Some ideas to restore files encrypted by CTB Locker

Discussion in 'Tutorials & Guides' started by LabZero, Apr 29, 2015.

  1. LabZero

    LabZero Guest

    Last edited by a moderator: Apr 29, 2015
    First of all, what is CTB Locker?

    It's ransomware that infiltrates a computer through the use of an exploit, mainly by exploiting vulnerabilities in outdated software on your system. CTB Locker has the advantage of being unnoticeable to the victim until its work is completed. It analyzes all drives on the machine looking for files with popular extensions, and then encrypts everything it finds with so-called elliptic curve encryption. Be aware that network shares or external data repositories connected to your PC are subject to the same fate if they are seen as a standalone drive letter. The ransomware also configures the operating system to run the executable every time, making sure that it stays up and running. It hijacks the desktop and changes the background to a screen that contains preliminary instructions on what needs to be done to restore the encrypted information.


    Why is CTB-Locker different from other malware?

    The novelty of this malware is tied to a unique encryption key that is used to render files unreadable. Because the key is unique, it is virtually impossible to rebuild it, and it is highly unlikely that you will be able to restore the files.

    Also, if you delete the virus from the computer (with an antivirus or anti-malware tool), this does not restore the damaged files, and you lose forever the option to recover them, since the private decryption key is removed from the secret server. An eventual removal of CTB-Locker deletes only the payment request. It does not restore files in any way.

    So, what are your options if you're infected? First of all, there is currently a 100% efficient way to decrypt files other than doing what the criminals presenting the ransom want. You can remove CTB Locker from your system, but that will not recover data automatically. Cleaning is recommended. Fortunately, there are several solutions you can try to regain the encrypted information. Read the instructions below to learn more.

    Methods to recover files encrypted by CTB Locker

    Solution 1: use the backup

    Of course, this is the best way to recover your files. It only applies, however, if you have a backup of the information stored on your computer.

    I already talked about this topic in my previous post:

    Solution 2: Use file recovery software

    It is important to know that CTB Locker creates copies of files and encrypts them. Meanwhile, the original files are deleted. There are applications that can restore removed data. You can use data recovery software for this purpose. The latest ransomware tends to apply secure deletion with multiple overwrites, but in any case it is worth trying this method.

    One freeware program is Recuva:

    But you can also try other alternatives.

    Solution 3: Use the Volume Shadow Copy

    In case you didn't know, the operating system creates so-called volume shadow copies of each file if Windows System Restore is enabled on the computer. In this way restore points are created at specified intervals, with snapshots of the files as they appear at the moment the restore points are generated. This method does not guarantee the recovery of the latest versions of the files, but it is certainly worth a try anyway. This workflow is doable in two ways: manually and through the use of an automatic solution. Let's first take a look at the manual process.

    Use previous versions

    The Windows operating system provides an integrated option to retrieve previous versions of files. It can also be applied to folders. Just right-click a file or folder, select Properties and click the tab named Previous Versions. Within the recorded versions, you'll see the list of backup copies of the file/folder, with the respective time and date. Select the most recent entry and click Copy if you want to restore the object to a new location that you specify. If you click the Restore button, the item will be put back in its original position.

    Use Shadow Explorer tool

    This tool allows you to recover previous versions of files and folders automatically rather than manually. To do this, download and install the Shadow Explorer application. After launching it, select the name of the drive and the date on which the file versions were created. Right-click the folder or file and select the Export option. Then just specify where the data is to be restored.

    Shadow Explorer:

    Although it is not certain that these solutions will work, it is advisable to try anyway.

    My conclusions

    Everything said so far is useless if it departs from a basic secure configuration of your computer. This configuration must always provide:

    1. An antivirus always updated.

    2. Anti-Malware software up to date.

    3. The Windows firewall always enabled.

    4. A computer with no useless and harmful programs installed, such as toolbars or extensions for the Internet browser (Ask Toolbar and similar).

    5. The existence of a backup copy of data on normally disconnected media such as an external hard drive or a USB pen drive. This media must be connected to the computer only for the time strictly necessary to create or update backups.

    If you use a cloud system like Dropbox, keep in mind that if your files are encrypted by malware, they are then synchronized with the cloud. If a ransom request similar to that of CTB-Locker appears, immediately disconnect your computer from the Internet, to protect the files on the cloud server.

    6. A conscious attitude in the use of computers, one that pays due attention to the transactions, avoids distractions while using email and does not lead you to download programs from the Internet without having carefully checked the source.

    Remember: they are your data. Protect them. All the time. ;)

    Mod Edit: Formatting
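
The Volume Shadow Copy recovery described in Solution 3 above can also be scripted. The following is an added example, not part of the original post: `Export-FromShadowCopy`, its parameters and the sample paths are hypothetical names. It goes one step beyond the post by letting you choose the newest snapshot taken before a cut-off time, and it copies data out to a separate location rather than restoring in place.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Export-FromShadowCopy, its parameters and the sample paths are hypothetical names.
function Export-FromShadowCopy {
    param(
        [string]$DriveLetter = 'C:',
        [Parameter(Mandatory)][string]$RelativePath,   # e.g. 'Users\alice\Documents'
        [Parameter(Mandatory)][string]$Destination,    # ideally a clean external drive
        [datetime]$Before = (Get-Date)                 # only use snapshots older than this
    )

    # Shadow copies reference their source volume by GUID path, not by drive letter.
    $volume = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if (-not $volume) { throw "No volume found for $DriveLetter" }

    # Newest snapshot of that volume taken before the cut-off time.
    $shadow = Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID -and $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending |
        Select-Object -First 1
    if (-not $shadow) { throw "No shadow copy of $DriveLetter older than $Before exists." }

    # Expose the snapshot through a temporary directory link (the trailing backslash is required).
    $link = "$env:SystemDrive\vss_$([guid]::NewGuid().ToString('N'))"
    cmd /c mklink /d $link "$($shadow.DeviceObject)\" | Out-Null
    try {
        $source = Join-Path $link $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "$RelativePath is not present in the snapshot from $($shadow.InstallDate)"
        }
        # Copy out to a separate location; nothing on the affected volume is overwritten.
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        Copy-Item -LiteralPath $source -Destination $Destination -Recurse -Force
        "Exported '$RelativePath' from snapshot of $($shadow.InstallDate) to $Destination"
    }
    finally {
        # rmdir on a directory link removes only the link, never the snapshot contents.
        cmd /c rmdir $link
    }
}

# Constructed usage: recover a Documents folder as it was before 28 April 2015.
# Export-FromShadowCopy -RelativePath 'Users\alice\Documents' -Destination 'E:\recovered' -Before '2015-04-28'
```

If the function reports that no shadow copy exists, System Restore was not enabled for that volume or the snapshots are gone, and this method cannot help.
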
  2. FireShootSK

    FireShootSK Level 17

    Feb 17, 2015
    Student of IT
    Great thread @Klipsh again.

    Maybe in your place I would add a link to Noransom by Kaspersky for CoinVault. :) When I tested CoinVault, this tool restored 80% of encrypted files.
    LabZero and Sr. Normal like this.
  3. Sr. Normal

    Sr. Normal Guest

    Thanks for the information my young teacher :)
    frogboy and LabZero like this.
  4. CTBLocker Support

    CTBLocker Support New Member

    May 24, 2015
    Last edited: Oct 20, 2015
    When infected CTBLocker file encryption, please add skype ctblocker or Hotline 0432123972 to support :)
    frogboy likes this.