How to remove Cryptolocker and decrypt your files
Has the CryptoLocker virus infected your computer and encrypted your files? If you turn on your computer and see a black DECRYPT_INSTRUCTIONS.html wallpaper that covers the entire desktop, along with an offer to decrypt your files in return for payment, your computer has been infected with the Cryptolocker virus, which is file-encrypting ransomware.
This is just an example. Your message may look different.
In this article we'll show you the ways to remove the infection itself and recover your files.
What is CryptoLocker Ransomware?
Cryptolocker is a malware program, created by cyber criminals, which encrypts files on your computer and offers decryption in exchange for a payment, the so-called ransom. This type of malware is called ransomware. It is well known that Cryptolocker can infect any operating system version and revision (Windows XP, Windows Vista, Windows 7, and Windows 8). Keep in mind that the infection itself is not very hard to remove; decrypting the files affected by this malicious program, on the other hand, is impossible without paying the ransom. This is why it is always good practice to keep a fresh backup copy of your files.
How did Cryptolocker malware get on my computer?
The Cryptolocker ransomware virus might infect your computer when you browse suspicious websites, or reliable websites that have been compromised by cyber criminals, or through infected email messages or fake downloads. In some cases Cryptolocker malware might be installed along with a free software program downloaded from the internet. When CryptoLocker ransomware is installed on your computer, it creates an executable in the %AppData% or %LocalAppData% folder. This executable is launched to scan all the drives on your computer for data files to encrypt. While encrypting your files, the ransomware also creates a ransom note named DECRYPT_INSTRUCTIONS.txt and puts it in each folder in which a file has been encrypted. Your Windows desktop wallpaper will also be changed to DECRYPT_INSTRUCTIONS.html. Both the wallpaper and the text ransom note contain the same information on how to access the payment site and get your files back.
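The artefacts described above can be inventoried with a short PowerShell script. This is an added example, not part of the original article; the function names are hypothetical, and it assumes PowerShell 4.0 or later (for Get-FileHash). Executables are only listed for review, since legitimate software also installs files under these folders.

```powershell
# Added example: inventory the artefacts the article describes.
# Function names are hypothetical; nothing is deleted or modified.

function Get-RansomNoteFolder {
    # Lists every folder that holds a ransom note, oldest note first.
    # The oldest note approximates when encryption started.
    param(
        [Parameter(Mandatory)][string[]]$Root,
        [string]$NoteName = 'DECRYPT_INSTRUCTIONS.txt'   # name taken from the article
    )
    Get-ChildItem -Path $Root -Filter $NoteName -File -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object @{ Name = 'Folder';      Expression = { $_.DirectoryName } },
                      @{ Name = 'NoteWritten'; Expression = { $_.CreationTime } } |
        Sort-Object NoteWritten
}

function Get-AppDataExecutable {
    # Lists .exe files sitting directly in %AppData% and %LocalAppData%,
    # with creation time, signature status and SHA-256 for later lookup.
    param(
        [string[]]$Folder = @($env:APPDATA, $env:LOCALAPPDATA)
    )
    Get-ChildItem -Path $Folder -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Review the current user's profile (use a drive root such as 'D:\' for a full scan).
$notes = Get-RansomNoteFolder -Root $env:USERPROFILE
$notes | Format-Table -AutoSize
"Folders with a ransom note: $(@($notes).Count)"

Get-AppDataExecutable | Sort-Object Created | Format-List
```

An unsigned executable whose creation time sits just before the oldest ransom note is the first candidate to examine.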
Is it possible to decrypt files encrypted by CryptoLocker?
No, at this time it's not possible. CryptoLocker is noteworthy because of its encryption method: it uses AES-256 and RSA encryption. Data encrypted with the RSA public key can only be decrypted with the corresponding private key. Since the AES key is hidden using RSA encryption and the RSA private key is not available, decrypting the files is not possible. Because of the length of the AES encryption key, brute forcing the decryption key would take too much time, which is why this decryption method cannot be considered. So unfortunately, once the CryptoLocker encryption of the data is complete, decryption is not possible without paying the ransom on the Decryption Service site. Note that paying the ransom demanded by this ransomware means sending your money to cyber criminals and supporting their criminal goals. More importantly, there is NO guarantee that your files will ever be decrypted. Therefore, the ideal solution is to remove this ransomware virus and then restore your data from a backup.
How to remove the CryptoLocker ransomware
There are a few ways to remove Cryptolocker from your computer. First, we will remove the malware itself:
If your computer fails to start in Safe Mode with Networking, try performing a System Restore by following the steps below:
In some cases the ransomware disables Safe Mode, making the removal process more complicated. That is why the Safe Mode option is sometimes not available. In that case you should try using a Windows Installation DVD to restore your system to a previous date and time.
How to restore your files encrypted by Cryptolocker
Second, once the removal of the ransomware program is complete, you need to restore your files. As mentioned above, it is impossible to decrypt files which have been encrypted by Cryptolocker, which is why we'll use ShadowExplorer to extract your files from the shadow copies that the Windows operating system creates by default. So, what is ShadowExplorer? It is a software program which allows you to browse the shadow copies created by the Windows Vista/7/8 Volume Shadow Copy Service. You can download ShadowExplorer from the link below:
Once you have downloaded and installed ShadowExplorer, run the program (from your Start menu or a Desktop icon). You will see a window showing the files stored in shadow copies. Choose the drive letter from which you want to restore your files. Locate the files or folders you want to restore, right-click them and select Export from the drop-down menu. You will then be prompted to select a folder in which to restore these files; pick or create one. After the restore is complete, feel free to use your files at your own convenience.
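Before exporting, it helps to confirm that a shadow copy older than the infection actually exists. The following is an added example, not part of the original article: the function name is hypothetical, the cut-off time shown is a constructed value, and it assumes an elevated PowerShell 3.0 or later session (for Get-CimInstance).

```powershell
# Added example: find, per volume, the newest shadow copy taken before a cut-off.
# Run from an elevated prompt; Win32_ShadowCopy is not readable by standard users.

function Get-ShadowCopyBefore {
    # -Before: a time known to precede the encryption, for example the
    # creation time of the oldest DECRYPT_INSTRUCTIONS.txt on the disk.
    param(
        [Parameter(Mandatory)][datetime]$Before
    )
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.InstallDate -lt $Before } |
        Group-Object -Property VolumeName |
        ForEach-Object {
            # Newest snapshot that still predates the cut-off for this volume.
            $_.Group | Sort-Object -Property InstallDate -Descending | Select-Object -First 1
        } |
        Select-Object ID, VolumeName, InstallDate, DeviceObject
}

# Constructed cut-off time for illustration; replace with your own.
$cutoff = [datetime]'2013-11-01 09:00'
$usable = Get-ShadowCopyBefore -Before $cutoff

if ($usable) {
    $usable | Format-List
} else {
    "No shadow copy older than $cutoff was found; restore from a backup instead."
}
```

The InstallDate of each result is the snapshot date to pick in ShadowExplorer for that drive.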
What to do to avoid being infected with Cryptolocker ransomware?
To avoid infecting your computer with a ransomware virus, stay on guard when opening email messages, since cyber criminals use catchy titles to trick you into opening an infected email attachment. Always check the link address when browsing the internet. And, of course, watch what you download from the internet or a P2P network. Cyber criminals can disguise their ransomware viruses as legitimate downloads (for example, a Flash Player update). To protect your computer in the future, it is good practice to use reliable antivirus and anti-spyware programs.
Hope this article helped you to resolve your issue. Good luck.