Cryptolocker Removal, File Decryption and File Recovery

Cryptolocker removal is relatively easy and fast. There are several major removal programs that will automatically remove cryptolocker for you. The hardest part of this process is file recovery, so before we get into the details:

BACKING UP YOUR SYSTEM IS THE MOST IMPORTANT DEFENCE AGAINST VIRUSES & HARD DRIVE FAILURE.

Without backups, just removing the virus will only get Windows running correctly again; it will NOT get back your encrypted data.


Bridge IT recently gave advice on cryptolocker for NBN News.

What is cryptolocker?

Cryptolocker, or crypt0l0cker, is a ransomware trojan that encrypts your data and holds it for ransom.

How does cryptolocker infect my computer?

It usually comes in the form of an email attachment such as a PDF, EXE or ZIP file. The email will be written to create panic, e.g. a speeding fine or a crazy power bill, or it could be something as simple as a resume for a job application. Once you click on the link/attachment, the ransomware starts to work in the background, encrypting your data file by file and deleting the original, until all your files are encrypted.

How do I know if I have cryptolocker?

Here are a few images of messages that you may see if you have been infected. These things change all the time so you might see something different. The concept will be the same though.

Can I prevent getting Cryptolocker?

Yes! Other than keeping your antivirus up to date, there are some great tools to combat cryptolocker-style viruses. Bitdefender has a free cryptolocker tool to defend against these ransomware attacks.

Cryptolocker Decryption Tools

IMPORTANT! Make sure you remove the malware from your system first, otherwise it will repeatedly lock your system or encrypt files. Any reliable antivirus solution can do this for you.

If you have a new version of Cryptolocker, chances are the tools won't work on your files. It's usually only older variants that they work on. Check the major antivirus websites for the latest tools.


A few things to note:

Alarm bell #1. The AFP issuing a driving fine?
Alarm bell #2. How would the AFP get your email address?
Alarm bell #3. If you hover your mouse cursor over the link, you would expect to see a government web address that looks like this: https://www.afp.gov.au/etc, but in this case you see a random web address.

Most people delete the email on the spot, but an alarming number of people panic and follow the link.
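The hover check in alarm bell #3 can also be done on a saved copy of a suspicious email rather than by hand. The PowerShell function below is an added example, not Bridge IT's code: it pulls every link out of an HTML email body, compares the host the link really points at with the domain the sender claims to be, and flags links whose visible text shows one address while the href goes somewhere else. The email body and the 203.0.113.5 address are constructed sample data; the domain list is an assumption you would set for the sender being imitated.

```powershell
# Added example (not from the original article): find links in a saved email body
# whose real target does not match the domain the email claims to come from.
# The sample HTML below is constructed for illustration.

function Get-SuspiciousLinks {
    param(
        [Parameter(Mandatory)][string]$HtmlBody,
        # Domains the sender is claiming to be; any other host is untrusted.
        [string[]]$ExpectedDomains = @('afp.gov.au')
    )

    # Match <a href="..."> ... </a>, capturing the real target and the visible text.
    $pattern = '<a\s+[^>]*href\s*=\s*"(?<href>[^"]+)"[^>]*>(?<text>.*?)</a>'
    foreach ($m in [regex]::Matches($HtmlBody, $pattern, 'IgnoreCase, Singleline')) {
        $href = $m.Groups['href'].Value
        $text = ($m.Groups['text'].Value -replace '<[^>]+>', '').Trim()

        # Host the link actually points at ($host is a reserved automatic variable,
        # so a different name is used here).
        $uri = $null
        $linkHost = ''
        if ([System.Uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$uri)) {
            $linkHost = $uri.Host.ToLowerInvariant()
        }

        # Trusted only if the real host is the expected domain or a subdomain of it.
        $trusted = $false
        foreach ($d in $ExpectedDomains) {
            if ($linkHost -eq $d -or $linkHost.EndsWith(".$d")) { $trusted = $true }
        }

        # If the visible text itself looks like a URL, its host should match the real host.
        $textHost = ''
        $textUri = $null
        if ([System.Uri]::TryCreate($text, [System.UriKind]::Absolute, [ref]$textUri)) {
            $textHost = $textUri.Host.ToLowerInvariant()
        }
        $textLies = ($textHost -ne '') -and ($textHost -ne $linkHost)

        [pscustomobject]@{
            VisibleText       = $text
            RealTarget        = $href
            RealHost          = $linkHost
            Trusted           = $trusted
            TextHidesRealHost = $textLies
        }
    }
}

# Constructed sample: one link disguised as an AFP page, one genuine AFP link.
$sampleEmail = @'
<p>You have an outstanding traffic infringement. View it here:</p>
<p><a href="http://203.0.113.5/fine/view.php">https://www.afp.gov.au/infringements</a></p>
<p>Privacy: <a href="https://www.afp.gov.au/privacy">AFP privacy policy</a></p>
'@

Get-SuspiciousLinks -HtmlBody $sampleEmail | Format-Table -AutoSize
```

On the constructed sample the first link reports RealHost 203.0.113.5, Trusted False and TextHidesRealHost True, which is exactly the mismatch the hover test reveals; the second link is trusted. Anything with Trusted False is a link not to follow.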

What happens if you click the link?

Once the page loads, the victim is presented with a CAPTCHA challenge. When it is completed, they download a zip file containing an executable file, which is a variant known as the cryptolocker virus. Game over!

The Cryptolocker virus will then encrypt your files, all of your files, and display a ransom message with instructions on how to make payment to be able to recover the encrypted data.


How to get your data back

After removing the cryptolocker virus, the next step is to recover your data.

Option 1 – Restore data from your backup 

If you back up regularly, you'll be thanking your lucky stars. It's as simple as restoring your backup data: replace the encrypted files with your backup files.

After you restore your files, we recommend backing up again and reinstalling your operating system, just to be sure there are no back doors left open.

Option 2 – Check for a shadow copy of your files

Right-click on the file, go to Properties, then Previous Versions, and see if there's a version to restore. (These are usually deleted by the trojan, but check anyway.)
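The Previous Versions tab reads from Volume Shadow Copies, and when the tab is empty it is worth confirming from an elevated PowerShell prompt whether any snapshots of the drive survived at all. The script below is an added example, not Bridge IT's code: it lists the snapshots for a drive and, if one still holds an earlier copy of a file, copies that version out. It assumes Windows with the VSS service, an elevated prompt, and uses a temporary directory symbolic link (the mklink step) because the snapshot's \\?\GLOBALROOT device path cannot be read by Copy-Item directly; the C:\vss_restore mount point and the file paths in the usage lines are assumptions.

```powershell
# Added example (not from the original article): list surviving Volume Shadow Copies
# and recover an earlier version of one file from the newest snapshot that has it.
# Assumes Windows with VSS and an elevated PowerShell prompt.

function Get-ShadowCopySnapshot {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'C:'

    # Win32_ShadowCopy names the volume by its GUID path (\\?\Volume{...}\), so map
    # the drive letter to that first, then keep snapshots of that volume, newest first.
    $volumeGuid = (Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -eq $DriveLetter }).DeviceID
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeGuid } |
        Sort-Object InstallDate -Descending
}

function Restore-FileFromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$Path,         # full path of the encrypted/lost file
        [Parameter(Mandatory)][string]$Destination,  # folder to copy the recovered version into
        [string]$MountPoint = 'C:\vss_restore'       # assumed temporary link to the snapshot
    )
    $drive    = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')   # 'C:'
    $relative = $Path.Substring($drive.Length + 1)                  # 'Users\...\file.xlsx'

    $snapshots = @(Get-ShadowCopySnapshot -DriveLetter $drive)
    if ($snapshots.Count -eq 0) {
        Write-Warning "No shadow copies exist for $drive (ransomware commonly deletes them)."
        return $null
    }

    foreach ($snap in $snapshots) {
        if (Test-Path -LiteralPath $MountPoint) { cmd /c rmdir $MountPoint | Out-Null }
        # Directory symbolic link into the snapshot; the trailing backslash is required.
        cmd /c mklink /d $MountPoint "$($snap.DeviceObject)\" | Out-Null

        $candidate = Join-Path $MountPoint $relative
        if (Test-Path -LiteralPath $candidate) {
            New-Item -ItemType Directory -Force -Path $Destination | Out-Null
            $target = Join-Path $Destination ([System.IO.Path]::GetFileName($Path))
            Copy-Item -LiteralPath $candidate -Destination $target -Force
            cmd /c rmdir $MountPoint | Out-Null      # rmdir removes only the link
            Write-Host "Recovered $Path from snapshot taken $($snap.InstallDate) -> $target"
            return $target
        }
        cmd /c rmdir $MountPoint | Out-Null
    }
    Write-Warning "No snapshot of $drive contains $relative"
    return $null
}

# Usage (paths are assumptions):
# Get-ShadowCopySnapshot -DriveLetter 'C:' | Format-Table InstallDate, DeviceObject
# Restore-FileFromShadowCopy -Path 'C:\Users\me\Documents\tax.xlsx' -Destination 'D:\recovered'
```

Copy the recovered file to a different drive, as in the usage line, rather than back over the encrypted one, and do this only after the malware has been removed; a still-running infection would simply encrypt the restored copy again.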

Option 3 – Resign yourself to the fact that you have lost your data

Let’s be clear. These files have stronger encryption than internet banking and, at present, there is no way to decrypt them. Back it up (in case someone discovers how to decrypt them in future) and reformat your computer.

Option 4 – NOT RECOMMENDED – Pay the ransom

Bridge IT does not recommend paying the ransom. There are no guarantees that you will ever see your money or data again.

We have had a couple of clients pay the ransom. Fortunately it worked for all of them, but it still ended up costing a lot of time and money.

Here are the steps that were followed.

Step 1: You are asked to install the Tor Browser (it's like a private/secure browser).

Step 2: Go to a specific web address.

Step 3: Payment instructions come up on the screen. The payment is made in Bitcoin (kind of like black market money trading). To do this, select a bitcoin trader from the list and set up a payment (you enter how much you will be depositing and who it's going to be sent to; an account is provided in your ransom letter). You then get 2 hours to make the deposit. My client today had no other option but to pay. We made a deposit into a Commonwealth Bank account owned by the Bitcoin trader (about $750). You receive an email notification from the bitcoin trader within 10 minutes of depositing the money, saying that it should be transferred to the "bad guys" within an hour.

Step 4: Back in the Tor browser there is a button that allows you to refresh the page and check that the payment has cleared. Once cleared, it automatically runs a program that shows a decrypt button. Click that and it starts to run. There is a notification that it can take up to 4 hours.

Step 5: A message is displayed letting you know that the files have been decrypted and a restart is necessary. Your files should now be back to normal.

Step 6: Time to do virus and malware scans. Best to get an IT professional to do this. Alternatively, the safer option is to back up your data and do a fresh install of your operating system.

Step 7: BACK UP YOUR DATA! It goes without saying that you should be backing up your important data as a regular routine: photos, tax documents, etc. Do you have a disaster recovery plan? What happens if there is a fire? Do you have an off-site/cloud backup?

Do you need help with cryptolocker?

This is a very nasty piece of software. If you decide to pay the ransom, there is no guarantee that the recovery process will work. There are a few things that we can do to try and get some of your data back. For example, Dropbox files will be encrypted, but Dropbox has a disaster recovery option that allows you to restore older versions of files. You may also have a shadow copy of your files on your drive. The best thing you can do is turn your computer off immediately and call us (there's a chance the software may not have activated if you turn it off immediately). We can help you with options, the clean-up process, or taking you through the payment process should it get to that.

Please take care and share this with your family and friends. Hopefully it will save someone from suffering as some of my clients have.