
Remove CTB Locker virus (Removal Instructions) - updated Jul 2019

Removal guide by Jake Doevan | Also known as Curve-Tor-Bitcoin Locker, CTB-Locker | Type: Ransomware

CTB Locker virus – ransomware that has mostly been targeting the USA, Germany, Italy, and the Netherlands

CTB Locker - ransomware that can result in the loss of various documents and files


CTB Locker virus (also known as CTB-Locker ransomware) is a crypto-type [1] malware that started attacking PC users in the middle of July 2014. According to research, this malware strain has been found targeting users in the USA, Germany, Italy, and the Netherlands. It is almost identical to Cryptowall virus, Cryptolocker, Cryptorbit, Critroni, etc., so if you have ever heard about any of these parasites, you will know what this ransomware is used for. Basically, it is designed to encrypt specific data files and then make people pay for their decryption. In most cases, people who want to recover access to their photos, videos, and other files are asked to pay $300. Besides, CTB-Locker ransomware drops AllFilesAreLocked.bmp, DecryptAllFiles.txt, [seven random letters].html or similar messages/files to report the data encryption.

Name: CTB Locker virus
Type: Ransomware
Danger level: Very high. Can cause important data losses
Targets: People who reside in Germany, USA, Italy, and the Netherlands
The start: This infection first took place in 2014
Similar malware: Cryptowall virus, Cryptolocker, Cryptorbit, Critroni
Ransom notes: AllFilesAreLocked.bmp, DecryptAllFiles.txt, [seven random letters].html
Malware detection: Use Reimage Reimage Cleaner Intego to scan the entire system and detect malicious objects

CTB Locker virus, of course, demands a ransom that should be paid in Bitcoins [2]. If you think that your PC has already been infected by this ransomware virus, the first thing you should notice is that you cannot open your files anymore. Also, you may start seeing a warning message that explains what has happened and asks you to pay a fine.

In this case, you should immediately scan your computer with a reputable anti-spyware program because the sooner you do that, the more files you could save. Unfortunately, this CTB Locker virus can hardly be noticed before it starts showing its notification, which reports the encrypted data and asks for a ransom.

That's why you should always have an updated anti-spyware program installed on your computer that can help you prevent infections like this one. For that, we highly recommend using Reimage Reimage Cleaner Intego. This program is also useful for finding malware traces when opting for automatic CTB Locker virus removal.

CTB Locker virus - ransomware that targets people from the USA, the Netherlands, Germany, and Italy

You need to remove CTB Locker virus immediately after you spot files that are encrypted and do not load properly. This type of threat has been getting more advanced each year and targeting a bigger audience. Continue reading this article to find all updates on this ransom-demanding threat.

Additionally, note that when infected with CTB Locker ransomware, you can lose files with the following extensions:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx, etc
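A read-only triage sketch for the indicators named above, added here as an example (it is not part of the original guide or of any vendor tool): it walks a folder tree, flags directories that contain the fixed-name ransom notes, and counts the files with targeted extensions stored next to them. The function names, the sample tree and the shortened extension set are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Fixed ransom-note names listed in this guide (matched case-insensitively).
STRONG_NOTES = {"allfilesarelocked.bmp", "decryptallfiles.txt"}
# "[seven random letters].html" is a weak indicator on its own: ordinary
# names such as welcome.html or default.html fit the same pattern.
WEAK_NOTE = re.compile(r"[a-z]{7}\.html", re.IGNORECASE)
# A subset of the targeted extensions listed above; extend as needed.
TARGETED = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "psd",
            "mdb", "odt", "rtf", "pem", "pfx"}


def triage(root):
    """Map each directory under root that holds a fixed-name ransom note to
    the notes found there and the number of files with targeted extensions."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        strong = sorted(f for f in files if f.lower() in STRONG_NOTES)
        if not strong:
            continue  # a seven-letter .html file alone is not evidence
        findings[dirpath] = {
            "strong": strong,
            "weak": sorted(f for f in files if WEAK_NOTE.fullmatch(f)),
            "at_risk": sum(Path(f).suffix.lower().lstrip(".") in TARGETED
                           for f in files),
        }
    return findings


def make_sample(root):
    """Create a small constructed directory tree (empty files) for the demo."""
    layout = {
        "Documents": ["DecryptAllFiles.txt", "qkzpwma.html",
                      "report.docx", "budget.xlsx", "notes.md"],
        "Pictures": ["AllFilesAreLocked.bmp", "holiday.JPG"],
        "Site": ["welcome.html", "logo.jpg"],  # benign look-alike only
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            Path(root, folder, name).touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for directory, info in sorted(triage(tmp).items()):
            print(directory, info)
```

The script only reads file names, so it can be run from Safe Mode or against a mounted copy of the disk before any cleanup changes the evidence.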

The start of 2015: CTB-Locker starts urging for a ransom of 3 BTC 

CTB-Locker was renewed at the beginning of 2015. After this, the virus started asking for 3 BTC or about $2774 for giving people an opportunity to regain access to their files. It also includes a “free decryption” service, an extended deadline (96 hours) to pay the fine and an option that allows changing the language of the ransom message.

At the moment of writing, victims can switch from English to Dutch, German and Italian [3]. An interesting thing is that this new version of CTB Locker allows people to select 5 different files for free decryption. This option is called “Test Decryption” and is presumably given to convince users that this service is not invented.

Nevertheless, you should NEVER pay this ransom and support scammers. Just scan your computer with a reliable anti-spyware and remove CTB Locker virus. Then, you should download one of these programs that are given down below to recover the connection to your files.

CTB Locker is a ransomware infection that comes delivered through email spam

2016 update: CTB-Locker ransomware starts attacking websites 

It seems that 2016 can be called the year of CTB Locker. According to the latest news, hackers have started using this virus to attack websites. Beware that “CTB Locker for websites” can easily replace the original index page of the affected website. It can also encrypt all scripts, documents, photos, databases, and other important files, and start displaying its warning on the main page of the affected website.

According to the latest reports, CTB-Locker virus can hold the site hostage until its owner pays a ransom. To unlock it and decrypt the encrypted files, a victim of this ransomware has to pay a ransom of $150 or £100. Also, CTB Locker lets its victim see how the decryption process works and provides 2 decryption keys to unlock two random files.

The latest victim is the British Association for Counseling & Psychotherapy website [4]. People can't reach this domain, which now shows a detailed guide explaining how the owner of this site has to pay the fine to get the encrypted files back. Of course, money is what scammers are expecting to get. To avoid the need to pay a ransom to hackers, you should create A BACKUP of your OS and your most important data.

RAUM method helps to spread CTB Locker virus

According to the latest news, CTB-Locker has started spreading with the help of a new system called RAUM. This newly-presented strategy is used to infect the most popular torrent files with ransomware, an infamous Dridex, Pony and similar malware that is launched right after the malicious torrent file is installed on the system.

If infected with CTB Locker, you will discover that your files with these extensions are encrypted: .ai, .cdr, .doc, .docx, .eps, .jpg, .xls, .ppt, .psd, .pdf, etc. RAUM [5] is believed to work as a pay-per-install system that tracks torrent users first to find out which torrent files are the most popular ones among them.

Next, it infects these files with malware and uses hacked accounts to upload the malicious content on the system. Security researchers have already discovered that hackers have been using Pirate Bay and Extra Torrent sites. Make sure you stay away from these domains to protect yourself and your files.


The year of 2017: Crooks released a fake version of CTB-Locker named CTB-Faker

CTB-Locker has become a target of amateur hackers who have made a version called CTB-Faker — a program which looks like CTB-Locker but is not the actual infection [6].

A ransom note that this fake ransomware drops on the infected computers looks identical to the original virus version and notifies the victim that his/her computer has been infected with CTB-Locker and they have to pay 50 USD to recover their files.

However, for the data encryption CTB-Faker utilizes WinRAR functionalities, which is an easier and simpler way to achieve file encryption. The targeted files are simply compressed and stored in an archive protected with a password that hackers have selected.

Luckily, experts have already managed to dig up a vulnerability in this virus and disclosed this password — the virus-generated archives can be unlocked using the p4w1q3x5y8z code. 

However, not all imposters can be decontaminated that easily. 2017 can bring programs that are equally dangerous to their malicious counterparts and may corrupt the system just as badly. So, we can only advise you to be careful out there!

Ransomware infections reach their target via email spam

According to experts from Virusai,[7] ransom-demanding threats are often injected into executables or Word documents that come attached to email messages. Email spam travels throughout the Internet sphere and reaches users frequently. The best way to protect yourself from malicious letters is NOT to open any questionable email received.

Additionally, if you are curious about opening an attachment, you should use an antivirus tool and scan the file/document before launching it. If something malicious is hiding there, you will be warned by your anti-malware and be able to delete the malware-laden content on time before anything bad occurs.

Nevertheless, you should always keep a distance from piracy networks, gambling, online-dating, movie-streaming, game-playing, and adult-themed websites. Note that malicious payload can come injected into hyperlinks, and suspicious-looking banner ads, pop-ups, pop-unders, and coupons.

CTB Locker removal guidelines on Windows system

If you are desperate and need a guide that could help you remove CTB Locker virus from your computer, you are in the right place. If it has already hijacked your system, you should disconnect your computer from the Internet ASAP. Unfortunately, we cannot give you a CTB Locker decrypter yet because it is still in the development stage. However, you should follow the step-by-step guide given below and finish the elimination of this ransomware.

Moreover, do not try to carry out CTB Locker virus removal process on your own as even more damage might be caused! You might miss some malicious components and the infection might start running malicious processes right after the next computer boot. Note that anti-malware tools are more trustworthy at these tasks as they can complete multiple actions very fast: scan the system, detect malicious software, remove the threats.


To remove CTB Locker virus, follow these steps:

Remove CTB Locker using Safe Mode with Networking

In case CTB Locker blocks your antivirus and you cannot run the system scan to remove it, please follow the instructions we provide below.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove CTB Locker

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete CTB Locker removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove CTB Locker using System Restore

Another method which can be used to decontaminate the virus and run the antivirus is presented here:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of CTB Locker. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that CTB Locker removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove CTB Locker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by CTB Locker, you can use several methods to restore them:

Our recommendations on Data Recovery Pro application

To learn how to use Data Recovery Pro and recover your files automatically, check out the guide indicated below:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by CTB Locker ransomware;
  • Restore them.

Useful tips on how to use the Windows Previous Versions feature

Windows Previous Versions feature operation instructions are presented below. However, before you try to recover your files using this technique, make sure that you have enabled System Restore function sometime before the ransomware attack. Otherwise, this data recovery method will not work.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Shadow Explorer usage instructions:

ShadowExplorer can only be used in cases where ransomware does not delete Volume Shadow Copies of the files. In case you are infected with CTB Locker version which keeps these files intact, you may try these instructions:

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Currently, cybersecurity experts have been working on the CTB-Locker ransomware decryption tool.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from CTB Locker and other ransomware, use a reputable anti-spyware program, such as Reimage Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.


Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Jake Doevan - Computer technology expert
