CTB Locker ransomware: restore encrypted files

Although the encryption applied by the CTB Locker virus cannot be broken without the secret key held by the criminals, there are some recovery tips and tricks worth trying.

What is CTB Locker?

The family of algorithms known as “elliptic curve cryptography” had never been a problem for computer users before the CTB Locker ransomware emerged. This cryptosystem is abused by cyber threat actors to completely deny access to one’s most important files, which is then used as grounds for demanding a ransom. The CTB part stands for “Curve-Tor-Bitcoin”, which tells a lot about this sample. Aside from the aforementioned data scrambling standard, the perpetrators take advantage of the anonymity delivered by The Onion Router technology as well as the Bitcoin cryptocurrency. A peculiar characteristic of this breed of malware is that it is a so-called “RaaS”, an acronym for Ransomware-as-a-Service. Anyone with basic computing skills, time on their hands and bad intentions can pay several thousand dollars on darknet forums and get a build of this ransomware. This is a counterpart of the affiliate networks out there, but a malicious one.

CTB Locker alert

When hit by CTB Locker, which may also be referred to as CTB-Locker, Windows users cannot possibly overlook the symptoms. The harmful code identifies all potentially important data on the machine and applies ECC-based encryption to every such file. To figure out which files to encrypt, the Trojan traverses all local and removable drives and compares the extensions of the files it encounters against a built-in list of widespread extensions. The encrypted items can no longer be opened with the programs normally configured to handle them by default. Nor can the victim install any third-party software to regain access to the information.

CTB Locker requiring payment

The warnings that CTB Locker displays are splashy enough that the victim cannot miss the details of the attack. In particular, the infection displays an image named “AllFilesAreLocked.bmp”, which says, “Your personal files are encrypted by CTB-Locker. Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. You only have 96 hours to submit the payment. If you do not send money within provided time, all your files will be permanently crypted and no one will be able to recover them.”

Every word in that alert is true. The same text is also provided in DecryptAllFiles.txt and in a randomly named HTML document. The user is eventually told to follow a Tor link and visit the decryption page, which usually demands 0.5-1 Bitcoin for the private key. The amount, however, may be much bigger and reach 8 or even 10 Bitcoins. The victim can have up to 5 files restored for free.

In late winter 2016, a new edition of CTB Locker appeared that encrypts the content of websites and extorts 0.4 Bitcoin from webmasters to recover from the predicament. In the course of these attacks, the offending program also replaces index.php of a targeted site with a rogue one. This is a unique edition of ransomware: no similar samples have been spotted to date.

No matter which variant of this Trojan you have run into, do not pay the ransom right away. First, be sure to try the alternative restore methods below, which might help in some cases.

CTB-Locker removal

By removing this ransomware, you make sure it will not do any further damage. The linked-to automated cleanup tool is capable of detecting the malicious executables of all known crypto viruses and removing all of their harmful components. One thing to keep in mind, though, is that the encrypted data will stay inaccessible until the appropriate recovery measures are taken.

1. Download and install CTB-Locker virus remover. Run the suite and click Start Computer Scan.

2. As soon as the scan report is ready, make sure all the malicious entries on the list are selected and click Fix Threats to get the cleaning job done.

File recovery how-to’s

Now that you have taken care of the offending code itself, it’s high time you tried to restore the scrambled files. Regular data backups made prior to the compromise are the best way to get the information back. In this case, just use your backup service provider’s restore functionality to download the most recent copies of the files. If the backup is stored on external hardware, simply copy the data back to your PC.

Unfortunately, some users don’t have a sound backup strategy that would make them resilient to such incidents. If you happen to be in that category, the dilemma is to either pay the ransom or rely on the best practices of forensic data restoration. The former option (paying the ransom) should be your last resort, so try the routines below first.

a) Explore ‘shadows’
As enigmatic as it sounds, this is a completely down-to-earth method that might do the trick in some ransomware attack cases. The idea is to use the snapshots of files that the operating system makes during critical updates and when new restore points are created. The applet called ShadowExplorer automates the workflow of finding these previous versions and restoring them to a location of your choice or to the original folder.

ShadowExplorer

The problem is, some crypto ransomware strains execute the “vssadmin.exe Delete Shadows /All /Quiet” command to wipe the existing shadow copies, so that there is nothing left for this method to work with. To see whether this technique can work in your case, go ahead and do the following: download ShadowExplorer, install and launch it. Right-click on any path, for example Documents and Settings, select the Export feature and pick the directory to which the contents of this folder should be restored. If this helped, proceed with the rest of your data in the same fashion.
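Before installing anything, you can check from an elevated PowerShell prompt whether any shadow copies survived and whether the shadow-deletion command quoted above was logged. This is an added example, not part of the original article or of ShadowExplorer; it assumes process-creation auditing with command lines (Security event 4688) and/or Sysmon (event 1) is enabled, otherwise the log search simply returns nothing.

```powershell
# Added example (not from the original article): report surviving Volume Shadow
# Copies per drive letter and search the last 7 days of process-creation events
# for a "vssadmin Delete Shadows" command. Run in an elevated PowerShell prompt.

# 1. Enumerate surviving shadow copies and map them to drive letters.
$volumes = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter } |
    Select-Object DriveLetter, DeviceID          # DeviceID is \\?\Volume{GUID}\

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy

foreach ($vol in $volumes) {
    # Win32_ShadowCopy.VolumeName uses the same \\?\Volume{GUID}\ form as DeviceID
    $onVolume = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
    if ($onVolume.Count -gt 0) {
        $newest = ($onVolume | Sort-Object InstallDate -Descending)[0].InstallDate
        "{0} {1} shadow copies, newest {2}" -f $vol.DriveLetter, $onVolume.Count, $newest
    } else {
        "{0} no shadow copies left (ShadowExplorer will find nothing here)" -f $vol.DriveLetter
    }
}

# 2. Look for the shadow-deletion command in process-creation events.
#    Assumption: 4688 carries the command line only when the
#    "Include command line in process creation events" policy is on.
$since   = (Get-Date).AddDays(-7)
$filters = @(
    @{ LogName = 'Security'; Id = 4688; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }
)
foreach ($f in $filters) {
    # SilentlyContinue: a missing Sysmon log or zero matching events is not an error here
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)vssadmin(\.exe)?\s+delete\s+shadows' } |
        ForEach-Object {
            # Pull the "Process Command Line:" (4688) or "CommandLine:" (Sysmon) line
            $cmd = (($_.Message -split "`n") -match 'Command ?Line' | Select-Object -First 1)
            "{0} [{1}] shadow deletion command seen: {2}" -f $_.TimeCreated, $f.LogName, $cmd.Trim()
        }
}
```

If the first part reports no shadow copies on every drive and the second part shows a deletion event, skip straight to method b) rather than spending time on ShadowExplorer.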

b) Use recovery software
There are solutions that traverse computer drives and connected media in search of deleted data and may be able to restore it. The reason why tools like Data Recovery Pro can be useful in ransomware-related predicaments is that some of these Trojans delete the original versions of files, leaving only their encrypted copies on the hard disk. If that’s the case, the above-mentioned application will scan the machine, list all recoverable entries in the scan report, and let you get those items back. Be advised that it’s critical to remove the virus for good before you get down to this workaround.

Double-check for CTB Locker remnants

Do not leave anything to chance when dealing with ransomware. Unless removed thoroughly, these threats can relaunch the crypto attack and scramble everything you’ve been struggling to restore using the above methods. To add insult to injury, ransom Trojans may be accompanied by other infections, such as banking malware that steals victims’ sensitive credentials. One way or another, rescan your system to make sure you’re good to go.
