What is CTB-Locker?
CTB-Locker, also known as Critroni, is a ransomware program that targets Windows systems and encrypts the user's files. It is installed by a Trojan, which the victim may have picked up while visiting a compromised website. The malware takes some trouble to stay hidden: it drops a file whose name is a string of random digits and runs a process that presents itself as Adobe Flash Player 10.3 r183, so a user who notices it may assume it is just a plugin for watching online videos. Once encryption is complete, CTB-Locker displays a notification stating that your files have been encrypted and that you must pay the cyber criminals in order to restore access to them. We do not recommend following these instructions; instead, remove CTB-Locker from the system yourself.
How does CTB-Locker work?
As soon as CTB-Locker enters your system it starts encrypting your files: documents, photos, audio and other file types. Every encrypted file has its extension changed to CTB or CTB2. The ransomware then drops a file containing the criminals' instructions. According to these, the user must pay the so-called ransom in Bitcoin through an online payment service, otherwise the files are lost forever; the message also claims that the user has only 72 hours to complete the transaction.
CTB-Locker encrypts files using elliptic curve cryptography (the "Curve" in Curve-Tor-Bitcoin, which is what the abbreviation stands for). This is not a method unique to the infection but a standard public-key technique; what matters for the victim is that the private key needed to decrypt the files exists only on the criminals' side, so the files cannot be unlocked by analysing the sample on the infected machine. Once encryption is done, the malware also kills explorer.exe, the Windows shell process that provides the desktop and taskbar, so the PC cannot be used normally. Your desktop background is changed to a file stored in %MyDocuments%\AllFilesAreLocked<userid>.bmp, which also contains the payment instructions. These symptoms are temporary: after a restart the desktop returns to normal. However, at every restart the ransomware copies itself under a new name into the %Temp% folder and creates a new Task Scheduler job that launches the copy at logon, which is why you may find several copies of the same file under different names.
The full list of encrypted files is written to %MyDocuments%\<random>.html. Unfortunately, unless you have a backup, you may not be able to regain access to them. Without a backup you can try file recovery software such as R-Studio or PhotoRec, which may restore some files if the originals were deleted rather than overwritten; run such tools from another system or against a disk image, since anything written to the infected drive reduces what can be recovered, and keep the encrypted files in case a decryptor becomes available later. Paying the cyber criminals for the decryption key is the last resort and we would not recommend doing so, as it is rather doubtful that they will keep their promise and hand it over. What you should do now is eliminate CTB-Locker from your computer.
How to remove CTB-Locker?
To remove CTB-Locker manually, you have to delete the hidden job from the Task Scheduler, terminate the running copy, and then delete all executable files from the %Temp% folder; doing it in that order prevents the next logon from launching a fresh copy. We do not recommend doing this unless you have advanced computer knowledge. We therefore suggest that, after restarting your PC, you download and install a reliable anti-malware utility that will remove CTB-Locker and help keep your system safe in the future: it will scan your computer, detect the threat and remove CTB-Locker completely. As this infection shows, it is important to have a capable malware prevention and removal tool installed so that you can browse the Web safely and keep your system and personal data protected.
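The following PowerShell script is an added example written for this page; it is not part of the original article and is not code from CTB-Locker. It turns the persistence described in "How does CTB-Locker work?" (copies dropped into %Temp%, a hidden Task Scheduler job that runs at logon) and the manual removal steps above into something you can run and read before touching anything. It assumes an elevated prompt on Windows 8 / Server 2012 or later, where Get-ScheduledTask is available, and that the indicators are the ones the article names (executables in %Temp%, a logon task pointing there, AllFilesAreLocked*.bmp in My Documents, files with a .ctb or .ctb2 extension). The -Remove switch and the path-based matching are this example's own heuristics, not the article's.

```powershell
# Added example, not from the original article or the malware. Hunts for the
# persistence the article describes and optionally removes it. Assumes an
# elevated prompt on Windows 8 / Server 2012+ (ScheduledTasks module). Nothing
# is changed unless -Remove is given; -WhatIf previews every change.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# Get-Item expands an 8.3 TEMP path (C:\Users\BOB~1\...) to its long form so
# it compares correctly with process and task paths.
$temp = (Get-Item -LiteralPath $env:TEMP).FullName.TrimEnd('\')
$docs = [System.Environment]::GetFolderPath('MyDocuments')

function Test-InTemp([string]$Text) {
    # Case-insensitive "is this path, or does this command line refer to, something under %TEMP%?"
    $Text.IndexOf("$temp\", [System.StringComparison]::OrdinalIgnoreCase) -ge 0
}

# 1. Executables in %TEMP%. The article reports several copies under random
#    names; hashing shows which of them are the same binary.
Write-Host "== Executables in $temp =="
$tempExes = @(Get-ChildItem -LiteralPath $temp -Filter *.exe -File -Force -ErrorAction SilentlyContinue)
$tempExes | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.Name
        Bytes    = $_.Length
        Modified = $_.LastWriteTime
        SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize | Out-Host

# 2. Processes running from %TEMP%. The process poses as a Flash Player
#    update, so the name is no use; the image path is.
Write-Host "== Processes running from $temp =="
$tempProcs = @(Get-Process | Where-Object { $_.Path -and (Test-InTemp $_.Path) })
$tempProcs | Select-Object Id, ProcessName, Path | Format-Table -AutoSize | Out-Host

# 3. Scheduled tasks whose action launches something under %TEMP%, with the
#    hidden and logon-trigger flags so the job the article describes stands out.
Write-Host "== Scheduled tasks launching from $temp =="
$suspectTasks = @(foreach ($task in Get-ScheduledTask) {
    $hits = foreach ($action in $task.Actions) {
        # Only MSFT_TaskExecAction has Execute/Arguments; other action types yield empty strings.
        $exe     = [System.Environment]::ExpandEnvironmentVariables([string]$action.Execute).Trim('"')
        $argText = [System.Environment]::ExpandEnvironmentVariables([string]$action.Arguments)
        if ((Test-InTemp $exe) -or (Test-InTemp $argText)) { $exe }
    }
    if ($hits) {
        $logon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        [pscustomobject]@{
            TaskPath = $task.TaskPath
            TaskName = $task.TaskName
            Hidden   = [bool]$task.Settings.Hidden
            AtLogon  = $logon.Count -gt 0
            Execute  = ($hits -join '; ')
        }
    }
})
$suspectTasks | Format-Table -AutoSize | Out-Host

# 4. Ransom artifacts: the wallpaper dropped in My Documents and a count of
#    renamed files, which shows how far the encryption got.
Write-Host "== Ransom artifacts =="
Get-ChildItem -LiteralPath $docs -Filter 'AllFilesAreLocked*.bmp' -File -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize | Out-Host
$encrypted = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.ctb', '.ctb2' })
Write-Host ("{0} files with a .ctb/.ctb2 extension under {1}" -f $encrypted.Count, $env:USERPROFILE)

# 5. Optional cleanup in the order that stops the next logon from relaunching
#    the malware: unregister the task, stop the running copy, delete the droppers.
if ($Remove) {
    foreach ($t in $suspectTasks) {
        if ($PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", 'Unregister-ScheduledTask')) {
            Unregister-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -Confirm:$false
        }
    }
    foreach ($p in $tempProcs) {
        if ($PSCmdlet.ShouldProcess("$($p.ProcessName) (PID $($p.Id))", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force
        }
    }
    foreach ($f in $tempExes) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove-Item')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
```

Save it as a .ps1 file and run it once without arguments to see what it finds, then with -Remove -WhatIf to preview the cleanup and -Remove to carry it out. Matching on the image path rather than the process name is deliberate: the sample advertises itself as Adobe Flash Player 10.3 r183, but a real Flash installation does not run from %Temp%. The scheduled task is removed before the files because, as the article notes, the job is what re-creates the copies at the next logon; deleting the executables first would leave a task that simply fails or, if a copy is still running, gets re-created.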