How To Remove CTB Locker Ransomware Virus And Recover Files

CTB Locker is a virus that encrypts your files using the RSA-2048 algorithm and demands a ransom in Bitcoin to recover them. The desktop background is modified, ransom notes are created, and the encrypted files' extensions are usually changed to .ctb, .ctb2 or .ctbl. The virus started attacking users back in 2014 but has been updated several times since then and is still active to date. There are several variations of CTB Locker. The ransomware is now offered to anyone who wants to infect users and share the profits with its original creators, so it is also considered ransomware as a service (RaaS).

The only reliable way to recover your files if you have been infected is to first remove the virus completely and then restore your files using the methods described in our guide. You also need to secure your PC by installing proper antivirus software and preventing future threats. Below we have an automatic tool that will remove the threat and protect your computer. You can also follow the manual removal steps if you feel confident editing important system files and settings.


Recommended Method: Download CTB Locker Virus Removal Tool

This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP.

What is CTB Locker virus?

CTB Locker (also known as Critroni) is ransomware that encrypts files on the computer and asks for a ransom in order to recover them. It usually shows a ransom note titled “Your personal files are encrypted by CTB-Locker”. Many ransom notes are created across the infected machine, usually named AllFilesAreLocked.bmp or DecryptAllFiles.txt. Randomly named .html files could be created as well. The RSA-2048 algorithm is used to encrypt your files. The ransom amounts demanded vary because there are many variations of the virus itself.

There are many ways in which CTB Locker can spread and infect unsecured computers. Fake UPS or FedEx notifications, as well as fake fax notification emails, are used to trick victims into opening infected attachments. Such attachments usually ask you to enable macros when opened and then infect your computer immediately. Another very popular way to spread this malware is by bundling it with popular downloads on torrent and other P2P networks.

One of the latest distribution methods is through fake Windows 10 update notifications, usually sent out through email. Win10Installer.zip is attached and the virus activates as soon as you open it.

Since this ransomware now shares 70% of its profits with any affiliate, new distribution methods and CTB Locker variations can be expected (three main updates of this malware have been recorded so far).

Here is an example of a fake UPS notification:

Subject: UPS notification
From: United Parcel Service (0511notify (at) ups.com)

 Dear Customer,

    This is a follow-up on your package delivery (tracking number 0p2uYq5RIho). 
    The package contained in the above-mentioned shipment was not accepted at the destination address. 
    Please contact your local UPS office and produce the printed delivery sticker, included in this email attachment. 
    Please note that in case of a failure to contact your local UPS office within 21 days the parcel will be returned to sender.

    Happy to serve you,
    UPS.com

    This is automatically generated delivery status email, please do to reply to it.

IMPORTANT: The ransomware activates as soon as you launch the infected file and starts encrypting your data. It might take some time before it finishes the encryption process and then proceeds to generate ransom notes and delete the original files. Therefore, if you suspect that you have been infected by this or any other ransomware, you should immediately shut down your machine in order to prevent the virus from finishing the encryption. Encryption usually requires a lot of computer resources: increased CPU, RAM and hard disk usage are good indicators that you should shut down your computer and proceed to removing the threat.

CTB Locker usually displays the following ransom note:

Your personal files are encrypted

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. 
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. 
If you see the main locker window, follow the instructions on the locker. 
Otherwise, it's seems that you or your antivirus deleted the locker program. 

Now you have the last chance to decrypt your files.

1. Type the address hxxp://torproject.org in your Internet browser.
   It opens the Tor site.
2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle',
   install and run it.
3. Now you have Tor Browser. In the Tor Browser open the hxxp://zaxseiufetlkwpeu.onion
   Note that this server is available via Tor Browser only.
   Retry in 1 hour if site is not reachable.
4. Copy and paste the following public key in the input form on server. Avoid missprints.
5. Follow the instructions on the server.

The website displays the following instructions:

Your personal files are encrypted

Payment required.
Server accepts payments in Bitcoin (BTC) only.
1. Pay amount of 0.2 BTC (about of 24 USD) to address - Bitcoin wallet address.
2. Transaction will take about 15-30 minutes to confirm.
Decryption will start automatically. 
Do not: power off computer, run antivirus program, disable Internet connection. 
Failures during key recovery and file decryption may lead to accidental damage of files. 
If you have no Bitcoins press ‘Exchange’.

Finally, the ransomware has now started targeting not only user computers but servers as well. If a website is compromised, its owners will see the “Your personal files are encrypted” warning and a ransom will be demanded as well.

We strongly discourage you from paying the ransom. Even if the cyber criminals provide you with the decryption key and software, the weaknesses that let the infection in will still be present on your machine. The attackers will also see you as a paying victim and might target you in the future in order to extort even more money.

Here are some screenshots associated with CTB Locker. There are many variations of this virus so you might see a slightly different version.



Manual Removal Instructions:

NB: Removing the virus manually does not guarantee that your computer will not be reinfected or that no other threats are present. We recommend using the automatic option instead. Proceed only if you have experience editing important Windows system files and settings.

Bookmark this page before continuing so that you can come back to it after a restart.

Step 1:

Disconnect your computer from the internet. The best way to do this is simply by unplugging the ethernet cable or turning off the WiFi router that the computer uses.

Step 2:

Reboot your computer in Safe Mode.

When your computer is infected by a virus, some of its features may be locked or compromised. You need to bypass this by rebooting your computer into Safe Mode. This will allow you to remove the virus.

Since Safe Mode only loads the most basic features, do not be alarmed that Windows looks completely different!

How to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly until the boot options menu appears.
  3. Use the arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for Windows to launch.


How to reboot Windows 8, 8.1 or Windows 10 in Safe Mode

F8 method (1/4):

Restarting and repeatedly hitting F8 might not work on this version of Windows, since booting is much faster and the key presses are not always registered. Try this method first and then proceed to the other methods if it does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly.
    If it does not work, try repeating the same procedure, this time holding the Shift key while pressing F8.
  3. Follow the instructions from step 5 of the Shift+Restart method below.

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the Settings charm.
  2. Hold the Shift key on your keyboard and click Restart with your mouse while holding it.
  3. Click Troubleshoot.
  4. Click Advanced options.
  5. Click Startup Settings.
  6. Click Restart.
  7. Now press the F5 key on your keyboard to enable Safe Mode With Networking.

System configuration method (3/4):

  1. Press and hold the Windows key and press the R key.
  2. Enter msconfig.exe and click OK.
  3. When System Configuration opens, go to the Boot tab.
  4. Check the “Safe Boot” box in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails, you can try booting from a System Recovery CD or DVD (works only with Windows 8) or a System Recovery USB memory stick (works with Windows 8 and 8.1). You will be able to choose the Troubleshoot option. The steps are then identical to those in the Shift+Restart method, starting from #3.

Step 3:

Identify the processes associated with this ransomware and end them before proceeding.

Press CTRL + SHIFT + ESC to launch Windows Task Manager (or launch it by right-clicking on the Windows taskbar and clicking Start Task Manager).

Go to Processes tab.

All currently running processes will be listed.

You will have to check each process manually.

Start by right-clicking on each process and selecting Open File Location.

The location from which the process runs opens.

Most of the processes are usually harmless and important for the Windows system to function properly. You will have to scan them in order to find out where the virus hides.

Go to virustotal.com and upload the opened file for a scan.

If the scan identifies the file as dangerous, right-click on the process and choose End Process, then delete the file in the location you have opened before.

Repeat this until you have scanned all processes.

Step 4:

Clear your hosts file of any suspicious entries.

Press and hold the Windows key and press the R key to open the “Run” window.

Enter the following in the field:

notepad %windir%\system32\drivers\etc\hosts

Click OK.

The hosts file will open in the Notepad text editor. Delete all entries at the bottom of the file that do not have a “#” in front of them.

Step 5:

Remove suspicious programs from your startup configuration so that they do not launch as soon as you boot your computer.

Hold the Windows key and press the R key.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check the process location by hovering your mouse over the “Command” column. If it looks suspicious but you are not sure, navigate to the location and scan the file using virustotal.com.

Click OK when you have finished unchecking all potentially dangerous entries.

Step 6:

Clean up your registry entries.

Hold the Windows key and press the R key.

Enter the following in the field:

regedit.exe

Click OK.

The Registry Editor will open with all Windows registry entries.

Most of them are critical for correct system operation, and deleting important entries might result in Windows failing to load. Be very careful while deleting and editing entries!

Press keyboard buttons CTRL + F and enter:

ctb

Click Find Next.

If you find any registry entries that could be associated with CTB Locker, delete them by right-clicking on each and choosing Delete.

Repeat this search until no results are found anymore. Then repeat this step with the following search queries:

critroni
AllFilesAreLocked

Step 7:

Clean up Windows temporary files.

CTB Locker is known to create a randomly named .exe file and operate from the temporary files directory.

You can safely remove all temporary files without posing any risk to your computer.

Hold the Windows key and press the R key.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them.

Step 8:

Delete the CTB Locker task from the Windows Tasks folder.

Hold the Windows key and press the R key.

Enter the following in the field:

%Tasks%

Click OK.

A folder with all scheduled jobs will open. Delete any files that could have been generated by the virus.

CTB Locker usually generates a randomly named .job file.

Some of the jobs might be legitimate tasks, so do not delete all of them.

Step 9:

Check for any recent changes in the other important system directories.

Hold the Windows key and press the R key.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here! First search for any recent changes in the files (sort by “Date Modified”). Only if you see that a file has just been changed, scan it with virustotal.com. Remove only files marked as dangerous. Otherwise you might remove critical system files and Windows might stop working.

Repeat this step, very carefully, with the following three directories:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!
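The checks in Steps 3 to 9 can be collected in one pass from an elevated Windows PowerShell prompt after booting into Safe Mode with Networking. The script below is an added example written for this guide's steps; it is not part of the original page or of any tool the page recommends. It is read-only: it lists what each step asks you to inspect by hand and ends no process and deletes nothing, so you still decide what to remove. It assumes the infection happened within the last two days (the `$Since` value) and limits the registry search to the CurrentVersion keys rather than the whole registry.

```powershell
# Read-only triage for Steps 3 to 9 of the manual removal above.
# Added example, not from the original guide. Nothing is ended or deleted.
# Run from an elevated Windows PowerShell prompt in Safe Mode with Networking.

# Assumption: the infection is recent; files changed after this moment are reported.
$Since = (Get-Date).AddDays(-2)

# Step 3: running processes with their image path and SHA-256, so the hash can be
# looked up on virustotal.com instead of uploading every executable by hand.
"`n== Step 3: running processes =="
Get-Process | Where-Object { $_.Path } | Sort-Object Path -Unique | ForEach-Object {
    [pscustomobject]@{
        Name      = $_.ProcessName
        ProcessId = $_.Id
        Path      = $_.Path
        SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.Path).Hash
    }
} | Format-Table -AutoSize

# Step 4: hosts entries that are not comments (the lines the guide says to review).
"`n== Step 4: active hosts entries =="
Get-Content -LiteralPath "$env:windir\System32\drivers\etc\hosts" |
    Where-Object { $_.Trim() -and -not $_.TrimStart().StartsWith('#') }

# Step 5: startup entries from the Run keys that msconfig's Startup tab lists.
"`n== Step 5: startup entries =="
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "{0}: {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}

# Step 6: the same search terms the guide uses in regedit, limited to the
# CurrentVersion keys (a full-registry search is slow and matches many harmless names).
"`n== Step 6: registry values matching the guide's search terms =="
$patterns = 'ctb', 'critroni', 'AllFilesAreLocked'
foreach ($root in 'HKCU:\Software\Microsoft\Windows\CurrentVersion',
                  'HKLM:\Software\Microsoft\Windows\CurrentVersion') {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $k = $_
        foreach ($name in $k.GetValueNames()) {
            $data = [string]$k.GetValue($name)
            foreach ($p in $patterns) {
                if ($name -match $p -or $data -match $p) { "{0}\{1} = {2}" -f $k.Name, $name, $data }
            }
        }
    }
}

# Steps 7 to 9: recently changed files in the temp, legacy Tasks (.job) and
# application data directories the guide walks through.
"`n== Steps 7-9: recently modified files =="
$dirs = $env:TEMP, "$env:windir\Tasks", $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData
Get-ChildItem -Path $dirs -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } |
    Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

# The ransom note names and encrypted-file extensions named in this guide, anywhere
# under the user profile. Hits here confirm which folders were encrypted.
"`n== Ransom notes and encrypted-file extensions under the profile =="
Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue `
    -Include '*.ctb', '*.ctb2', '*.ctbl', 'AllFilesAreLocked.bmp', 'DecryptAllFiles.txt' |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

Save the output before you start deleting anything, so that you can compare the machine's state after the removal and after the reboot in Step 2 of the recovery section. Anything the script lists still has to be judged as the guide describes: most processes, startup entries and recently modified files are legitimate.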

Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

Check for a CTB Locker / Critroni decryptor here: List of currently available decryptors. Currently we have no information that such a decryptor is available, but it might be added in the future, so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by restoring the old system settings using System Restore. The virus might have changed them, so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points, so this step might be unsuccessful.

Press and hold the Windows key and press the R key.

Enter the following in the field:

rstrui.exe

Click OK.

The System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 2:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies, so this step might be unsuccessful as well. In that case, proceed to Step 3.
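Before walking through Steps 1 and 2, you can check from PowerShell whether any restore points or shadow copies survived, which tells you whether those steps are worth attempting. This is an added example, not from the original guide or from Shadow Explorer; it only reads and needs an elevated Windows PowerShell 5.1 prompt (Get-ComputerRestorePoint is not available in PowerShell 7).

```powershell
# Added example (not from the original guide): read-only check of the recovery
# material that Steps 1 and 2 rely on. Run from an elevated Windows PowerShell prompt.

# Step 1: restore points, i.e. what rstrui.exe would list. No output corresponds to
# the "No restore points have been created" case described above.
"`n== Restore points =="
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description,
                  @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }

# Step 2: Volume Shadow Copies, i.e. what Shadow Explorer reads. CTB Locker tries to
# delete these; if nothing is listed, go straight to Step 3.
"`n== Shadow copies =="
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName
```

Only use a restore point or shadow copy that predates the infection: a copy created after the files were encrypted contains the encrypted versions.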

Step 3:

Read more on how to restore files (including from backups) in our file recovery guide. That guide includes instructions on how to restore files from a backup or from shadow copies, as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively, you could make a backup of all the encrypted files, store it externally and wait for a CTB Locker decryptor to be created. New free decryptors for various ransomware families appear every week, but we cannot estimate the waiting time or whether one will be created at all.


Share your experience with us by leaving a comment!

Leave a comment to tell us about your experience removing this threat!
We can also help you if you run into any problems during the process, just don't hesitate to ask!
