files are encrypted by CTB-Locker

how to decrypt
techp asked:
rindi commented:
If you have already received the ransom note, it is too late. You will have to restore your files from your backups (after you have cleaned off the infection).

If the ransom note hasn't yet appeared, first make sure the virus is removed. After that you can search for a temporary directory on your disk where the original files have been copied to, or you can right click the file and check for previous versions (as mentioned above).

Whatever you do, it is very important NOT to pay the ransom. Another thing that I would recommend you do, is before changing anything on the PC, inform the local law enforcement authorities. They might want to look at the PC so that they can eventually trace the crooks.
0
 
jaustinMDC commented:
In my experience there is in fact no way to fix this issue. With some of the older versions of CTB-Locker you could go to each file and use Previous Versions, but you cannot do this anymore.
0
 
Thomas Zucker-Scharff (Systems Analyst) commented:
You really need to restore from backup. Without a shadow copy or version backup you are pretty much out of luck, unless you want to pay the ransom. If you go that route, don't delete any files as all are needed to decrypt and be sure they will give you the decryption key and that it will work (they will probably decrypt a single file for a small fee).
0
 
Dr. Klahn (Principal Software Engineer) commented:
The above comments are correct. The encryption keys are now generated randomly and it is ... not impossible, but impractical in terms of human lifetimes, to break the key.

If you pay the ransom, you may or may not get the system unlocked. Survey results indicate about 2/3 of ransom payments result in a key being delivered within six months.

Even if you do get the system unlocked, you will never be able to trust that system again.

So you might as well either restore from the most recent full backup, or reload from scratch.
0
 
Thomas Zucker-Scharff (Systems Analyst) commented:
I wholeheartedly agree with above.
0
 
☠ MASQ ☠ commented:
And really this is a duplicate of your question here:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_28623440.html#a40636840

Where you've already been told all of this - I know this isn't what you want to hear but you are not going to get these files back unless you have back-ups. You have only two ways to decrypt:

- pay the ransom to the criminals - in Bitcoin and at thousands of $$

- Try brute force decryption - but with a random AES-256 key you could spend the rest of your life (and the lives of your descendants) before statistically you would find the key.

There is no magic solution :(
0
 
btan (Exec Consultant) commented:
No way out, as mentioned already, and this applies to anyone infected by the ransomware. Disconnect the machine and do not plug in any external storage or shares that were used on the machine before, unless they have been cleaned up and checked by AV at a minimum.
0
 
techp (Author) commented:
What about data recovery from a day before the problem?
0
 
rindi commented:
From your backup of the day before, sure. But if what you mean is a System restore from Windows built-in System Protection using a restore point, or by using previous versions of files using shadow copies, that doesn't work anymore after you have received the ransom note, as restore points and shadow copies get deleted by the ransomware before the note is shown.
0
 
techp (Author) commented:
Not backup ... no backup.

What about data recovery using recovery software?
0
 
Thomas Zucker-Scharff (Systems Analyst) commented:
If you are trying to recover the current files that have been encrypted, not that I know of. Recovery software can't handle this encryption.
0
 
rindi commented:
As far as I know it does a secure erase, so data recovery would be futile. But you can always scan the disk using GetDataBack...
0
 
techp (Author) commented:
Is it possible to recover files from before the incident stage?
0
 
rindi commented:
Before the encryption is completed, yes, but after that, no.
0
 
techp (Author) commented:
So what is the solution? Any decryption method or recovery method?
0
 
rindi commented:
But I don't see the point of trying and wasting time, resources and money. Files of which there are no backups can't be important.
0
 
techp (Author) commented:
Important, but the customer didn't take a backup.
0
 
rindi commented:
No, as we have tried to tell you multiple times, there is no solution, except to cut your losses and start fresh.

Take your backups more seriously in the future.
0
 
techp (Author) commented:
There should be some decryption method used by a decryption company, which needs to be found out.
0
 
☠ MASQ ☠ commented:
But there isn't!

The nature of data encryption is that it is secure, otherwise why would anyone use it legitimately?

When used for malicious reasons it is still secure.

What is it about our responses that has failed to convince you that this can't be fixed?
0
 
Thomas Zucker-Scharff (Systems Analyst) commented:
Once you have received the popup, your files have been encrypted with very strong encryption (it would take many, many years of brute force decryption with a powerful computer before you made a dent in it). If there is no backup, then the user either needs to take the loss or pay the ransom.
0
 
btan (Exec Consultant) commented:
There isn't any, and if there is one, please do not fall for it, as it may be a false impression. The probable means to break asymmetric keys (knowing the private key; and since it seems to encrypt using elliptic curve cryptography, it is even tougher) is just not an easy fare, nor worth the effort. If the crypto could be bypassed easily, all these widely used crypto algorithms would be flawed, which is not the case. The only means, as mentioned multiple times, are at http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information

Method 1: Backups
Method 2: Shadow Volume Copies
Method 3: Restore DropBox Folders
Method 4: File Recovery Software (When CTB Locker encrypts a file, it first makes a copy of it, encrypts the copy, and then deletes the original. You can try, but there is a very low chance, even if you use file recovery software such as R-Studio or PhotoRec, of recovering some of your original files. Do note that the more you use your computer after the files are encrypted, the more difficult it will be for file recovery programs to recover the deleted unencrypted files.)

The lesson is to (really) educate the customer as well to consider the importance of backing up files on a regular basis. You can back up files by enabling System Restore, using manual syncing methods, or even by manually moving your files to a separate drive. http://windows.microsoft.com/en-us/windows/previous-versions-files-faq#1TC=windows-7

Move ahead and let's not cry over spilled milk. Build up the defence and also consider a tool such as "CryptoPrevent" (FoolishIT LLC). *I am not suggesting paying the ransom though.*
0
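As an added example (not from the thread or any of its participants), the PowerShell below checks the two things the shadow-copy discussion depends on: whether any shadow copies still exist on the machine (rindi's point that they are deleted before the note appears, and btan's Method 2), and whether the Security log recorded the shadow copies being deleted, which gives the responder a timeline. It assumes an elevated session and that process-creation auditing with command lines is enabled; the function names are my own.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the affected machine.
# Assumes Security log auditing of process creation with command lines is enabled
# (Audit Process Creation + "Include command line in process creation events").

function Get-ShadowCopyInventory {
    # Win32_ShadowCopy.VolumeName is a \\?\Volume{GUID}\ path; map it back to a drive letter.
    $volumes = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter }
    Get-CimInstance Win32_ShadowCopy | ForEach-Object {
        $copy = $_
        $vol  = $volumes | Where-Object { $_.DeviceID -eq $copy.VolumeName }
        [pscustomobject]@{
            Drive    = if ($vol) { $vol.DriveLetter } else { $copy.VolumeName }
            Created  = $copy.InstallDate
            ShadowId = $copy.ID
            Device   = $copy.DeviceObject
        }
    }
}

function Find-ShadowCopyDeletionEvents {
    param([int]$Hours = 72)
    # 4688 = "A new process has been created". The command line is only present in the
    # message when command-line auditing is enabled (assumption stated above).
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)vssadmin(\.exe)?\s+delete\s+shadows' } |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n"
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = ($lines | Where-Object { $_ -match 'Account Name:' } | Select-Object -First 1).Trim()
                Command = ($lines | Where-Object { $_ -match 'Process Command Line:' } | Select-Object -First 1).Trim()
            }
        }
}

$copies = @(Get-ShadowCopyInventory)
if ($copies.Count -eq 0) {
    Write-Host 'No shadow copies present: Previous Versions / System Restore cannot bring the files back.'
} else {
    Write-Host 'Shadow copies still present; try Previous Versions on the affected folders first:'
    $copies | Format-Table -AutoSize
}

$deletions = @(Find-ShadowCopyDeletionEvents -Hours 72)
if ($deletions.Count -gt 0) {
    Write-Host 'Shadow copy deletions logged in the last 72 hours (timeline evidence for the incident):'
    $deletions | Format-Table -AutoSize
}
```

If the inventory is empty and the log shows a deletion shortly before the ransom note, the recovery paths in Method 2 are closed and only Methods 1, 3 and 4 remain.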
Question has a verified solution.