How to Recover Files by Removing the CryptoLocker Ransomware

Ransomware as a service (RaaS)

The Cryptolocker ransomware is a malware strain that has evolved over the years and has repeatedly proven to be a diabolical means of extorting money from targeted victims. The latest variant, Cryptolocker v3.0, has affected hundreds of thousands of PCs this year alone, and a recent report by a cybersecurity firm puts the combined profits of the ransomware Trojan's developers at over $300 million.

The ransomware encrypts the user's data files with strong cryptography: an RSA-2048 key pair combined with AES-256 in CBC mode, so the files cannot be decrypted without the attacker's private key.

There are multiple ways to get rid of Cryptolocker. We'll start with the least technical procedure, which will be useful to those looking for a quick fix by way of a complete system reinstall. This may not always work, however, so have a look at the subsequent methods below if it does not work for you.

Method #1.

  • If you're using a laptop and find it infected, remove the battery immediately. If you're using a desktop, switch off the power at the mains.
  • Boot a recovery distribution such as DEFT or Kali Linux (for Linux users) to recover all the files from the hard drive.
  • Copy the data to an external hard drive.
  • Wipe the data on your infected hard drive securely using software such as DBAN.
  • You can also use Clonezilla to create a disk image, a complete snapshot backup of your files, folders and operating system.

Method #2.

This is for those who are adept at looking into and navigating the registry editor on their computer. The following video details every step you need to go through if you're infected with Cryptolocker version 2.0.

If you’re among the unfortunate many targeted by Cryptolocker 3.0, here are the instructions.

Cryptolocker v3.0 is particularly intrusive in the way it creates multiple files in every encrypted folder, making it an arduous task to get rid of the ransomware. Still, it can be done.

Method #3

The most efficient way to remove Cryptolocker is to follow the steps below together with software such as RogueKiller and Malwarebytes Anti-Malware.

The following video will guide you every step along the way:

A comprehensive write-up with instructions can be found here.

Additionally, here’s the link for downloading Shadow Explorer, for recovery.

Once you have RogueKiller installed, proceed as follows:

  • Kill all running instances of malicious processes by using the scan option and then the delete button.
  • Install Malwarebytes Anti-Malware Pro to effectively terminate all instances of Trojans on your device.
  • Now remove all remaining and hidden Cryptolocker ransomware files. This includes files such as HELP_Decrypt and other suspicious files in Local Settings\Temp, AppData\Local\Temp and the AppData\Roaming directory.
  • Now restore the Cryptolocker-encrypted files using Shadow Explorer for the recovery process.
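Before deleting notes and restoring files, it helps to know exactly which folders the ransomware touched. The following triage script is an added example, not part of the original article or any of the tools it names: it walks a directory tree, flags every folder that contains a HELP_Decrypt-style note, and lists the note files (to delete) next to the neighbouring files (candidates to restore from a shadow copy). The note-name patterns beyond HELP_Decrypt and the sample profile tree it builds are assumptions.

```python
import fnmatch
import os
import tempfile
from typing import Dict, List, Tuple

# Ransom-note names to hunt for. HELP_Decrypt is the name the article mentions;
# the other two are assumed variants, adjust them to what the incident shows.
NOTE_PATTERNS = ("HELP_Decrypt*", "HELP_DECRYPT*", "DECRYPT_INSTRUCTION*")

def is_ransom_note(name: str) -> bool:
    return any(fnmatch.fnmatchcase(name, pat) for pat in NOTE_PATTERNS)

def triage(root: str) -> Dict[str, Dict[str, List[str]]]:
    """For each folder under root holding a ransom note, record the notes (to delete)
    and the files beside them (candidates to restore from a shadow copy)."""
    hits: Dict[str, Dict[str, List[str]]] = {}
    for dirpath, _subdirs, files in os.walk(root):
        notes = sorted(f for f in files if is_ransom_note(f))
        if notes:  # a folder with no note was not touched and is not reported
            key = os.path.relpath(dirpath, root).replace(os.sep, "/")
            hits[key] = {"notes": notes,
                         "affected": sorted(f for f in files if not is_ransom_note(f))}
    return hits

def summary(hits: Dict[str, Dict[str, List[str]]]) -> Tuple[int, int, int]:
    """Totals: folders with notes, note files, neighbouring files to restore."""
    return (len(hits), sum(len(v["notes"]) for v in hits.values()),
            sum(len(v["affected"]) for v in hits.values()))

def build_sample_tree(base: str) -> str:
    """Constructed fake profile tree (empty files, no real malware) for a dry run."""
    layout = {"Documents": ["report.docx", "HELP_Decrypt.txt", "HELP_Decrypt.html"],
              "Documents/Photos": ["a.jpg", "b.jpg", "HELP_DECRYPT.png"],
              "AppData/Local/Temp": ["HELP_Decrypt.txt"],
              "Music": ["song.mp3"]}
    for rel, names in layout.items():
        folder = os.path.join(base, *rel.split("/"))
        os.makedirs(folder, exist_ok=True)
        for name in names:
            open(os.path.join(folder, name), "w").close()
    return base

def demo() -> Tuple[Dict[str, Dict[str, List[str]]], Tuple[int, int, int]]:
    hits = triage(build_sample_tree(tempfile.mkdtemp(prefix="cl_triage_")))
    for folder, info in sorted(hits.items()):
        print(f"{folder}: delete {info['notes']}; restore {info['affected']}")
    return hits, summary(hits)

if __name__ == "__main__":
    demo()
```

Point triage() at the user profile (or at the Temp directories named above) on a real machine; the per-folder plan it prints is the list you then work through with RogueKiller and Shadow Explorer.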

Steps to restore your encrypted files.

  • Download Shadow Explorer from here.
  • Run the program and select the date of the shadow copy from which you want to restore your folders and files.
  • Navigate to the folder, right-click it and select Export.
  • Now specify the destination for your exported data and hit OK. You're set!

Linux users can again use DEFT, Kali Linux, Helix and other Linux distributions to recover data and copy it onto an external hard drive.

It's important to remember that most variants of Cryptolocker come from torrents that profess to provide keys for software. It's recommended to steer clear of them, just as you would delete phishing emails seeking money from you.

Credit to Dhritiman Banerjee.