Cryptolocker Removal, File Decryption and File Recovery

Cryptolocker Removal and file recovery – crypt0l0cker

Computer Emergency recently gave advice on cryptolocker for NBN News.

Cryptolocker removal is relatively easy and fast. There are several major removal programs that will automatically remove cryptolocker for you. The hardest part of this process is file recovery so before we get into things too much:


Without backups, just removing the virus will only allow you to get windows back running correctly but NOT get back your encrypted data.

What is cryptolocker?

Cryptolocker, or crypt0l0cker, is a ransomware trojan that encrypts your data and holds it for ransom.

How does cryptolocker infect my computer?

It usually comes in the form of an email attachment like a PDF,EXE, ZIP file. The email will be written to create panic eg speeding fine, crazy power bill price, or it could be something as simple as a resume for a job application. Once you click on the link/attachement the ransomware starts to work in the background, encrypting your data file by file, deleting the original, until the point that all your files are encrypted.

How do I know if I have cryptolocker?

Here are a few images of messages that you may see if you have been infected. These things change all the time so you might see something different. The concept will be the same though.

Cryptolocker Removal and file recovery

cryptolocker variation 2

cryptolocker variation 1

cryptolocker variation 4

Can I prevent getting Cryptolocker?

Yes! Other than keeping your antivirus up to date there are some great tools to combat cryptolocker style viruses. Bitdefender have a free cryptolocker tool to defend these ransomware attacks.

Cryptolocker Decryption Tools

IMPORTANT! Make sure you remove the malware from your system first, otherwise it will repeatedly lock your system or encrypt files. Any reliable antivirus solution can do this for you.


If you have a new version of Cryptolocker, chances are, the tools wont work on your files. It’s usually only older variations that work. Check out the major antivirus websites for the latest tools.


Need computer help right now?

CTB -Locker

I had another client with an encryption virus this morning. CTB Locker has been around for while but there’s a fresh new variant.

This one came in the form of an email bill from AGL electricity and looks quite authentic. As we have learned in previous blog posts about cryptolocker, the evidence of a scam is right in front of your eyes.

  1. Hovering your mouse over the email address reveals that the email didn’t come from an account.
  2. You would expect a bill to be in a PDF form, not locked away in a zip file.
  3. You arent expecting a bill that high – That’s the shock factor they go for. You would immediately think it was wrong and click on the link to find their mistake.

Removal of CTB Locker

Getting rid of the virus is relatively easy. It can be done with any of the major virus removal tools.

I really love the guys at Sophos who have a company called Surfright who make HitmanPro. This is all owned by my favorite antivirus company, Sophos.

This is an amazing program that gets ride of most of the problems I come across, including CTB-Locker and cryptolocker.

Decryption of files

To decrypt files affected by Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury,Trojan-Ransom.Win32.Crybola or Trojan-Ransom.Win32.Cryakl, use the RannohDecryptor utility from Kaspersky. This has been known to be very effective but at some point you may need to find a copy of an original file plus an encrypted version so it can compare the two and figure out what the encryption key is. Places to look for original, unencrypted files include email attachments, Dropbox, USB sticks, external hard drives etc.

You can download the RannohDecryptor program from the Kaspersky website.

Recover your files from a backup

After you have removed the virus, you can restore your files from your back up. Simply follow the restore process from your backup program.

Can you help remove my ransomware?

Yes, we can remove the ransomware and assist in the recovery of your encrypted files.

Ransomware is your worst nightmare! Several of my clients were hit with this, some more than once, over the last 12 months. I’ve written a couple of blog posts about it already and here I am again to let you know that this is going to get worse. All the major internet security companies are flagging 2016 as the year of ransomware.

What is ransomware?

It’s when a hacker steals your information or takes control of your computer and holds data for ransom. Usually it starts at around $500 and increases the longer you don’t pay. It’s a very, very nasty piece of software that can literally destroy your world (your computer files) in a flash.

How does ransomware work?

The files themselves are protected with 256-bit AES encryption. The keys generated by this first encryption process are then protected with 2048-bit RSA encryption, and the malware author keeps the private key.

