Tuesday, December 24, 2013

CryptoLocker Ransomware Removal, Your Personal Files Are Encrypted

According to a report by security researchers, a damaging form of ransomware called CryptoLocker has now infected about 250,000 PCs. The first version of CryptoLocker surfaced in September 2013 and originally propagated through seemingly legitimate email attachments such as ZIP files, or through sponsored links. Later, with updated attributes, the CryptoLocker virus could also be delivered by malicious websites or packaged with pirated or copyrighted applications. When users click on such malicious resources, CryptoLocker is forcibly installed and activated on the compromised machine. Unlike common ransomware, CryptoLocker not only restricts access to a victim's computer but also encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography.

To unlock the target computer and obtain the unique private key needed to decrypt the user's data, CryptoLocker displays a pop-up message demanding that victims pay 300 USD/EUR or 2 Bitcoins through a pre-paid voucher. The ransom has continued to increase at the discretion of the cyber criminals: the current price has been raised to 10 Bitcoins, which is about $2,100 USD. To threaten PC users, CryptoLocker also claims that “Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server”. However, no matter how CryptoLocker intimidates victims, it should be removed from the computer to avoid unwanted data loss or further damage. Once installed, CryptoLocker generally saves itself under a randomly named filename in the root of the %AppData% or %LocalAppData% path.

By inserting its malicious registry files into the kernel system, the CryptoLocker virus can load automatically whenever Windows starts, technically modifying how the Windows boot sector works. CryptoLocker then attempts to infect and delete the Volume Shadow Copy Service (VSS), which users rely on to manually or automatically restore corrupted or encrypted files. If CryptoLocker is not removed from the computer in time, it may even exploit system vulnerabilities it finds to drop and install additional malware that does further harm to the affected computer, which may include Trojans, worms, browser hijackers or fake antivirus applications. The extra malware could even open system ports to third parties, allowing hackers to access the compromised machine freely. Therefore, CryptoLocker should be removed from a PC as soon as its presence is noticed.

Symptoms of CryptoLocker Ransomware


  • Encrypts user sensitive documents, multimedia objects or any other files containing important information. Leaves only encrypted data, usually deleting the original files.
  • Deletes user documents, multimedia objects or any other files containing important information.
  • Corrupts the entire system or installed software by deleting essential system components or important parts of installed software.
  • Steals login names, passwords, valuable personal documents, identity data and other user sensitive information.
  • Sends all gathered data to a predefined e-mail address, uploads it to a predetermined FTP server or transfers it through a background Internet connection to a remote host.
  • Freezes the system, making it completely unusable.

Why Antivirus Cannot Help?


In order to remove the CryptoLocker virus, you may have tried many antivirus programs that you trust, but failed. Why? Because security removal tools are not human beings and cannot catch everything new. They need to be updated from time to time to catch newly released viruses. However, it seems that the creators of these infections know this, and they give all the files related to their viruses random names. What's worse, these pests can mutate quickly. Thus, your antivirus cannot remove CryptoLocker completely. The most effective way to get rid of CryptoLocker ransomware is manual removal. Here is a guide for you.

1. Safe Mode with Networking

For Windows 7, XP & Vista

Before performing the manual removal of the CryptoLocker virus, reboot your computer into "safe mode with networking" by repeatedly tapping the F8 key before Windows is launched.

For Windows 8

a. Start the infected computer and log in until you see the desktop.
b. Press the Ctrl+Alt+Del key combination; the Switch User interface will pop up.
c. Hold down the “Shift” key on the keyboard and at the same time click the “Shut down” button once in the bottom right corner of the page.
d. You will get three options there: Sleep, Shut down and Restart. Click on the Restart option.
e. The next screen is the ‘Choose an Option’ screen; there you need to select ‘Troubleshoot’.
f. On the Troubleshoot page click ‘Advanced Options’. In the following window choose ‘Startup Settings’.
g. Choose ‘Restart’, and then wait for a minute. Windows will automatically display the Safe Mode options. Finally, press the F5/5 key to highlight the Safe Mode with Networking option, and hit the Enter key as well. After that, the Windows 8 operating system will boot up in safe mode with networking.

2. Show hidden files of CryptoLocker virus

  • Open Folder Options by clicking the Start button > Control Panel > Appearance and Personalization, and then clicking Folder Options. After that, click the View tab.
  • Under Advanced settings, click Show hidden files and folders, uncheck Hide protected operating system files (Recommended) and then click OK.

3. Open your Task Manager by pressing the Ctrl+Alt+Delete keys and end the processes of the CryptoLocker virus.

4. Open your Registry Editor, then find the registry entries of the CryptoLocker virus and remove them (note: new registry entries are still made every month so far):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit”={rnd}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun”"

5. Open your Registry Editor, then find the registry entries of the CryptoLocker virus and remove them (note: new registry entries are still made every month so far):

%AppData%\NPSWF32.dll
%AppData%\Protector-.exe
%AllUsersProfile%\ApplicationData\.exe(rnd)
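
The checks in steps 4 and 5 can be done as a read-only audit before anything is deleted. The PowerShell below is an added example, not part of the original guide: it assumes PowerShell 2.0 or later run as the affected user, uses the HKCU keys and the %AppData% / %LocalAppData% root locations named in this article, and all variable names are this example's own.

```powershell
# Added example: read-only audit of the locations named in steps 4 and 5.
# It only reports findings; nothing is deleted or modified.
$roots = @(@($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ })

# Executables sitting directly in the root of %AppData% / %LocalAppData%
# (subfolders are ignored), where the article says the malware saves itself.
$rootExes = @(foreach ($r in $roots) {
    Get-ChildItem -LiteralPath $r -Filter *.exe -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
})

# Autostart values under the HKCU Run key listed in step 4.
$runHits = @()
$key = Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        # Expand %VAR% references and drop quotes before comparing paths.
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name)).Replace('"', '')
        foreach ($r in $roots) {
            # Matches "<root>\<file>.exe" with no further subfolder.
            if ($cmd -match ('^' + [regex]::Escape($r) + '\\[^\\]+\.exe(\s|$)')) {
                $runHits += New-Object PSObject -Property @{ Name = $name; Command = $cmd }
            }
        }
    }
}

# Policy entries from step 4, using the value and key names given in this article.
$polBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$sysPol = Get-ItemProperty -LiteralPath "$polBase\System" -ErrorAction SilentlyContinue
$hasDisableRegedit = $null -ne $sysPol.DisableRegedit
$hasDisallowRun = Test-Path -LiteralPath "$polBase\Explorer\DisallowRun"

Write-Output '--- Executables in profile roots ---'
$rootExes | Format-Table FullName, CreationTime, Length -AutoSize | Out-String
Write-Output '--- Run values pointing at profile roots ---'
$runHits | Format-Table Name, Command -AutoSize | Out-String
Write-Output "DisableRegedit value present: $hasDisableRegedit"
Write-Output "DisallowRun key present:      $hasDisallowRun"
```

A Run value that launches an executable directly from a profile root is worth reviewing by hand; legitimate software normally installs into its own subfolder.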

Tips for Preventing CryptoLocker Virus


  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.

Manual removal of CryptoLocker ransomware is a complex and risky task, as it involves key parts of the computer system, and is recommended only for advanced users. If you do not have sufficient expertise to do that, it is recommended to ask a VilmaTech 24/7 Online Computer Expert to remove it manually for you.
