Remove Crypt0L0cker (TorrentLocker / CryptoLocker) Ransomware Virus And Decrypt Files

Crypt0L0cker is a ransomware virus which encrypts personal files and changes their extensions (usually to .encrypted, .enc or six random characters). The virus then asks for a BitCoin payment in order to decrypt the files and make them openable again.

Once the files are locked the virus displays a warning saying “we have encrypted your files with Crypt0L0cker virus” and provides instructions on how to make a ransom payment and contact the creators. The virus also places several ransom notes across the computer usually named either “DECRYPT_INSTRUCTIONS” or “HOW_TO_RESTORE_FILES”. The desktop background is also changed and shows a red warning message with instructions on how to use TOR browser.

Crypt0L0cker is an updated version of another ransomware called TorrentLocker. Since the name change it has seen several updates and the distribution methods have been changing as well. Currently the most common way to spread this malware is email spam.

Even though the ransomware creators promise to give you a decryption tool and a key, there is no guarantee that they will do so. Also, there might be a backdoor left and it can result in further attacks on the same machine. Therefore, we strongly discourage you from paying the ransom. Instead, use our automatic removal and protection tool to eliminate the threat and protect your computer from any infections in the future. We also provide a manual removal guide for more experienced users. However, manual removal does not guarantee that the threat will not come back if you leave your computer unprotected afterwards.



What is Crypt0L0cker (CryptoLocker / TorrentLocker) ransomware virus?

This ransomware virus already has a long history of infecting users’ computers. It operates like many other ransomware families: it infiltrates the system, encrypts important personal files while working in the background and displays a ransom note when finished. However, it is more successful than many other ransomware types due to frequent updates and an aggressive distribution campaign.

The virus mostly spreads through email. Most of these emails carry the virus as an attachment and try to trick the user into opening the suspicious file by pretending to be an important message from a shipping company, the traffic police or a similar institution. Some emails contain fake “You have won” messages with a “Claim the prize” link as well. For example, the fake letter might state that you have been fined by the Australian traffic police and need to open an infringement notice, which in reality is the malicious file. Another example is an Italian campaign in which users receive a file called “ENEL_BOLLETA.zip”, designed to look like it comes from a company called Enel. Since the ransomware distributors are creative, there is always a risk of accidentally opening an infected file.

[Screenshots: examples of Crypt0L0cker email spam]
Once the infected file is opened (usually it is a .JS or .DOCX file), it immediately launches the executable ransomware file and starts encrypting the files in the background using a strong RSA-2048 algorithm. When the process finishes it changes the file extensions to .7z.encrypted, .encrypted, .enc or 6 random characters (e.g. .ckhrnm) and makes them unopenable. The virus also tries to delete shadow copies of your files in order to minimize the chances of a successful recovery. It infects .exe files on your computer so they would try to delete the shadow copies upon launch.

IMPORTANT: The encryption process takes time and computer resources. Therefore, if you suspect that you have just been infected by ransomware and you still do not see any ransom note or locked files, we recommend that you immediately shut down your computer in order to stop the encryption process. A good indicator that files are currently being encrypted in the background is high CPU and RAM usage as well as randomly named processes in the Task Manager. Keep in mind that modern ransomware encrypts only parts of your files to save time, so you need to act quickly.

After the encryption process finishes a ransom note is shown. First, the desktop background is changed into instructions on how to use a TOR browser. The virus also opens a warning window named “CryptoLocker”. Finally, .txt and .html ransom notes called “DECRYPT_INSTRUCTIONS” or “HOW_TO_RESTORE_FILES” are placed across the system. The file names and ransom notes are translated into different languages in its many versions (e.g. a German version would say “wie_zum_Wiederherstellen_von_Dateien”).
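The following PowerShell script is an added example, not part of the original guide, for measuring how far the encryption described above has spread: it counts files carrying the extensions this article names, locates the ransom notes, and writes the list to the desktop so the recovery steps can later be checked against it. It assumes an elevated PowerShell prompt, scans only drives with media, and deletes nothing; the six-random-letter pattern is a heuristic, so review its matches by hand.

```powershell
# Added example (not from the original guide): scope an infection by listing
# files with the extensions the article names and the ransom notes it names.
# Assumption: run from an elevated PowerShell prompt; the script only reports.
$encExts = @('.encrypted', '.enc')                     # covers .7z.encrypted too
$notePat = '^(DECRYPT_INSTRUCTIONS|HOW_TO_RESTORE_FILES)(\.(txt|html))?$'
# Heuristic for the "six random characters" variant: a common document or
# media extension followed by six letters, e.g. report.docx.ckhrnm
$randomPat = '\.(docx?|xlsx?|pptx?|pdf|jpe?g|png|txt|zip)\.[a-z]{6}$'

# Only drives that actually hold data (skips empty card readers / DVD drives).
$roots = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Used -gt 0 } | ForEach-Object { $_.Root }

$encrypted = @()
$notes     = @()
foreach ($root in $roots) {
    foreach ($f in (Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue)) {
        if ($encExts -contains $f.Extension.ToLower() -or $f.Name -match $randomPat) {
            $encrypted += $f
        } elseif ($f.Name -match $notePat) {
            $notes += $f
        }
    }
}

Write-Output "Encrypted files found: $($encrypted.Count)"
# Folders with the most encrypted files tell you where recovery matters most.
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize

Write-Output "Ransom notes found: $($notes.Count)"
$notes | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# Keep the full list: the LastWriteTime values also give the encryption timeline.
if ($encrypted.Count -gt 0) {
    $encrypted | Select-Object FullName, Length, LastWriteTime |
        Export-Csv -Path "$env:USERPROFILE\Desktop\encrypted-files.csv" -NoTypeInformation
}
```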

The English ransom note usually looks like this:

WARNING we have encrypted your files with Crypt0L0cker virus. 
Your important files (including those on the network disks, USB, etc): 
photos, videos, documents, etc. were encrypted with our Crypt0L0cker virus. 
The only way to get your files back is to pay us. Otherwise, your files will be lost. 
Caution: Removing of Crypt0L0cker will not restore access to your encrypted files.

===============================================================================
!!! WE HAVE ENCRYPTED YOUR FILES WITH Crypt0L0cker VIRUS !!!
===============================================================================

Your important files (including those on the network disks, USB, etc): photos,
videos, documents, etc. were encrypted with our Crypt0L0cker virus. The only
way to get your files back is to pay us. Otherwise, your files will be lost.

——————————————————————————-
——————————————————————————-

[=] What happened to my files?

Your important files: photos, videos, documents etc. were encrypted with our
Crypt0L0cker virus. This virus uses very strong encryption
algorithm – RSA-2048. Breaking of RSA-2048 encryption algorithm is impossible
without special decryption key.

[=] How can I get my files back?

Your files are now unusable and unreadable, you can verify it by trying to
open them. The only way to restore them to a normal condition is to use our
special decryption software. You can buy this decryption software on
our website.

The virus has a sophisticated ransom payment website. It is currently accessible only through TOR since the regular address (de2nuvwegoo32oqv.tormilki.li) seems to be offline.

We strongly discourage you from paying the ransom. There is no guarantee that you will receive a decrypter after you make the required payment. Even if you do, there is always a chance that an additional backdoor has been left by the creators and that the ransomware or any other infection will strike again in the future. The criminals will also see you as a paying victim and might try to extort more money later.

We have an automatic removal tool which will remove the Crypt0L0cker virus and protect your computer from any infections in the future. We also provide a manual removal guide for more experienced users who are comfortable with editing important Windows files. However, manual removal only eliminates the symptoms and does not guarantee protection. Therefore, you should secure your computer afterwards even if the virus is not on your computer anymore.

Unfortunately, there is currently no easy decrypter available for CryptoLocker files. However, we have prepared a manual file recovery guide consisting of several methods. The best option is to simply recover your files from backups or shadow copies. If you do not have them or they have been deleted by the virus, professional file recovery software can help in that case. Please keep in mind that you should try getting your files back only after you have fully removed the virus.

[Screenshots of Crypt0L0cker (TorrentLocker / CryptoLocker)]

Manual Removal Instructions:

Remember to bookmark this page in order to access it after you restart your computer while working on the removal process!

Make sure you are an experienced Windows user and understand the risks of editing important files and settings. We recommend using the automatic removal tool for an easier removal process and in order to avoid any damage to your Windows operating system!

Step 1:

Restart your computer in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Since Safe Mode only has the most basic features, do not be alarmed that Windows looks completely different!

How to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode:

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, repeatedly press the F8 key on the keyboard until the Advanced Boot Options menu appears.
  3. Use the arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for Windows to launch.


How to reboot Windows 8, 8.1 or Windows 10 in Safe Mode:

F8 method (1/4):

Restarting and repeatedly pressing F8 might not work for this version of Windows, since booting is much faster and does not always react to the key presses. Try this method first and proceed to the other methods if it does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, repeatedly press the F8 key on the keyboard.
    If it does not work, try repeating the same procedure, but this time hold the Shift key while pressing F8.
  3. Follow the instructions from step 5 of the Shift+Restart method below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold the Windows key and press R.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails you can try inserting System Recovery CD or DVD (works only with Windows 8) or System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose Troubleshoot option. The steps are then identical as in Shift + Restart method starting from #3.

Step 2:

Find any processes that might be associated with the Crypt0L0cker virus and terminate them.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on the Windows taskbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

Now you will have to check each process manually.

We recommend not skipping any of the processes as viruses sometimes hide in various processes that look like essential Windows components.

Right-click on each of the processes in the list and choose Open File Location.

Go to virustotal.com and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have just opened.

Repeat this until you have checked all processes.

Step 3:

Check your hosts file for any suspicious IPs.

Press and hold the Windows key and press R to open the “Run” window.

Enter the following in the field:

notepad %windir%\System32\drivers\etc\hosts

Click OK.

Notepad will open your “hosts” file. Any line that does not start with “#” is an active entry. Delete any such entries that have been added at the end of the file, leaving only the standard loopback entries (“127.0.0.1 localhost” and “::1 localhost”) if they are present.
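As an added example that is not part of the original guide, this PowerShell script performs the same check automatically: it backs up the hosts file, strips comments, and reports every active entry, marking anything other than the standard loopback mappings as suspicious. It assumes an elevated PowerShell session (needed for the backup copy in the protected directory).

```powershell
# Added example (not from the original guide): audit the Windows hosts file.
# Assumption: elevated PowerShell session (writing the backup requires it).
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'

# Keep a copy before anything is edited by hand.
Copy-Item -Path $hostsPath -Destination "$hostsPath.bak" -Force

# The only entries a clean Windows hosts file may contain (often they are
# commented out, in which case the file has no active entries at all).
$expected = @('127.0.0.1 localhost', '::1 localhost')

# Drop everything after '#' on each line, trim, and discard empty lines.
$active = Get-Content -Path $hostsPath |
    ForEach-Object { ($_ -split '#', 2)[0].Trim() } |
    Where-Object { $_ -ne '' }

if (-not $active) {
    Write-Output 'No active entries: this is the default state of a clean hosts file.'
}

foreach ($line in $active) {
    # Collapse runs of spaces/tabs so "127.0.0.1    localhost" compares equal.
    $normalised = ($line -split '\s+') -join ' '
    if ($expected -contains $normalised) {
        Write-Output "OK        : $normalised"
    } else {
        # Any other mapping redirects a host name; malware commonly uses this
        # to block security vendor or update sites. Review and remove by hand.
        Write-Output "SUSPICIOUS: $normalised"
    }
}
```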

Step 4:

Remove suspicious programs from your startup config so they would not launch as soon as you boot your computer.

Hold the Windows key and press R.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you have finished unchecking all potentially dangerous entries.

Step 5:

Clean up your registry entries.

Hold the Windows key and press R.

Enter the following in the field:

regedit.exe

Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Press keyboard buttons CTRL + F and enter:

Crypt0L0cker

Click Find Next.

If you find any registry entries that could be associated with Crypt0L0cker, delete them by right-clicking on each one and choosing Delete.

Repeat this search until no results are found anymore. Then repeat this step with the following search queries:

CryptoLocker
TorrentLocker

Step 6:

Clean up Windows temporary files.

Crypt0L0cker operates from the temporary files directory.

You can safely remove all temporary files without posing any risk to your computer.

Hold the Windows key and press R.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them.

Step 7:

Check for any recent changes in all the other important system files.

Hold the Windows key and press R.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here! First search for any recent changes (sort by “Date Modified”). Only if a file has been changed very recently, scan it with virustotal.com. Remove only files marked as dangerous. Otherwise you might remove critical system files and Windows might stop working.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!
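The following PowerShell script is an added example, not part of the original guide, that automates the “Date Modified” review of the four directories above: it lists executable-type files changed in the last few days together with their SHA-256 hashes, so each can be looked up on virustotal.com by hash without uploading it. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; it reports only and deletes nothing. Expect noise under %WinDir% after Windows updates.

```powershell
# Added example (not from the original guide): report recently modified
# executable-type files under the directories the step names, with hashes.
# Assumptions: PowerShell 4.0+ (Get-FileHash), elevated prompt; reports only.
$days  = 3
$since = (Get-Date).AddDays(-$days)
$dirs  = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:windir)

# A first pass only needs file types that can execute or launch something.
$exts = @('.exe', '.dll', '.scr', '.pif', '.js', '.vbs', '.bat', '.cmd', '.ps1')

$hits = @(foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -and
                       $exts -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Hash failures (locked files) leave SHA256 empty rather than abort.
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Modified = $_.LastWriteTime
                Size     = $_.Length
                SHA256   = if ($h) { $h.Hash } else { '' }
                Path     = $_.FullName
            }
        }
})

Write-Output "Files of interest modified in the last $days day(s): $($hits.Count)"
$hits | Sort-Object Modified -Descending | Format-Table -AutoSize

# Save the list so hashes can be checked on virustotal.com one by one.
if ($hits.Count -gt 0) {
    $hits | Export-Csv -Path "$env:USERPROFILE\Desktop\recent-files.csv" -NoTypeInformation
}
```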

Step 8:

Use Windows File Search (you can access it from the Windows Start Menu by simply pressing the Windows key) or Windows Explorer in order to find the following files and delete them:

TorrentLocker.exe
C:\ProgramData\iwymyzucasakodon\
%StartMenu%\Programs\Startup\system.pif
%WinDir%\{randomname}.exe

Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on a separate external media in case you are not able to recover the files using our methods.

Check for Crypt0L0cker decryptor here: List of currently available decryptors. Currently we have no information that such decryptor is available but it might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold the Windows key and press R to open the “Run” window.

Enter the following in the field:

cmd

Click OK.

A command prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter.

Step 2:

Restore the old system settings using System Restore. The virus has changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold the Windows key and press R.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies, so this step might be unsuccessful as well. In that case, proceed to Step 4.

Step 4:

Read more on how to restore files (including from backups) in our file recovery guide. This guide includes instructions on how to restore files from a backup or shadow copies, as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a Crypt0L0cker decryptor to be created. New free decryptors for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

After removing the virus

When you have finished removing the Crypt0L0cker (TorrentLocker) you should protect your computer by installing a good antivirus suite. This will prevent any further infections and fix the current vulnerabilities that have been used by the ransomware to infiltrate your system.