I own a Mac. Am I safe?

Mac’s are less likely to be infected with malware & viruses but IT DOES HAPPEN! I’ve fixed several in 2015. The experts expect ransomware to start targeting Mac OSX in 2016 due to its growing popularity.

10 things that will help protect you from ransomware?

Firstly, take the common sense approach.

  1. BACK UP YOUR DATA – Don’t think “It will never happen to me” because it’s only a matter of time. Be it ransomware or a crashed hard drive.
  2. Once you have finished backing up your data, remove the device you have backed it up on. If it stays attached the ransomware can encrypt it.
  3. Keep your antivirus software up to date
  4. Make sure your computer updates are always up to date. Windows and programs. Check out Patch My PC for a cool free tool to ensure your programs are up to date.
  5. Don’t put anything online that you don’t want stolen because it can be used against you
  6. Show hidden file-extensions – Ransomware often hides in normal looking files. Eg you might see resume.pdf but it may actually be rasume.pdf.exe and install ransomware
  7. Filter EXEs in email – if you are able, deny emails sent with “.EXE” files.
  8. When you receive an email with a link or a button to click check who it was sent from. You can hover over a link and see if you recognise the url that pops up or appears in the bottom corner of your screen. For example, this one says but if you hover over it you will see something else. Don’t worry this one is OK to click on, but many are not even if they appear to come from someone you know.
  9. Disable RDP –  Remote Desktop Protocol. Cryptolocker is known to exploit this.
  10. Disconnect from WiFi or unplug from the network immediately if you suspect anything is wrong. If you act VERY quickly you might be able to stop communication with the server before it finish encrypting your files.

Cryptolocker is becoming a huge problem

I had another call out for Cryptolocker today and this person had been caught out earlier this year so I’m back to give you all another reminder!

For those of you who are unfamiliar with Cryptolocker: it’s a very nasty piece of software that encrypts all the files on your computer and holds them for ransom. There is no way to decrypt these files unless you pay them or unless you have a back up of your computer that you can restore. Keeping in mind that if the back up drive is connected to the computer at the time of encryption, that too will also be encrypted!

Here’s what today’s email looked like.

1. Note the From email address is not an address.
2. Note the odd use of English in some sections.
3. Before clicking on the link, just hover your mouse over it to see what the link address is. This one had a very random string of code. Again, it should be linked to an address with in it.



BAYCORP DEBT COLLECTION – Letters and phone calls.

We’ve been getting random letters & phone calls from Baycorp re: Debt Collection. The letterhead looks dodgy and the phone calls are just as dodgy. They ask you to contact them regarding an urgent matter. Once you contact them, they ask you to pay outstanding amounts for random bills.

ATO Tax Refund Phone Calls

A pretty standard one. A caller tells you you either have a refund or owe them. You are asked to provide your account details. SCAM.


Look at the from email address. If it’s not recognisable, contact the company through their website for confirmation that the email is real.
Hover your mouse over links before you press them to see what the link address is. If it’s not recognisable, again, contact the company for confirmation directly through their website or known email address.

Phone Calls

When we call a business, we are all used to confirming our details with them to prove who we are.
When someone calls us, we must make them prove who they are by confirming our details: an account number, tax file number etc.

If you think you’ve been scammed on your computer, turn off your computer (to prevent any further damage to your data) and contact Computer Emergency immediately on 0414 899 254.

For more information, check Scamwatch which is run by the Australian Competition and Consumer Commission (ACCC). It provides information to consumers and small businesses about how to recognise, avoid and report scams. You can sign up to their newsletter to keep up to date with the latest scams. We’ll always keep you up to date too!

AFP Cryptolocker Email sample
AFP Cryptolocker Email sample

Cryptolocker in 2015 and 2016

Over the last few months I have been getting more call outs for a very nasty piece of software (ransomware) called Cryptolocker.

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid aka they hold your files for ransom. Usually hundreds of dollars, sometimes thousands!

It arrives in your inbox as a simple email that looks quite legitimate. The two variations I’ve been dealing with are from Australia Post & the Australian Federal Police.

