Your Personal Files Are Encrypted-CBT Locker (Critoni Ransomware)

If you are seeing the “Your personal files are encrypted” message, you are in big trouble!

Ransomware is a category of infections that block or encrypt the files on users’ computers and demand a payment before users can retake control of their files. In the case of CBT-Locker (Critoni) Ransomware, you will be presented with a full-screen message which will appear every time you turn your PC on. The message will state that your personal files have been encrypted and that you need to buy a decryption key if you want to see your files again. With the infection on your PC, you will not be able to do anything, so you need to take measures to remove it immediately.

CBT-Locker (Critoni) Ransomware may enter the system just like any other infection. It can arrive alongside some dubious downloads acquired at unreliable websites. You can come across these after clicking pop-up ads promoting updates for Flash Player, Java, and other software. Ransomware can also be distributed using spam email attachments, so it is preferable if you avoid opening emails from unknown senders carrying attached files. It is important to remember that if you want to prevent infecting your system with CBT-Locker (Critoni) Ransomware, you should practise safe browsing.

You will notice a countdown timer in the message displayed by CBT-Locker (Critoni) Ransomware. This is used to urge you to make the payment sooner, although there is no evidence of any consequences if you do not purchase the decryption key within the time limit. It would be best not to purchase it at all, because paying does not eliminate the infection, which means the same situation may occur again. Moreover, you will be giving your money (or bitcoins as required by the infection) to malicious parties, which is as good as being robbed. To prevent data and money loss, we strongly advise you to run a standard file backup now and again, and to make sure CBT-Locker (Critoni) Ransomware is removed from the system for good.

How to Remove CBT Locker?

From Windows 7

  • Make sure you do not have any floppy disks, CDs, and DVDs inserted in your infected computer
  • Restart the computer
  • When you see a table, start tapping the F8 key every second until you enter the Advanced Boot Options
  • In the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press ENTER.
  • Once the operating system loads, press the Windows Logo Button and the R key simultaneously.
  • A dialog box should open. Type iexplore www.virusresearch.org/download-en
  • Internet Explorer will open and a professional scanner will start downloading
  • Follow the instructions and use the professional malware removal tool to detect the files of the virus.
  • After performing a full scan you will be asked to register the software. You can do that or perform a manual removal as shown in step 2

From Windows 8

Start Your Computer into Safe Mode with Networking

  • Make sure you do not have any floppy disks, CDs, and DVDs inserted in your computer
  • Move the mouse to the upper right corner until the Windows 8 charm menu appears
  • Click on the magnifying glass
  • Select Settings
  • In the search box type Advanced
  • On the left, the Advanced Startup Options entry should appear
  • Click on Advanced Startup Options
  • Scroll down a little bit and click on Restart Now
  • Click on Troubleshoot
  • Then Advanced options
  • Then Startup settings
  • Then Restart
  • When the list of startup options appears, press F5 – Enable Safe Mode with Networking
  • Once the operating system loads, press the Windows Logo Button and the R key simultaneously.
  • A dialog box should open. Type iexplore www.virusresearch.org/download-en
  • Internet Explorer will open and a professional scanner will start downloading
  • Follow the instructions and use the professional malware removal tool to detect the files of the virus.
  • After performing a full scan you will be asked to register the software. You can do that or perform a manual removal.
  • To perform manual removal, follow the steps below.

STEP 2: Locate the virus start-up point

Press the Windows Logo Button and “R” simultaneously to open the Run command

Type “taskschd.msc” in the box to open your Task Scheduler

After that, locate and remove the entries of the ransomware.

Delete the scheduled task and the file it is pointing at. Please note that the file name is random and yours might be different.

Restart Windows.
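One way to find such a task without browsing the whole Task Scheduler tree, as an added example that is not part of the original guide: the PowerShell script below lists tasks whose action runs from a per-user writable folder. The folder list and the English schtasks.exe column names are assumptions, and the script only reports; it deletes nothing.

```powershell
# Added example: list scheduled tasks whose action runs from a per-user writable
# folder so they can be reviewed before deletion. Nothing is deleted here.
# Assumptions: English-language schtasks.exe column names ('TaskName',
# 'Task To Run', 'Author'); the folder list below is a heuristic.
$watchDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLower() }

# /v adds the 'Task To Run' column. The CSV header is repeated per task folder,
# so rows that are only a copy of the header are dropped.
$tasks = schtasks.exe /query /fo CSV /v | Where-Object { $_ } | ConvertFrom-Csv |
    Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' }

$findings = foreach ($task in $tasks) {
    $action = [Environment]::ExpandEnvironmentVariables($task.'Task To Run')
    $lower  = $action.ToLower()
    if (-not ($watchDirs | Where-Object { $lower.Contains($_) })) { continue }

    # Pull the executable or script path out of the command line, quoted or not.
    $path = $null
    if ($action -match '^\s*"?([^"]+?\.(exe|com|scr|bat|cmd|vbs|js))(?=["\s]|$)') {
        $path = $Matches[1]
    }
    $created = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $created = (Get-Item -LiteralPath $path -Force).CreationTime
    }

    New-Object PSObject -Property @{
        TaskName    = $task.TaskName
        Author      = $task.Author
        Action      = $action
        FileExists  = [bool]$created
        FileCreated = $created
    }
}

# A task with several triggers appears once per trigger; keep one row per task.
$findings | Sort-Object TaskName -Unique |
    Select-Object TaskName, Author, FileExists, FileCreated, Action |
    Format-List
```

Run it from an elevated PowerShell prompt so tasks of all users are listed. Legitimate software can also run from these folders, so check each entry before deleting it.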

STEP 3: Restore Encrypted Files

There are several methods you can use; however, nothing is guaranteed.

Method 1 – recover the encrypted files by hand:

You can try to use the built-in feature of Windows called System Restore. By default the System Restore feature is automatically turned on. Windows creates shadow copy snapshots that contain older copies of your files, taken when the restore point was created. These snapshots will let you recover a previous version of your file; although it will not be the latest one, you can still recover some important information. Please note that Shadow Volume Copies are only available with Windows XP SP2, Vista, Windows 7 and Windows 8.

Method 2 – partially restore the encrypted files by using Microsoft Office junk files:

Basically you need to show your hidden files. The fastest way to do that is:

  1. Open Folder Options by clicking the Start button.
  2. In the search box type “FOLDER OPTIONS”.
  3. Select the View tab.
  4. Under Advanced settings, find Show hidden files and folders, select it, and then click OK.

You are interested in every hidden file that looks like ~WRL382.tmp. This is actually a Microsoft Office junk file that contains the previous version of the Word document itself. The Cryptowall parasite will not encrypt these files. The name of the file will be unknown, but you can recover a lot of lost documents using this method. This can be utilized for Microsoft Word and Microsoft Excel. In addition, you can try to match the file sizes in order to figure out what is what, and eventually you can restore a slightly older original document.

There is another way to locate the files in question. All you have to do is hit the Start button and type *.tmp. You will be presented with a list of all the temp files located on your computer. The next thing is to open them one by one with Microsoft Word/Excel and recover the lost information by saving it to another place. You can do that by opening a new instance of MS Word/Excel, selecting Open through the File menu, and then navigating to the location of the TMP file.
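The *.tmp search described above can also be scripted. This added example (not part of the original guide) copies hidden ~*.tmp files from the Documents folder to a review folder and lists their sizes and dates; the search root, the ~ prefix filter and the tmp-recovery folder name are assumptions.

```powershell
# Added example: inventory hidden Office temp files (~*.tmp) and copy them to a
# separate folder for review. The originals are left untouched.
# Assumptions: $searchRoot and $recoverTo are illustrative; point $recoverTo at
# another drive if one is available.
$searchRoot = [Environment]::GetFolderPath('MyDocuments')
$recoverTo  = Join-Path $env:USERPROFILE 'tmp-recovery'   # hypothetical folder name

if (-not (Test-Path -LiteralPath $recoverTo)) {
    New-Item -ItemType Directory -Path $recoverTo | Out-Null
}

# -Force makes Get-ChildItem return hidden files without changing Folder Options.
$candidates = Get-ChildItem -Path $searchRoot -Filter '~*.tmp' -Recurse -Force `
        -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Length -gt 0 } |
    Sort-Object LastWriteTime -Descending

$index = 0
$report = foreach ($f in $candidates) {
    $index++
    # Prefix a counter so equally named temp files from different folders do not collide.
    $copyName = '{0:D4}_{1}' -f $index, $f.Name
    $copyPath = Join-Path $recoverTo $copyName
    try {
        [System.IO.File]::Copy($f.FullName, $copyPath, $true)
        # Clear the hidden attribute on the copy so it shows up in the Open dialog.
        [System.IO.File]::SetAttributes($copyPath, [System.IO.FileAttributes]::Normal)
    } catch {
        Write-Warning "Skipped $($f.FullName): $($_.Exception.Message)"
        continue
    }

    New-Object PSObject -Property @{
        Copy         = $copyName
        SizeKB       = [math]::Round($f.Length / 1KB, 1)
        LastModified = $f.LastWriteTime
        FoundIn      = $f.DirectoryName
    }
}

# Size and timestamp are the clues for matching a temp file to a lost document.
$report | Select-Object Copy, SizeKB, LastModified, FoundIn | Format-Table -AutoSize
```

Open the copies from Word or Excel through the File menu as described above, and save anything readable under a new name.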

Method 3 – Decrypt Encrypted Files

Unfortunately, there is currently no way to decrypt the files encrypted by CBT Locker unless you pay the ransom. Please consider this the very last option, because you might be funding further criminal activities.
