How to Remove CryptoLocker

by News Editor on May 22nd, 2014 in Security Tips.

CryptoLocker is a piece of ransomware that blocks access to infected computers and demands payment for decrypting and recovering your files. The ransomware approach is simple. In most cases it gets into a system through a fake email, camouflaged as an attachment, and once the attachment is opened it proceeds to encrypt the files on your computer. Once the process is complete the virus hides itself and tells you that your data has been taken hostage and that you will need to buy a key to release it. That does not mean that after you pay the required amount your files will be decrypted and restored. If you enter a wrong code, CryptoLocker cuts the time left for obtaining the private key in half. CryptoLocker's encryption is strong and currently cannot be cracked.

An alert appears on the screen stating that you have 96 or 72 hours to pay $300 or lose all your encrypted personal files forever, and a countdown is already ticking on your screen. Usually it offers payment through one of several third-party methods such as MoneyPak (USA only), Ukash, cashU and Bitcoin. These make the transactions anonymous and tracing the attacker much harder or, unfortunately, impossible.

Once CryptoLocker has infected your PC, it saves itself under a random filename in the root of the %AppData% or %LocalAppData% path. It then creates one of the following startup entries in the registry so that CryptoLocker starts when you log in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker_<version_number>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker_<version_number>"

Behavior

This Trojan is very aggressive and protects itself from being deleted. A CryptoLocker infection creates two processes of itself; if you terminate only one, the other will automatically launch it again. Open Task Manager or Process Explorer, right-click the first malicious process and select End Process Tree, which terminates both at the same time. CryptoLocker also hides the infection files and protects them from deletion.
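The two passages above (the Run/RunOnce autostart entries and the self-restarting pair of processes) can be checked with a short script. The following PowerShell is an added example written for this page; it is not code from the original article or from any vendor. It assumes Windows PowerShell 3.0 or later. The registry keys, value-name forms and drop directories are the ones the article lists; the regular expression, the function names and the output fields are this example's own choices. It is read-only: it reports matching entries and any live processes running from the referenced executable, and leaves the End Process Tree step and the file cleanup to you.

```powershell
# Added example (not part of the original article): a read-only check for the
# CryptoLocker autostart entries and drop location the article describes.
# Assumes Windows PowerShell 3.0 or later. Function and variable names are
# this example's own, not the malware's or any vendor's.

function Get-ExePathFromCommand {
    param([string]$Command)
    # Run-key data is a command line: strip surrounding quotes and any arguments.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

function Find-CryptoLockerAutostart {
    # The two HKCU keys named in the article.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Value names from the article: CryptoLocker, *CryptoLocker,
    # CryptoLocker_<version_number>, *CryptoLocker_<version_number>.
    $namePattern = '^\*?CryptoLocker(_.*)?$'
    # The article's drop location: the root of %AppData% or %LocalAppData%.
    $dropRoots = @($env:APPDATA, $env:LOCALAPPDATA) | ForEach-Object { $_.TrimEnd('\') }
    # Snapshot of running processes, used to see whether a flagged image is live.
    $processes = Get-Process -ErrorAction SilentlyContinue

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $exe     = Get-ExePathFromCommand $command
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }

            $parent     = [System.IO.Path]::GetDirectoryName($exe)
            $inDropRoot = ($null -ne $parent) -and ($dropRoots -contains $parent.TrimEnd('\'))
            $nameMatch  = $name -match $namePattern
            if (-not ($inDropRoot -or $nameMatch)) { continue }

            # Processes whose image path is the flagged executable (the article notes
            # CryptoLocker runs as two processes that restart each other).
            $livePids = @($processes |
                Where-Object { $_.Path -and ($_.Path -ieq $exe) } |
                ForEach-Object { $_.Id })

            [pscustomobject]@{
                Key                = $key
                ValueName          = $name
                Command            = $command
                NameMatchesPattern = $nameMatch
                InAppDataRoot      = $inDropRoot
                RunningPIDs        = ($livePids -join ',')
            }
        }
    }
}

# Usage: list suspicious entries; an empty result means nothing matched.
Find-CryptoLockerAutostart | Format-Table -AutoSize
```

An entry is reported if either its value name fits the article's naming pattern or its executable sits directly in the root of %AppData% or %LocalAppData%, so a renamed value that still launches from the drop location is not missed. The RunningPIDs column shows which of the reported images are currently running; if it lists two IDs for the same path, that is the pair of mutually restarting processes the article describes, and End Process Tree on the first of them is the manual step the article recommends.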

Unfortunately, removing the virus itself does not help, and shutting down the server that holds the key would only result in the loss of the decryption tool; it is also difficult, because the servers switch location on a weekly basis. That is why you have only two options: pay the ransom or lose the data, but as in any hostage situation there is no guarantee that the criminals will honor their terms.

We do not recommend paying anyone in such cases; it only encourages the criminals to create new viruses. It is always better to prevent infection than to perform any cleaning or removal procedures on your PC, and this is especially true of a CryptoLocker infection.

To avoid becoming infected, we recommend following the rules below:

•    Perform backups of important files, keeping the backups stored offline.
•    Always keep your operating system and software up to date.
•    Do not follow untrusted web links in email messages or submit any information to the web pages they point to. Never open email attachments from unknown persons.
•    Perform regular backups of all systems to limit the impact of data and/or system loss.
•    Keep your antivirus software up to date and perform weekly full scans. We also advise a custom AV scan of any application or file downloaded from the internet before you install it.
•    Ensure the email scanning feature of your antivirus software is configured and enabled.

If you do not have an antivirus, you can download Ad-Aware Free Antivirus+. It detects the CryptoLocker infection as Trojan.GenericKD.1430364, which means it can protect your PC from the trojan if it is installed before the infection occurs.

To get rid of the virus itself you can do a system restore, but unfortunately that will not undo the encryption of your personal data.

The only recommended solution is to restore the encrypted files from a backup. That is why it is very important to back up your files regularly. If you see the message demanding payment, CryptoLocker has already encrypted your files, and unfortunately by then it is too late to recover them if they are not backed up.