A few things to note:

Alarm bell #1. The AFP issuing a driving fine?
Alarm bell #2. How would the AFP get your email address?
Alarm bell #3. If you hover your mouse cursor over the link, you would expect to see a government web address that looks like this :,  but in this case, you see a random web address.

Most people delete the email on the spot but there are an alarming number of people who panic and follow the link.

What happens if you click the link?

Once the page loads, the victim is presented with a captcha challenge, and when it is entered they will download a zip file containing an executable file which is a variant known as the cryptolocker virus. Game over!

The Cryptolocker virus will then encrypt your files, all of your files, and display ransom message with instructions on how to make payment to be able to recover the encrypted data.

Can I prevent getting Cryptolocker?

Yes! Other than keeping your antivirus up to date there are some great tools to combat cryptolocker style viruses. Bitdefender have a free cryptolocker tool to defend these ransomware attacks.

How to get your data back

After removing the cryptolocker virus, the next step is to recover your data.

Option 1 – Restore data from your backup 

If you backup regularly, you’ll be thanking your lucky stars. It’s as simple as restoring your backup data. Replace the encrypted files with your backup files.

After you restore you files we recommend backing up again and reinstalling your operating system just to be sure there are no back doors left open.

Option 2 – Check for a shadow copy of your files

Right click on the file, go to properties, go to Previous Versions and see if there’s a file to restore. (these are usually deleted by the trojan but check anyway)

Option 3 – Resign yourself to the fact that you have lost your data

Let’s be clear. These files have stronger encryption than internet banking and, at present, there is no way to decrypt them. Back it up (in case someone discovers how to decrypt them in future) and reformat your computer.

Option 4 – NOT RECOMMENDED – Pay the ransom

Computer Emergency does not recommend paying the ransom. There are no guarantees that you will ever see you money or data again.

We have had a couple of clients pay the ransom. Fortunately they all worked but still ended up costing a lot of time and money.

Here are the steps that were followed.

Step 1: You are asked to install TOR Browser (it’s like a private/secure browser)

Step 2: and go to a specific web address.

Step 3: Payment instructions come up on the screen. The payment is made in Bitcoin (kind of like black market money trading). To do this, select a bitcoin trader from the list, set up a payment (you enter how much you will be depositing and who it’s going to be sent to – an account is provided in your ransom letter) You then get 2 hours to make the deposit. My client today had no other option but to pay. We made a deposit into a Commonwealth Bank account owned by the Bitcoin trader (about $750). You receive an email notification from the bitcoin trader within 10 minutes of depositing the money with a notification that it should be transferred to the “bad guys” within an hour.

Step 4: Back in the Tor browser there is a button that allows you to refresh the page and check that the payment has cleared. Once cleared, it automatically runs a program that shows a decrypt button. Click that and it starts to run. There is a notification that it can take up to 4 hours.

Step 5: A message is displayed letting you know that the files have been decrypted and a restart is necessary. Your files should now be back to normal.

Step 6: Time to do virus and malware scans. Best to get an IT professional to do this. Alternatively, the safer option is to back up your data and do a fresh install of your operating system.

Step 7: BACK UP YOUR DATA! It goes without saying that you should be backing up your important data as a regular routine. Photos, tax documents etc etc. Do you have a disaster recovery plan? What happens if there is a fire? Do you have an off site/cloud back up?

Do you need help with cryptolocker?

This is a very nasty piece of software. If you decide to pay the ransom, there is no guarantee that the recovery process will work. There are a few things that we can do to try and get some of your data back. Eg. Dropbox files will be encrypted but dropbox has a disaster recovery option that allows you to restore older versions of files. You may also have a shadow copy of your files on your drive. The best thing you can do is turn your computer off immediately and call us. (there’s a chance the software may not have activated if you turn it off immediately) We can help you with options, the clean up process or taking you through the payment process should it get to that.

Please take care and share this with your family and friends. Hopefully it will save someone from suffering as some of my clients have.

Call Computer Emergency to remove cryptolocker and restore your backup files!

Call Now for Managed IT Services Brisbane Book online for computer Repairs Brisbane