
Files are encrypted by CTB-Locker

How to decrypt?

In my experience there is in fact no way to fix this issue. With some of the older versions of CTB-Locker you could go to each file and use Previous Versions, but you cannot do this anymore.
Most Valuable Expert 2015
Commented:
If you have already received the ransom note, it is too late. You will have to restore your files from your backups (after you have cleaned off the infection).

If the ransom note hasn't yet appeared, first make sure the virus is removed. After that you can search for a temporary directory on your disk where the original files have been copied to, or you can right-click the file and check for previous versions (as mentioned above).

Whatever you do, it is very important NOT to pay the ransom. Another thing that I would recommend you do, is before changing anything on the PC, inform the local law enforcement authorities. They might want to look at the PC so that they can eventually trace the crooks.
You really need to restore from backup.  Without a shadow copy or version backup you are pretty much out of luck, unless you want to pay the ransom.  If you go that route, don't delete any files as all are needed to decrypt and be sure they will give you the decryption key and that it will work (they will probably decrypt a single file for a small fee).
Dr. Klahn, Principal Software Engineer

Commented:
The above comments are correct.  The encryption keys are now generated randomly and it is ... not impossible, but impractical, in terms of human lifetimes to break the key.

If you pay the ransom, you may or may not get the system unlocked.  Survey results indicate about 2/3 of ransom payments result in a key being delivered within six months.

Even if you do get the system unlocked, you will never be able to trust that system again.

So you might as well either restore from the most recent full backup, or reload from scratch.
I wholeheartedly agree with above.
Most Valuable Expert 2013

Commented:
And really this is a duplicate of your question here:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_28623440.html#a40636840

Where you've already been told all of this - I know this isn't what you want to hear but you are not going to get these files back unless you have back-ups.   You have only two ways to decrypt:

- pay the ransom to the criminals - in Bitcoin and at thousands of $$

- Try brute force decryption - but with a random AES-256 key you could spend the rest of your life (and the lives of your descendants) before statistically you would find the key.

There is no magic solution :(
btan, Exec Consultant
Distinguished Expert 2019

Commented:
No way out, as mentioned already, and this applies to anyone infected by the ransomware. Disconnect the machine and do not plug in any external storage, or share what was used on the machine before, unless it has been cleaned up and checked by AV at a minimum.

Author

Commented:
What about data recovery from a day before the problem?
Most Valuable Expert 2015

Commented:
From your backup of the day before, sure. But if what you mean is a System restore from Windows built-in System Protection using a restore point, or by using previous versions of files using shadow copies, that doesn't work anymore after you have received the ransom note, as restore points and shadow copies get deleted by the ransomware before the note is shown.
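The point above, that the ransomware removes restore points and shadow copies before the note is shown, is also the point at which a defender still has something to detect. Below is an added example, not code from this thread or from any product it mentions, that runs a small detector over constructed process-creation log lines in a simplified Sysmon Event ID 1 style and flags the well-known commands used to destroy Windows recovery data (the MITRE ATT&CK technique "Inhibit System Recovery", T1490). The log lines, the field layout and the rule names are assumptions made for the example; the commands themselves are documented Windows administration tools, which is why a harmless `vssadmin list shadows` must not trigger.

```python
import re

# Constructed sample process-creation log lines in a simplified Sysmon Event ID 1 style.
# These are not from the page; they only illustrate what the detector looks for.
SAMPLE_LOG = """\
2015-02-18 10:12:01 EventID=1 Image=C:\\Windows\\explorer.exe CommandLine="C:\\Windows\\explorer.exe"
2015-02-18 10:12:07 EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"
2015-02-18 10:12:08 EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"
2015-02-18 10:12:09 EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"
2015-02-18 10:12:10 EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no"
2015-02-18 10:12:11 EventID=1 Image=C:\\Windows\\System32\\wbadmin.exe CommandLine="wbadmin delete catalog -quiet"
"""

# Rules for commands that destroy recovery data (MITRE ATT&CK T1490, "Inhibit System Recovery").
# Rule names are assumptions for this example. Read-only commands such as "vssadmin list" are
# deliberately not matched, so routine administration does not raise alerts.
RECOVERY_INHIBIT_RULES = [
    ("vssadmin delete shadows",       re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic shadowcopy delete",        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin delete catalog",        re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("bcdedit disables recovery",     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

# Timestamp is the first two whitespace-separated fields; the command line is the quoted value.
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+)\s.*?CommandLine="(?P<cmd>[^"]*)"')


def parse_line(line):
    """Return (timestamp, command_line) for a log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("cmd")


def classify_command(cmd):
    """Return the name of the first rule the command line matches, or None."""
    for name, pattern in RECOVERY_INHIBIT_RULES:
        if pattern.search(cmd):
            return name
    return None


def detect_recovery_inhibition(log_text):
    """Scan a block of log text and return one hit per matching process creation."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, cmd = parsed
        rule = classify_command(cmd)
        if rule:
            hits.append({"timestamp": ts, "rule": rule, "command_line": cmd})
    return hits


if __name__ == "__main__":
    for hit in detect_recovery_inhibition(SAMPLE_LOG):
        print(f"{hit['timestamp']}  {hit['rule']:<30}  {hit['command_line']}")
```

On the constructed log this reports four hits and ignores the `vssadmin list shadows` line. In a real deployment the same rules would sit in the SIEM or EDR over process-creation events, and a hit on a workstation is worth an immediate isolation of that machine: by the time the note appears, the copies these commands remove are already gone.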

Author

Commented:
No backup... no backup.

What about data recovery using recovery software?
If you are trying to recover the current files that have been encrypted, not that I know of. Recovery software can't handle this encryption.
Most Valuable Expert 2015

Commented:
As far as I know it does a secure erase, so data recovery would be futile. But you can always scan the disk using getdataback...

Author

Commented:
Is it possible to recover files from before the incident stage?
Most Valuable Expert 2015

Commented:
Before the encryption is completed, yes, but after that, no.

Author

Commented:
So what is the solution? Any decryption method or recovery method?
Most Valuable Expert 2015

Commented:
But I don't see the point of trying and wasting time, resources and money. Files of which there are no backups can't be important.

Author

Commented:
Important, but the customer didn't take a backup.
Most Valuable Expert 2015

Commented:
No, as we have tried to tell you multiple times, there is no solution, except to cut your losses and start fresh.

Take your backups more seriously in the future.

Author

Commented:
There should be some decryption method used by a decryption company, which needs to be found out.
Most Valuable Expert 2013

Commented:
But there isn't!

The nature of data encryption is that it is secure, otherwise why would anyone use it legitimately?

When used for malicious reasons it is still secure.

What is it about our responses that has failed to convince you that this can't be fixed?
Once you have received the popup, your files have been encrypted with very strong encryption (it would take many, many years of brute force decryption with a powerful computer before you made a dent in it). If there is no backup, then the user either needs to take the loss or pay the ransom.
btan, Exec Consultant
Distinguished Expert 2019
Commented:
There isn't any, and if there is one, please do not fall for it as it may be a false impression. The probable means to break asymmetric keys (knowing the private key; and since it seems to encrypt using elliptic curve cryptography, it is even tougher) is just not an easy fare and not worth the effort. If the crypto could be bypassed easily, all these widely used crypto algorithms would be flawed, which is not the case. The only means, as mentioned multiple times, include http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information

Method 1: Backups
Method 2: Shadow Volume Copies
Method 3: Restore DropBox Folders
Method 4: File Recovery Software (when CTB Locker encrypts a file, it first makes a copy of it, encrypts the copy, and then deletes the original. You can try, but there is a very low chance, even with file recovery software such as R-Studio or PhotoRec, of recovering some of your original files. Do note that the more you use your computer after the files are encrypted, the more difficult it will be for file recovery programs to recover the deleted unencrypted files.)

The lesson is to (really) educate the customer as well on the importance of backing up your files on a regular basis. You can back up files by enabling System Restore, using manual syncing methods, or even by manually moving your files to a separate drive. http://windows.microsoft.com/en-us/windows/previous-versions-files-faq#1TC=windows-7

Move ahead and let's not cry over spilled milk. Build up the defence and also consider a tool such as "CryptoPrevent" (FoolishIT LLC). *I am not suggesting paying the ransom though.*
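Method 1 (Backups) and the closing lesson about backing up regularly only pay off if the backup itself is known-good, and a backup taken after the encryptor has run is worthless. The following is an added example, not code from this thread or from any tool it names, of the check a practitioner can build around that: take a SHA-256 manifest of a folder while it is healthy, then verify a later copy against it, reporting files that are missing, files that changed, and files whose new content looks like ciphertext (Shannon entropy near 8 bits per byte, where plain documents sit far lower). The folder contents, the 7.5 entropy threshold and the simulated damage (random bytes standing in for encrypted output) are all constructed for the example.

```python
import hashlib
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Entropy (bits per byte) above which a changed file is treated as probably encrypted.
# Assumption for this example: text and office documents sit well below it,
# ciphertext and well-compressed data sit close to 8.0.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_against_manifest(root, manifest):
    """Compare the files under root with a manifest taken earlier.

    'changed' lists every file whose digest differs; 'suspicious' is the subset of
    changed files whose current content has ciphertext-like entropy.
    """
    root = Path(root)
    report = {"ok": [], "missing": [], "changed": [], "suspicious": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) == expected:
            report["ok"].append(rel)
            continue
        report["changed"].append(rel)
        if shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
            report["suspicious"].append(rel)
    return report


def demo():
    """Constructed scenario: snapshot a folder, then simulate what an encryptor leaves behind."""
    rng = random.Random(1)  # seeded so the simulated ciphertext is reproducible
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        (docs / "readme.txt").write_text("Quarterly report notes.\n" * 50)
        (docs / "notes.txt").write_text("Meeting minutes, unchanged text.\n" * 50)
        (docs / "deleted.txt").write_text("This file will disappear.\n")
        manifest = build_manifest(docs)  # taken while the files were still good

        # Simulated damage (constructed): one file replaced by random bytes standing in
        # for ciphertext, one file removed, one file edited by a normal user.
        (docs / "notes.txt").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
        (docs / "deleted.txt").unlink()
        (docs / "readme.txt").write_text("Quarterly report notes, edited.\n" * 50)
        return verify_against_manifest(docs, manifest)


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice. The manifest has to be stored somewhere the encryptor cannot reach (offline media or a separate account), otherwise it is destroyed together with the shadow copies the thread discusses. And the entropy check is a triage signal, not proof: an ordinary edit shows up only under "changed", while a file that suddenly turns into high-entropy bytes is the cue to stop the backup job before it overwrites the last good copy.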