Decrypt CTB Locker – how to remove ransomware

CTB Locker works the same as the other ransomware family representatives, such as TeslaCrypt Ransomware, CryptoWall Ransomware, Locky Ransomware, Cerber Ransomware, etc. Usually, the difference is only in the size of ransom crooks clamor for. CTB Locker is spreading through the web with spam emails attachments or in bundles with other free popular software, which all of us love to download without pay attention to the sources’ reliability. Once got in the victim’s system, CTB Locker encrypts all important files and start to demand the ransom in exchange for a promise to bring all back to the normal state.


decrypt CTB Locker
CTB Locker alert

CTB Locker – how it works?

If the ransomware infected your PC, you may lose the files with such extension as doc, docx, jpeg, jpg, pptx, psd, raw, rtf, rw2, rwl, xls, xlsx, etc. Moreover, this locker is able to communicate with its Command and Control server via the TOR browser. CTB Locker is capable with all major Windows versions, such as Windows Vista, Windows XP, Windows 7, 8 and 10. You can assure in the ransomware presence on your PC by checking the %MyDocuments%\.html file.

After CTB Locker encrypts your data, it will show you a warning message about it and the “instruction” on how to get encrypted files back. Such hackers’ guides are all about how much you should pay to them to decrypt CTB Locker. Often the access recovering equals to $120 in a form of Bitcoins.

remove CTB Locker
CTB Locker Instruction

CTB Locker is quite old ransomware representative, which was renewed in 2015. In spite of this fact, crooks are very flexible and apply the different approaches from time to time, so that’s why it’s hard for security experts to block CTB Locker once and forever. In the latest update, the fake CTB-Locker version appears – an CTB-Faker. This program has been developed by the amateur hackers and looks absolutely like real, but it doesn’t make the same things in the victim’s system. CTB-Faker uses WinRAR functionalities, which offers an easier method to ensrypt the files – they are compressed and stored in archives protected with the password. Of course, only the crooks who developed CTB-Faker have access to these passwords. Usually, they ask for $50 for the files decryption.

CTB-Faker removal
Fake CTB Locker

Fortunately, cyber security specialists have already found a way to unblocked this virus-generated archives by using the p4w1q3x5y8z code – but, it doesn’t mean that computer users will be safe. It just mean that we should expect for the new hackers’ tricks very soon.

How to decrypt files encrypted by CTB Locker?

The first thing that you should be prepared for is that even if you pay the ransom, it doesn’t mean that crooks will really decrypt your files. By honestly following the CTB Locker instruction, you can just lose the money and get nothing back.

So, the security experts recommends you two things related to the ransomware attacks:

  1. If your files are already encrypted, don’t pay the ransom. Try to get your files by restoring them from a backup.
  2. Stay always ready for the attack. Make backups regularly and pay attention to the CTB-Locker prevention.

Restore encrypted files with System Restore option

Step 1: Reboot your computer to Safe Mode with Command Prompt

Windows 7 / Vista / XP

  • Click Start → Shutdown → Restart → OK.
  • When restart will be completed, press F8 multiple times and you’ll see the Advanced Boot Options window.
  • Select “Command Prompt” from the list you’ll see there.
decrypt files on windows 7
Enable Safe Mode with Command Prompt on old Windows versions

Windows 8 / Windows 10

  • Press the Power button at the Windows login screen. Hold the Shift on your keyboard, and click “Restart”.
  • Choose Troubleshoot → Advanced options → Startup Settings and finally press “Restart”.
  • When restart will be completed, select “Enable Safe Mode with Command Prompt” in Startup Settings window.
decrypt files on windows 10
Enable Safe Mode with Command Prompt on Windows 8,10

Step 2: Restore your system files and settings

  • Enter cd restore in the Command Prompt window and click “Enter”.
  • Type rstrui.exe → “Enter”
  • Click “Next” in the new window and choose your restore point that is prior the infiltration of CTB Locker. Then, click “Next”.
  • Click “Yes” to start system restore.

Step 3: Scan your system with antimalware software to be sure that there aren’t any malicious elements in your system which CTB Locker may installed:

Anti-Malware Tool from GridinSoft

Restore CTB-Locker infected files with Shadow Volume Copies

You can use shadow copy snapshots instead of utilizing the System Restore on your Windows. Shadow Volume Copies are available on such Windows operating system versions, as XP Service Pack 2, Vista, 7 and 8. To use this option, you can choose one of two methods:

  • Native Windows Previous Versions

    Right-click on an encrypted file → Properties → Previous versions tab. Choose the version of the file that you wish to get. Click Copy to save the file to your own directory, or Restore to replace encrypted file.

  • Shadow explorer

    Find the Shadow explorer online or portable version – it’s free. Open the program → Select the drive with the stored files → Choose the “Export” to retrieve a whole folder, and the new place to store it.


How to prevent CTB Locker attack

To make sure, that you’re protected from the ransomware attack, use the following tips:

  1. Don’t open suspicious spam letters. No way. Be very careful with your downloads. Download and install software preferably from its official website.
  2. Use the vaccine against the locker infection. GridinSoft Anti-Ransomware will keep your system safe from the future attacks.
  3. Do backups of your important files regularly. Storing your really important files in few different places is a good decision too.
  4. Keep your system free from adware, hijackers and PUPs – the computer which is already infected will be more likely infected with other malicious software, and ransomware is not an exception in this case.
  5. Don’t panic. Remember that we attract what we are afraid of in our lifes.
Gridinsofr Anti-Ransomware
Keep protection enabled to prevent extortion

Leave a Comment

*