How To Remove CYR-Locker Ransomware And Recover Files

CYR-Locker is a virus which pretends to be ransomware but in reality does not encrypt any files. It is scareware that displays a screen locker asking the victim to pay a ransom in Bitcoin in order to recover encrypted files, and it gives a 24-hour time limit.

The computer's functionality is limited by the screen locker, and therefore the victim might think that the threat is real. However, there has been no record that any files have been encrypted by this virus. This fact, together with an unrealistic and unclear ransom amount, leads to the conclusion that the ransomware is either still in development and is being tested by the creators or that it is a simple joke aimed at inexperienced users.

Either way, you should remove this threat as soon as possible in order to make sure there are no vulnerabilities left for future infections. The virus might leave a backdoor and try to infect your computer with a more advanced version later. Also, your personal data might be at risk of getting stolen.

We have prepared a manual removal guide for this threat. However, we recommend using the automatic removal tool listed below. This tool will not only remove the threat completely but also secure your computer in the future by working as a complete antivirus suite. The manual guide is for more experienced Windows users and does not guarantee protection in the future: it only removes the symptoms.


Recommended Method: Download CYR-Locker Ransomware Removal Tool

Version: All
Updated: 2 days ago
Compatible OS: All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP.
File name: mb3-setup.exe
Size: 56.5 MB


What is CYR-Locker Ransomware?

This malware is currently not as dangerous as it looks at first sight, as it only pretends to be real ransomware. There is no record of any files being encrypted, even though it claims to use a strong encryption method. The only damage it causes to the computer is locking the screen with the fake message and preventing the user from accessing the machine as normal. This is solved by simply closing the locker and removing the source of the threat, and there is no need to recover any files.

The ransomware displays the following message:

Your personal files are encrypted by CYR-Locker.
Your documents, photos, databases and other important files have been encrypted 
with strongest encryption and unique key, generated for this computer.
Private decryption key is stored on a secret Ineternet server and nobody can decrypt 
your files until you pay and obtain the private key.
You only have 24 hours to submit the payment. 
If you do not send money within provided time, all your files will be permanently crypted and no one will be able to recover them. 
I need money amount from you just 10 millions send through Bitcoin into account: CYR-Locker.
WARNING! DO NOT TRY TO GET RID OF THE PROGRAM YOURSELF. 
ANY ACTION TAKEN WILL RESULT IN DECRYPTION KEY BEING DESTROYED. 
YOU WILL LOSE YOUR FILES FOREVER. ONLY WAY TO KEEP YOUR FILES IS TO FOLLOW THE INSTRUCTION.

The ransom amount is unrealistic and there is no real Bitcoin account provided. The virus is poorly coded and the ransom note text is also full of mistakes. Therefore, it looks like either a test version of a serious ransomware coming out later or simply a practical joke aimed at negligent PC users.

When trying to enter a random decryption key the virus displays the following error:

Invalid key. Do not be tried any decrypt key if you have not be received the unique key from. 
Your personal data will be destroyed immediately if you did it failed many time.

The virus is distributed as a single .exe file, usually through common tactics such as deceptive spam emails and bundling with P2P downloads.

Even though the virus currently does not seem very dangerous, you should remove it as soon as possible in order to make sure that there are no backdoors left for further infections. Having this threat present on your machine also shows that there are vulnerabilities, and they should be fixed immediately by using proper antivirus software. We have an automatic removal and protection tool listed at the beginning of this page. We have also prepared manual removal instructions for more experienced Windows users. However, manual removal only deletes the source of the threat but does not protect your machine from possible future infections.



Manual Removal Instructions:

NB: By removing the virus manually you remove the symptoms only and this or any other threat might reappear in the future. We recommend using the tool provided at the top of this page in order to not only remove the virus but also secure your computer from any possible breaches in the future.

Make sure you bookmark this page or open it on another device as a computer restart will be required.

Step 1:

Reboot the computer in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Safe Mode only loads the most basic features, so do not be alarmed if Windows looks completely different!

How to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode:

  1. Restart your computer (if it is locked, you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly until the boot options menu appears.
  3. Use the arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for Windows to launch.

 

How to reboot Windows 8, 8.1 or Windows 10 in Safe Mode:

F8 method (1/4):

Restarting and repeatedly pressing F8 might not work for this version of Windows, since booting is much faster and does not always react to the key presses. Try this method first and then proceed to the other methods if it does not help.

  1. Restart your computer (if it is locked, you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly.
    If it does not work, try repeating the same procedure, but this time hold the Shift key while pressing F8.
  3. Follow the instructions from Step 5 below.

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold the Shift key on your keyboard and, while holding it, click Restart with your mouse.
  3. Click Troubleshoot.
  4. Click Advanced options.
  5. Click Startup Settings.
  6. Click Restart.
  7. Now press the F5 key on your keyboard to enable Safe Mode With Networking.

System configuration method (3/4):

  1. Press and hold the Windows key and press the R key.
  2. Enter msconfig.exe and click OK.
  3. When System Configuration opens, go to the Boot tab.
  4. Check the “Safe Boot” box in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails, you can try inserting a System Recovery CD or DVD (works only with Windows 8) or a System Recovery USB memory stick (works with Windows 8 and 8.1). You will be able to choose the Troubleshoot option. The steps are then identical to those in the Shift+Restart method, starting from #3.

Step 2:

If the locker is still being displayed, try ALT + F4 keys in order to close it.

Step 3:

Press at the same time: CTRL + SHIFT + ESC to launch Windows Task Manager.

Alternatively you can launch the Task Manager by right-clicking on Windows toolbar/startbar and clicking Start Task Manager.

Look for the following process on Processes tab:

CYR-Locker.exe

Right-click on it and choose Open File Location.

A new folder will open with the virus file highlighted.

Go back to Task Manager and click End Process.

Then Delete the file in the opened folder.

Repeat these steps with the following process as well (if found):

10227250.exe

Step 4:

Clean up Windows temporary files as the virus might operate from this folder.

Removing all temporary files is completely safe for your computer.

Hold the Windows key and press the R key.

Enter the following in the field:

%Temp%

Click OK.

Simply select all files and folders displayed in the temporary files directory and delete them permanently by simultaneously pressing CTRL + A and then SHIFT + DELETE.

Step 5:

Check for any recent changes in all the other important files.

Press and hold the Windows key and press the R key.

Enter the following in the field:

%AppData%

Click OK.

You don’t need to delete anything here. Just search for any recent changes (by “Date Modified”) in the files. If you see that the files have just been changed, then scan them with virustotal.com and remove if needed. If there are no suspicious changes just leave everything as it is.

Repeat this step with the following three directories:

%LocalAppData%
%ProgramData%
%WinDir%

Remember: delete something only if it has been modified recently and is infected according to VirusTotal scans. Otherwise you might remove critical system files!

Step 6:

Use Windows File Search (you can access it from the Windows Start Menu by simply pressing the Windows key) in order to find the following files and delete them:

CYR-Locker.exe
10227250.exe
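
The checks from Steps 3, 5 and 6 can also be run as one read-only PowerShell pass. This is an added example, not part of the original guide: the two file names come from this page, while the 3-day look-back window, the extension filter and the use of PowerShell 4.0 or later in an elevated session are assumptions. It deletes nothing; the SHA-256 values it prints can be searched on virustotal.com before you decide what to remove.

```powershell
# Added example: read-only triage for the file names listed in this guide.
$Names = 'CYR-Locker.exe', '10227250.exe'          # from the page
$Days  = 3                                          # assumed look-back window
$Exts  = '.exe', '.dll', '.bat', '.cmd', '.vbs', '.js', '.ps1'   # assumed filter
# Directories from Steps 4 and 5 (%WinDir% is large, so this part can take a while).
$Roots = $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:windir

# Step 3: running processes with a matching image name.
# Get-Process expects the name without the .exe extension.
$procNames = $Names | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
Write-Output '--- Matching processes ---'
Get-Process -Name $procNames -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path | Format-List

# Step 6: copies of the named files anywhere on the system drive.
Write-Output '--- Matching files on disk ---'
Get-ChildItem -Path "$env:SystemDrive\" -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $Names -contains $_.Name } |
    Select-Object FullName, Length, LastWriteTime | Format-List

# Step 5: recently modified script and executable files, newest first, with hashes.
$cutoff = (Get-Date).AddDays(-$Days)
Write-Output "--- Files modified since $cutoff ---"
$recent = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff -and $Exts -contains $_.Extension }
}
$recent | Sort-Object LastWriteTime -Descending | ForEach-Object {
    $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path     = $_.FullName
        Modified = $_.LastWriteTime
        SHA256   = $hash.Hash      # empty if the file could not be read
    }
} | Format-List
```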

Step 7:

This is an additional step to make sure you remove all impact to your system settings made by this virus.

You need to have a relatively recent restore point in order to restore your settings successfully. If you restore a very old restore point some unwanted settings might come back. Also, make sure the restore point has been created before the infection happened.

Restore the old system settings using System Restore.

Press and hold the Windows key and press the R key.

Enter the following in the field:

rstrui.exe

Click OK.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the infection happened but is not too old.

It will restore your system settings only and will not affect your files.

If you do not see any restore points they might have never been created.

After removing the virus

When you have finished removing CYR-Locker, make sure to protect your computer by installing a good antivirus suite that identifies threats online and in programs you have downloaded. Also avoid downloading unofficial torrents, illegal cracks or other files from P2P networks.

