder where the file you want to retrieve is stored. Right-click the file and select the Previous versions option. You will now see all available previous versions of the file (much like Shadow Volume Copies). Select the desired version and click the Restore button.