Severity scale: 99/100

Remove CTB Locker virus (Removal Instructions) - updated Jul 2019

Removal by Jake Doevan | Also known as Curve-Tor-Bitcoin Locker, CTB-Locker | Type: Ransomware

CTB Locker virus – ransomware that has mostly been targeting the USA, Germany, Italy, and the Netherlands


CTB Locker virus (also known as CTB-Locker ransomware) is a crypto-type [1] malware which started attacking PC users in the middle of July 2014. According to research, this malware strain has been found targeting users in the USA, Germany, Italy, and the Netherlands. It is almost identical to Cryptowall virus, Cryptolocker, Cryptorbit, Critroni, etc., so if you have ever heard about any of these parasites, you will know what this ransomware is used for. Basically, it is designed to encrypt specific data files and then make people pay for their decryption. In most cases, people who want to recover access to their photos, videos, and other files are asked to pay $300. In addition, CTB-Locker ransomware loads AllFilesAreLocked.bmp, DecryptAllFiles.txt, [seven random letters].html or similar messages/files to report the data encryption.

Name: CTB Locker virus
Type: Ransomware
Danger level: Very high. Can cause important data losses
Targets: People who reside in Germany, USA, Italy, and the Netherlands
The start: This infection first took place in 2014
Similar malware: Cryptowall virus, Cryptolocker, Cryptorbit, Critroni
Ransom notes: AllFilesAreLocked.bmp, DecryptAllFiles.txt, [seven random letters].html
Malware detection: Use Reimage to scan the entire system and detect malicious objects
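
An added example, not part of the original article: a Python triage script that walks a directory tree looking for the ransom-note names listed above. The seven-letter .html pattern also fits ordinary names, so this example (an assumption of the script, as are its function names) reports such files only when a named note sits in the same folder.

```python
import os
import re
import sys

# Ransom-note names listed in the article (matched case-insensitively).
NAMED_NOTES = {"allfilesarelocked.bmp", "decryptallfiles.txt"}
# "[seven random letters].html": weak on its own, since names such as
# welcome.html or default.html fit the same pattern.
SEVEN_LETTER_HTML = re.compile(r"^[A-Za-z]{7}\.html$")


def scan_for_ctb_notes(root):
    """Return {directory: {"named": [...], "html": [...]}} for every directory
    under root that holds at least one named ransom note."""
    hits = {}
    # os.walk does not follow symlinked directories by default; unreadable
    # directories are skipped instead of aborting the scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        named = sorted(f for f in files if f.lower() in NAMED_NOTES)
        if not named:
            continue
        html = sorted(f for f in files if SEVEN_LETTER_HTML.match(f))
        hits[dirpath] = {"named": named, "html": html}
    return hits


def earliest_note_mtime(hits):
    """Oldest modification time (epoch seconds) among the named notes, or None.
    It approximates when encryption started, which helps when picking a
    restore point or backup made before the infection."""
    times = []
    for dirpath, found in hits.items():
        for name in found["named"]:
            try:
                times.append(os.path.getmtime(os.path.join(dirpath, name)))
            except OSError:
                pass  # file vanished or is unreadable
    return min(times) if times else None


if __name__ == "__main__":
    results = scan_for_ctb_notes(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, found in sorted(results.items()):
        print(directory, found["named"], found["html"])
    print("earliest note mtime:", earliest_note_mtime(results))
```

Run it against a user profile or a data drive; an empty result means none of the named notes were found there, not that the machine is clean.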

CTB Locker virus, of course, demands a ransom that should be paid in Bitcoins [2]. If you think that your PC has already been infected by this ransomware virus, the first thing that you should notice is that you cannot reach your files anymore. Also, you may start seeing a warning message explaining the whole thing to you and asking you to pay a fine.

In this case, you should immediately scan your computer with a reputable anti-spyware program because the sooner you do that, the more files you could save. Unfortunately, this CTB Locker virus can hardly be noticed before it starts showing its notification that reports the encrypted data and asks you to pay a ransom.

That's why you should always have an updated anti-spyware installed on your computer that could easily help you to prevent infections like this one. For that, we highly recommend using Reimage. Also, this is a very beneficial program to search for malware traces when opting for automatic CTB Locker virus removal.


You need to remove CTB Locker virus immediately after you spot files that are encrypted and do not load properly. This type of threat has been getting more and more advanced each year and targeting a bigger audience. Continue reading this article to find all updates on this ransom-demanding threat.

Additionally, note that when infected with CTB Locker ransomware, you can lose files with the following extensions:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx, etc

The start of 2015: CTB-Locker starts urging for a ransom of 3 BTC 

CTB-Locker was renewed at the beginning of 2015. After this, the virus started asking victims to pay 3 BTC or about $2774 for an opportunity to recover the connection to their files. Also, it includes a “free decryption” service, an extended deadline (96 hours) to pay the fine and an option that allows changing the language of the ransom message.

At the moment of writing, victims can switch from English to Dutch, German and Italian [3]. An interesting thing is that this new version of CTB Locker allows people to select 5 different files for free decryption. This option is called “Test Decryption” and is presumably given to convince users that this service is not invented.

Nevertheless, you should NEVER pay this ransom and support scammers. Just scan your computer with a reliable anti-spyware and remove CTB Locker virus. Then, you should download one of the programs given below to recover the connection to your files.


2016 update: CTB-Locker ransomware starts attacking websites 

It seems that 2016 can be called the year of CTB Locker. According to the latest news, hackers have started using this virus to attack websites. Beware that “CTB Locker for websites” can easily replace the original index page of the affected website. Also, it can encrypt all scripts, documents, photos, databases, and other important files, and start displaying its warning on the main page of the affected website.

According to the latest reports, CTB-Locker virus can hold the site until its owner pays a ransom. To unlock it and decrypt encrypted files, a victim of this ransomware has to pay a ransom of $150 or £100. Also, CTB Locker lets its victim see how the decryption process works and provides 2 decryption keys to unlock two random files.

The latest victim is the British Association for Counseling & Psychotherapy website [4]. People can't reach this domain, which now shows a detailed guide explaining how the owner of this site has to pay the fine and get encrypted files back. Of course, money is what scammers are expecting to get. To avoid the need to pay a ransom to hackers, you should create A BACKUP of your OS and the most important data.

RAUM method helps to spread CTB Locker virus

According to the latest news, CTB-Locker has started spreading with the help of a new system called RAUM. This newly-presented strategy is used to infect the most popular torrent files with ransomware, the infamous Dridex, Pony and similar malware, which is launched right after the malicious torrent file is installed on the system.

If infected with CTB Locker, you will discover that your files with these extensions are encrypted: .ai, .cdr, .doc, .docx, .eps, .jpg, .xls, .ppt, .psd, .pdf, etc. RAUM [5] is believed to work as a pay-per-install system that tracks torrent users first to find out which torrent files are the most popular ones among them.

Next, it infects these files with malware and uses hacked accounts to upload the malicious content on the system. Security researchers have already discovered that hackers have been using Pirate Bay and Extra Torrent sites. Make sure you stay away from these domains to protect yourself and your files.


The year of 2017: Crooks released a fake version of CTB-Locker named CTB-Faker

CTB-Locker has become a target of amateur hackers who have made a version of CTB-Faker — a program which looks like CTB-Locker but is not the actual infection [6].

A ransom note that this fake ransomware drops on the infected computers looks identical to the original virus version and notifies the victim that his/her computer has been infected with CTB-Locker and they have to pay 50 USD to recover their files.

However, for the data encryption CTB-Faker utilizes WinRAR functionalities, which is an easier and simpler way to achieve file encryption. The targeted files are simply compressed and stored in an archive protected with a password that hackers have selected.

Luckily, experts have already managed to dig up a vulnerability in this virus and disclosed this password — the virus-generated archives can be unlocked using the p4w1q3x5y8z code. 

However, not all imposters can be decontaminated that easily. 2017 can bring programs that are equally dangerous to their malicious counterparts and may corrupt the system just as badly. So, we can only advise you to be careful out there!

Ransomware infections reach their target via email spam

According to experts from Virusai,[7] ransom-demanding threats are often injected into executables or Word documents that come attached to email messages. Email spam travels throughout the Internet sphere and reaches users frequently. The best way to protect yourself from malicious letters is NOT to open any questionable email received.

Additionally, if you are curious about opening an attachment, you should use an antivirus tool and scan the file/document before launching it. If something malicious is hiding there, you will be warned by your anti-malware and be able to delete the malware-laden content on time before anything bad occurs.

Nevertheless, you should always keep a distance from piracy networks, gambling, online-dating, movie-streaming, game-playing, and adult-themed websites. Note that malicious payload can come injected into hyperlinks, and suspicious-looking banner ads, pop-ups, pop-unders, and coupons.

CTB Locker removal guidelines on Windows system

If you are desperate and need a guide that could help you to remove CTB Locker virus from your computer, you are in the right place. If it has already hijacked your system, you should disconnect your computer from the Internet ASAP. Unfortunately, we cannot give you a CTB Locker decrypter yet because it is still in the development stage. However, you should follow the step-by-step guide given below and finish the elimination of this ransomware.

Moreover, do not try to carry out CTB Locker virus removal process on your own as even more damage might be caused! You might miss some malicious components and the infection might start running malicious processes right after the next computer boot. Note that anti-malware tools are more trustworthy at these tasks as they can complete multiple actions very fast: scan the system, detect malicious software, remove the threats.


To remove CTB Locker virus, follow these steps:

Remove CTB Locker using Safe Mode with Networking

In case CTB Locker blocks your antivirus and you cannot run the system scan to remove it, please follow the instructions we provide below.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove CTB Locker

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete CTB Locker removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove CTB Locker using System Restore

Another method that can be used to disable the virus and run the antivirus is presented here:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that predates the infiltration of CTB Locker. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that CTB Locker removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove CTB Locker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by CTB Locker, you can use several methods to restore them:

Our recommendations on Data Recovery Pro application

To learn how to use Data Recovery Pro and recover your files automatically, check out the guide indicated below:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by CTB Locker ransomware;
  • Restore them.

Useful tips on how to use the Windows Previous Versions feature

Windows Previous Versions feature operation instructions are presented below. However, before you try to recover your files using this technique, make sure that you have enabled System Restore function sometime before the ransomware attack. Otherwise, this data recovery method will not work.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Shadow Explorer usage instructions:

ShadowExplorer can only be used in cases where ransomware does not delete Volume Shadow Copies of the files. In case you are infected with a CTB Locker version which keeps these files intact, you may try these instructions:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
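
An added example, not part of the original article: before relying on ShadowExplorer or a restore point, check which Volume Shadow Copies still exist and predate the infection. The parser assumes the English (en-US) text layout and date format of `vssadmin list shadows`; the sample output is constructed, and the function names and the `first_seen` parameter are hypothetical.

```python
import re
import subprocess
from datetime import datetime

SET_RE = re.compile(r"shadow copies at creation time:\s*(.+?)\s*$")
VOL_RE = re.compile(r"Original Volume:\s*\((\w:)\)")
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumption: en-US date format

# Constructed sample of `vssadmin list shadows` output (not real data).
SAMPLE_OUTPUT = r"""
Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 7/1/2019 9:00:12 AM
      Shadow Copy ID: {22222222-2222-2222-2222-222222222222}
         Original Volume: (C:)\\?\Volume{33333333-3333-3333-3333-333333333333}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Contents of shadow copy set ID: {44444444-4444-4444-4444-444444444444}
   Contained 1 shadow copies at creation time: 7/10/2019 3:30:00 PM
      Shadow Copy ID: {55555555-5555-5555-5555-555555555555}
         Original Volume: (C:)\\?\Volume{33333333-3333-3333-3333-333333333333}\

Contents of shadow copy set ID: {66666666-6666-6666-6666-666666666666}
   Contained 1 shadow copies at creation time: 7/1/2019 9:05:00 AM
      Shadow Copy ID: {77777777-7777-7777-7777-777777777777}
         Original Volume: (D:)\\?\Volume{88888888-8888-8888-8888-888888888888}\
"""


def parse_shadow_copies(text):
    """Return [(drive, created)] for each shadow copy in vssadmin output."""
    copies, created = [], None
    for line in text.splitlines():
        m = SET_RE.search(line)
        if m:
            try:
                created = datetime.strptime(m.group(1), TIME_FORMAT)
            except ValueError:
                created = None  # unexpected locale: skip this set
            continue
        m = VOL_RE.search(line)
        if m and created is not None:
            copies.append((m.group(1).upper(), created))
    return copies


def usable_copies(text, drive, first_seen):
    """Creation times of copies of `drive` made before `first_seen`, the time
    the first ransom note appeared (supplied by the investigator)."""
    drive = drive.upper()
    return sorted(c for d, c in parse_shadow_copies(text)
                  if d == drive and c < first_seen)


def list_shadows():
    """Run vssadmin on Windows; needs an elevated (administrator) prompt."""
    done = subprocess.run(["vssadmin", "list", "shadows"],
                          capture_output=True, text=True, check=False)
    return done.stdout


if __name__ == "__main__":
    print(usable_copies(SAMPLE_OUTPUT, "C:", datetime(2019, 7, 5, 12, 0)))
```

An empty list means no copy of that drive predates the given time, in which case ShadowExplorer and Previous Versions have nothing clean to restore from.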

Currently, cybersecurity experts have been working on the CTB-Locker ransomware decryption tool.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from CTB Locker and other ransomware, use a reputable anti-spyware, such as Reimage, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Jake Doevan - Computer technology expert



  1. Fleur says:
    November 30th, 2014 at 6:42 pm

    Contrary to what's mentioned above: The CTB Locker will also encrypt Dropbox files. If you have synced your computer with Dropbox, your files will appear encrypted on the Dropbox server soon enough. Hence, it is not enough to have Dropbox as your only backup. We had this problem and have not found a solution to restore our (Dropbox) files yet.

  2. Mrc says:
    April 5th, 2016 at 11:01 am

    I don't know if it is the same for Dropbox, but in OneDrive, there is a version history, in which you can restore your files to previous versions – which are stored online for quite some time.

  3. Selvi G says:
    January 30th, 2015 at 3:51 pm

    My personal files are encrypted with the CTB locker, can anyone help?
    Contact number: +91-8105586478

  4. jEM says:
    February 3rd, 2015 at 5:50 pm

    Can my files get recovered then?

  5. Farhad says:
    February 28th, 2015 at 7:34 am

    Dear sir, my PC was infected with CTB-Locker and my files became encrypted. Then I formatted my C drive and I thought the virus may clean. But unfortunately, after reinstallation of Windows, my files in my D drive were still encrypted. Now the solution you posted in this page is not applicable in my newly installed Windows OS. What will be the solution for my case?

    A beneficial advice may be highly appreciated.
    Best regards

  6. Shankar says:
    April 17th, 2015 at 8:18 am

    My personal files are encrypted with the CTB locker, can anyone help?
    Contact number: +91-8391821124

  7. vikas says:
    April 18th, 2015 at 8:51 am

    Dear sir, my PC was infected with CTB-Locker and my files became encrypted. Then I formatted my HDD drive and I thought the virus may clean. But unfortunately, after reinstallation of Windows, my files in my D drive were still encrypted. Now the solution you posted in this page is not applicable in my newly installed Windows OS. What will be the solution for my case? And my all data loss, solution data recovery, help me.

    A beneficial advice may be highly appreciated.
    Best regards

  8. FRAJ says:
    April 29th, 2015 at 3:36 pm

    Please help me how to save my encrypted file, please help me 8801840317337

  9. Mel says:
    June 15th, 2015 at 12:44 am

    One of my friends connected his iPhone to my laptop to play songs thru iTunes. I suspect he had infected files on his phone that got moved to my laptop – which now has CTB Locker.

    Malwarebytes “discovered” a lot of files, but did not eradicate CTB Locker.

  10. johndoe says:
    July 9th, 2015 at 7:37 pm

    First of all, people, the virus can be removed from your computer and your files can be recovered; they are hidden under a folder not visible to you at the time. Although he is informative on the history of viruses. Think about it. If you were trying to actually help with this issue, name the program that you're using. Give credit to the developers of the software by naming them, since it's really them who did it, not you. You're just telling people you found a program that works and passing off as an IT specialist.

  11. Jeffrey says:
    November 2nd, 2015 at 3:09 am

    CTB encrypts everything it can find. It would be good to correct that in the instructions above. We were able to reverse the virus by rolling back (Rollback Rx) – similar to Windows system restore.

  12. Scott says:
    December 24th, 2015 at 2:10 am

    I am a professional photographer. A few weeks ago my computer was attacked by CTB-LOCKER, the one with the black screen and code KEY. Proven Data Recovery has been able to identify the VARIANT of the virus I have. It is – RSA-2048 CTB-Locker encryption virus.
    They want 2,600 for the decryption of 300 image files that this virus has encrypted on a SD CARD. The computer still reads close to 900mb of data on the card and I have been told by multiple sources that there is a chance my images are still there, but I have had no luck and it's going to take me quite some time to come up with this money, so in the meantime I am exploring other options and learning more about computers and code than I would otherwise have ever cared to.
    It angers me to no end that people can actually even do this. That they can hurt total strangers in this way. Hurt their jobs. Affect their lives just for the sake of doing so and then dangle our data in front of us so we freak out and jump. I refuse to pay this RANSOM and it is frustrating to no end that the supposed GOOD GUYS want WAY THE HELL MORE!! It's very backwards to me and does not seem right. It is almost impossible to get a simple straight answer from people in this area and there is a lot of double talk, and I have had a couple people remote access my computer and I see them try things even I have tried.
    The files that are blocked were never on my hard drive. I didn't even have time to make a hard copy. One moment they were fine and the next they were encrypted. I have done 2 system restores and a factory restore and the computer has updated protection, but the files remain locked on my card.
    Is there any effective decryption for CTB-LOCKER – RSA-2048 CTB-Locker encryption virus?
    What are the odds? Is it even worth saving all this money for these people? He did ID the variant. Even that came as a shock. It's all I have to go on. Maybe, if you think you have a solution for me, of course I would be willing to work out a pay arrangement, but I would need to see at least SOME proof. Maybe do one or two that I can see. There are 300 on the card and I am really quite desperate for this material, or to be told convincingly and enough times that all hope is lost. I am not at that point yet.
    Thanks for your time
    Sincerely

    Scott Str8onthe8@yahoo.com

  13. maahnaz says:
    January 18th, 2016 at 3:54 pm

    Hi, I'm from Iran. My personal pictures are encrypted with the CTB locker. I use the method 1 for Windows 7 and I install SpyHunter 4 and scan my computer. It found 78 threats and need to “fix threats”, and that need to be registry with credit card. Unfortunately I don't have a credit card. What can I do? Please help me.

  14. Severine says:
    February 19th, 2016 at 2:47 pm

    SpyHunter removed this virus, thanks GOD! However, my files are left encrypted, however, I am not going to pay the CTB Locker ransom. There's no way I am supporting these cyber criminals. Screw them!

  15. descarcons says:
    February 19th, 2016 at 2:48 pm

    Does anybody know how to decrypt the files??! Please help! I have removed the virus but I need to get my files back!
