CBT-Locker Ransomware

Posted on 2015-02-04
Last Modified: 2015-02-19
one of my clients received this extortion malware and want to know what the best possible solution is to retrieve the documents that it encrypted?

It appears the installed Antivirus (Trend Micro WFBS Advanced v9.0 SP1) deleted the locker program, however, I have not been able to locate a solution to decrypt the files on this PC.

TAGS: Ransomware, CBT-Locker, cryptolocker, cryptoransomware

Any suggestions or solutions?
Question by:ECSI06
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2

Accepted Solution

Trenton Knew earned 350 total points
ID: 40588944
If the user has "Previous Versions" (ms shadow copy service) enabled, that is the easiest way...

right-click an affected folder,  click properties, then Previous Versions.

If you're lucky, you can restore an older version, otherwise, with no backup, you're in REALLY bad shape.

There are some tools on the internet for decrypting crypolocker files, (such as for example) but they don't work with every algorithm of this threat.  so results are shaky at best

Author Comment

ID: 40589043
I actually have an offsite backup for all of the document files (Word, Excel, Photos, Etc.) on this pc from last week, however, will those files be infected too? Should I just remove this infected hard drive and install a new hard + O/S and attempt to the restore the data files?

If I attempt to restore this system from an ms shadow copy or use the cryptolocker and it fails... I'm not sure how much the ransom demand is yet vs. time left so is it worth considering the ransom (if its a small amount) as opposed to rebuilding the entire system? Or, will the ransom demands just perpetuate and increase based on blocks of data?


Assisted Solution

by:Trenton Knew
Trenton Knew earned 350 total points
ID: 40589807
your offsite backup should be safe so long as they haven't let this problem roll along for an entire week or longer.  even so, you should hopefully have an incremental backup to restore older versions there too.  

See if you can download one of the affected files from the backup to a different computer or flash drive and open it.  If this works, then step one becomes eliminate the virus FIRST.  Malwarebytes would be good for that.  If the backup is NO good On the other hand, removing the virus first might mean your files are gone forever, since the ½ of the encryption key pair is not stored on the remote attacker's server.  

If you decide to succumb to the threat and pay the money, it is imperative that the virus not get removed before your files are decrypted.  If you find yourself in the unfortunate position to have to choose this route, I HIGHLY recommend going to get some kind of prepaid "throw away" gift card.  so that the extortionist cannot use it again.

I hope you don't have to go that route though.
LVL 27

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 150 total points
ID: 40589861
As you have already heard, there is no reasonable way to decrypt the files other than restore from backup or pay the ransom (even then you don't know for sure if you will receive the decryption key).  Your best protection against this is versioning backup offsite (Crashplan, Spideroak, Comodo, etc - NOT dropbox because dropbox is not a backup and they will take more than a few days to process a request for file recovery - they do do versioning though).

Author Closing Comment

ID: 40619620
Thanks for the recommendations as I was able to retrieve some of the items (located within the Users/Documents Folder) from "Previous Versions" on the PC after removing the malware. The "Previous Versions" option did not work with any of the items listed within the Program Files folder(?) Because of the time involved and nature of this "ransom demand", I just decided to install a new hard drive in the pc and reinstall the operating system from scratch,  then, copy the items that I was able to retrieve from the "Previous Versions" options and the offsite data backup location to get 99.99% of the users data restored. In addition, I modified the end user rights from Administrator to a Domain User on this PC!

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Display which user(s) is logged in to Access DB over the network 3 47
Windows Security Pop-Up 7 73
CDC and AOG on MS SQL 2012 13 40
Hard Disk Encryption - Recommendation 8 42
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question