Decrypt CTB Locker virus: how to remove CTB Locker

The present security report includes a comprehensive analysis of the CTB Locker ransomware virus, removal instructions and file decryption methods.

CTB Locker represents a new generation of computer viruses that the IT security industry has thus far discovered no reliable fix for, the only efficient rescue being in the realm of prevention. It is a ransomware program, which implies that the victim’s personal files are affected for the purpose of further extortion. This particular sample inherited the worst features of its predecessors, CryptoLocker and CryptoWall, and additionally got enhanced malicious capabilities intended to circumvent a number of previously applicable countermeasure vectors and make it barely feasible for the compromised users to restore the original files.

The authors of this ransomware rely on exploit kits for proliferation. PDF software and Java vulnerabilities in a computer system are the main factors assisting the infection in terms of spreading. Furthermore, this peculiarity of the virus makes contamination inconspicuous therefore, as a rule, the user only finds out that the bug is inside when the wallpaper gets changed to an image whose screenshot is provided below. The image is stored as AllFilesAreLocked file with .bmp extension under the My Documents directory on the machine.

Warning screen generated by CTB Locker ransomware

What CTB Locker does is it encrypts the victim’s personal files. These are all popular file formats detected by the ransomware as it scans all drives on the system, including removable media if inserted. On the outside, it appears as though the virus converted the spotted data objects to a different format with some clumsy-looking extension, but in fact it’s a more complex story than that. The original versions of the files get erased, and their copies get encrypted with elliptic curve cryptography. The decryption instruments – the key and decryptor tool – are unique to each infected computer, and they are stored on a remote server which can only be accessed via Tor. In other words, the user needs to install Tor Browser Bundle in order to proceed with decryption, which indicates that the bad guys care about their anonymity.

The ransom must be submitted within 96 hours (previous variants provided 72 hours). The amount is 0.2 Bitcoin. Ironically, the malware has a built-in service which enables converting other currencies to BTC. Also, to prove that the scheme works, CTB Locker offers free test decryption of 5 files that it picks at random. Well, it looks like cyber racketeering with elements of indulgence is in vogue these days.

Test decryption offer

CTB Locker itself isn’t particularly hard to get rid of. What’s problematic is retrieving the personal files back – the known decryption methods are generally helpless here as the ransomware uses a very strong cryptographic algorithm, so brute-forcing is not an option. That being said, there are techniques that are worth trying for restoring the most important files without paying the ransom. Before you proceed with the instructions below, be advised that CTB Locker removal from the computer will most likely make it no longer possible to pay the criminals for decryption even if you end up deciding to do so later on. In the meanwhile, security labs around the globe keep working hard to come up with effective countermeasures for ransomware of this sort.

CTB Locker ransomware removal with automatic cleanup tool

Note: removing CTB Locker is not that hard in itself. In fact, the virus may even self-destruct after the files have been encrypted, leaving the victim face-to-face with the upsetting ransom payment options. Anyway, the ransomware should be removed from the computer as it may get you infected with other cyber threats. An optimal cleaning workflow is to leverage a security application which will identify all potentially malicious software on your computer and handle it the right way. This approach ensures thoroughness of the removal and system remediation, and allows avoiding unintended damage that might occur as a result of manual malware deletion.

1. Download and install CTB Locker removal software. Launch it and click the Start New Scan button. Wait for the application to check your computer for threats

For Windows

Download CTB Locker remover

For Windows

2. When the app is done scanning your system, it will come up with an extensive list of detected objects. Click the Fix Threats option to have the utility completely remove this ransomware and affiliated infections found on your PC.

Alternative techniques to recover encrypted files

Given that CTB Locker is an extremely complex and insidious malware, there is no guarantee that the files can be retrieved without submitting the Bitcoin ransom payment. There are some ways, however, that might be of help, even though they rely on a number of variables. Be sure to try the methods below.

1. Data backups
If you have been backing up your information, to the cloud for instance, you’re a lucky person. Just get the data restored using the respective features. It’s too bad not that many people can boast such prudence. All in all, this is the best case scenario.

2. Shadow Volume Copies
Even though CTB Locker tends to erase all Shadow Volume Copies of files on the compromised workstation, it might not cope with this task. If that’s the case, chances are you can recover your information. Note that this approach is applicable only if you had System Restore activated prior to the infection. Also, the files you can restore this way may not necessarily be the latest versions. Make sure you try one of the following methods though:

  • Take advantage of Previous Versions
    If you right-click a random file on your PC and select Properties in the drop-down menu, you will see the Previous Versions tab at the top of the window. Once you hit that tab, the operating system will display a list of file versions corresponding to the restore points that were made. Select the most recent one and click Copy to restore the file to a new location, or pick Restore to recover it to the directory it was originally in.
    Previous Versions
  • Use ShadowExplorer app
    The routine above can be accomplished with a tool designed specifically to restore Shadow Volume Copies for files and folders. To move on, download ShadowExplorer to your computer, install and launch it. Using the features in the top left-hand part of the GUI, select the drive name and the date. Rick-click on the file or folder you would like to be restored and choose Export.

3. File recovery tools
As it has been mentioned in the ransomware profile above, it deletes the original data objects, encrypting their copies instead. Since Windows still stores these eliminated items, which is common knowledge, why not try to recover them using software that was created for this purpose? Some of the applications capable of doing this are Data Recovery Pro. Run the tool and see if it can pull your removed data out.

Double-checking never hurts

Last but not least, a quick reminder: the removal of CTB Locker from a compromised system doesn’t mean the files will get decrypted. To try to recover your data, stick to the methods above. That notwithstanding, since the ransomware proper is dangerous it must be exterminated for good. To make sure CTB Locker has been removed, consider running an additional security scan as a completion of the cleanup procedure.

For Windows

Download and install CTB Locker removal software

For Windows

22 Responses to Decrypt CTB Locker virus: how to remove CTB Locker

  1. amr hassan says:

    Thanks god i restored many pics by r-studio

  2. says:

    need your help pleas

    • admin says:

      Please review the instructions in the tutorial above and follow them step by step.
      Thanks for your comment.

  3. Morten Dvergsnes says:


    I only got one question that I hope to get answered.
    I got rid of this Locker shit, but my back-up i a little old. I wonder if there is a chance to decrypt the files sometimes in the future maby? In case, are we talking about weeks, months or years?

    Thanks for reply!

  4. davide says:

    I have a problem , how to decrypt my files infected with ctb-loker most important for my life


  5. Awadhesh says:

    The CTB-LOCKER Virus has encrypted my complete files and folders kindly help me to decrypt and get back my files and folders back as it is very neccessary to me please.

  6. Dewald Munnik says:

    No one has found a cure for this (wHY)Surely we should rather get a
    decrypter or something soon,Kasperski has developed some forms of it but none are frikkin working,system restore doesn’t,shadow doesn’t,previous doesn’t
    only on some machines so please people develop a decrypter and help the people

  7. admin says:

    Unfortunately there is no tool as of now that decrypts the data encrypted by CTB Locker. Consider trying alternate workarounds described in this article.

  8. kiran says:




    • admin says:


      Formatting the C drive, unfortunately, is not going to make the files accessible. CTB Locker encrypts data stored on all computer drives, which means you should either somehow get a decryption key or try alternate methods to recover the files. Read the post for more details. Thanks for your feedback!

  9. FRAZ says:

    hi say to all please help me i install a stupid virous CTB Locker how to remove it please help me…

    • admin says:


      Consider sticking to the instructions provided in the tutorial. Note that CTB Locker removal alone will not recover your files, so it’s recommended to try the restoration techniques listed.

  10. Michelle says:

    How can I remove the ctb-locker from my computer. Please help! Thank you

    • admin says:


      Be advised removing this virus won’t get your data recovered, so follow all steps listed in the article to remediate the damage from CTB Locker ransomware.

  11. Max Payne says:

    I’ll contribute my little bit. I have just had my first encounter with the Virus. What I found to work to restore most of my files is to delete the extension that the virus puts on the files which will then make it recognizable by windows, then you right click>properties>previous version and selct a copy from a suitable date.
    I advise that you disable or delete the virs excecutable before doing so.

  12. Steph says:

    Thank you!!!!

  13. John says:

    I have no personal files on my computer use it mainly for games should I even be concerned with this

    • admin says:


      You’re probably better off removing the virus if it’s on board. Even if gaming-related files remain intact, CTB Locker will display spooky alerts and slow your system down.

  14. Mike says:

    I cant believe it’s not on the news and being combatted by the biggest software companys in the world who do these people think they are the pictures being comprised on my computer have been collected over my whole life and I would kill these bastards if I knew where they were

  15. Trish says:

    The encryption notice was on my screen on Monday AM. Instructions were exactly as noted in your article. All my family photos and files were taken. We followed the instructions and went to a rough part of town to purchase the bitcoins and pay the ransom. They promised to provide the decryption file that would release my files and it failed to work. These people even have a “help e-mail address” to contact them if it doesn’t work. They promised a 2 hour response time. We’ve never heard from anyone! Our IT guy said while they are thieves, they typically honor the release when the ransom is paid. But, a thief is a thief! There is no honor and they are no better than the lowest creature on earth! Anyone who would take pleasure in stealing family pictures from the elderly is worthless. Wish I would not have paid the ransom and told them where to go! If everyone would say this, they would fold their operation! It is the fear and threat of a time frame that makes us react without thinking it all through and realizing that the actions are just like a kidnapping. Seldom is a kidnap victim released.

Leave a Reply

Your email address will not be published. Required fields are marked *