files are encrypted by CTB-Locker

how to decrypt
techp Asked:

jaustinMDC Commented:
In my experience there is in fact no way to fix this issue. With some of the older versions of CTB-Locker you could go to each file and do previous version, but you cannot do this anymore.
0
rindi Commented:
If you have already received the ransom note, it is too late. You will have to restore your files from your backups (after you have cleaned off the infection).

If the ransom note hasn't yet appeared, first make sure the virus is removed. After that you can search for a temporary directory on your disk where the original files have been copied to, or you can right click the file and check for previous versions (as mentioned above).

Whatever you do, it is very important NOT to pay the ransom. Another thing that I would recommend you do, is before changing anything on the PC, inform the local law enforcement authorities. They might want to look at the PC so that they can eventually trace the crooks.
0

Thomas Zucker-Scharff, Solution Guide, Commented:
You really need to restore from backup.  Without a shadow copy or version backup you are pretty much out of luck, unless you want to pay the ransom.  If you go that route, don't delete any files as all are needed to decrypt and be sure they will give you the decryption key and that it will work (they will probably decrypt a single file for a small fee).
0

Dr. Klahn, Principal Software Engineer, Commented:
The above comments are correct.  The encryption keys are now generated randomly and it is ... not impossible, but impractical, in terms of human lifetimes to break the key.

If you pay the ransom, you may or may not get the system unlocked.  Survey results indicate about 2/3 of ransom payments result in a key being delivered within six months.

Even if you do get the system unlocked, you will never be able to trust that system again.

So you might as well either restore from the most recent full backup, or reload from scratch.
0
Thomas Zucker-Scharff, Solution Guide, Commented:
I wholeheartedly agree with above.
0
☠ MASQ ☠ Commented:
And really this is a duplicate of your question here:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_28623440.html#a40636840

Where you've already been told all of this - I know this isn't what you want to hear but you are not going to get these files back unless you have back-ups.   You have only two ways to decrypt:

- pay the ransom to the criminals - in Bitcoin and at thousands of $$

- Try brute force decryption - but with a random AES-256 key you could spend the rest of your life (and the lives of your descendants) before statistically you would find the key.

There is no magic solution :(
0
btan, Exec Consultant, Commented:
No way out, as mentioned already, and this applies to anyone infected by the ransomware. Disconnect the machine and do not plug in any external storage or share those used in the machine before unless cleaned up and checked by AV minimally.
0
techp, Author, Commented:
What about data recovery on a day before the problem?
0
rindi Commented:
From your backup of the day before, sure. But if what you mean is a System restore from Windows built-in System Protection using a restore point, or by using previous versions of files using shadow copies, that doesn't work anymore after you have received the ransom note, as restore points and shadow copies get deleted by the ransomware before the note is shown.
0
techp, Author, Commented:
Not back up... no back up.

What about data recovery using recovery software?
0
Thomas Zucker-Scharff, Solution Guide, Commented:
If you are trying to recover the current files that have been encrypted, not that I know of. Recovery software can't handle this encryption.
0
rindi Commented:
As far as I know it does a secure erase, so data recovery would be futile. But you can always scan the disk using getdataback...
0
techp, Author, Commented:
Is it possible to recover files before the incident stage?
0
rindi Commented:
Before the encryption is completed, yes, but after that, no.
0
techp, Author, Commented:
So what is the solution? Any decryption method or recovery method?
0
rindi Commented:
But I don't see the point of trying and wasting time and resources and money. Files of which there are no backups can't be important.
0
techp, Author, Commented:
Important, but customer didn't take backup.
0
rindi Commented:
No, as we have tried to tell you multiple times, there is no solution, except to cut your losses and start fresh.

Take your backups more seriously in the future.
0
techp, Author, Commented:
There should be some decryption method used by a decryption company, which needs to be found out.
0
☠ MASQ ☠ Commented:
But there isn't!

The nature of data encryption is that it is secure, otherwise why would anyone use it legitimately?

When used for malicious reasons it is still secure.

What is it about our responses that has failed to convince you that this can't be fixed?
0
Thomas Zucker-Scharff, Solution Guide, Commented:
Once you have received the popup, your files have been encrypted with very strong encryption  (would take many many years of brute force decryption with a powerful computer before you made a dent in it). If there is no backup,  then the user either needs to take the loss or pay the ransom.
0
btan, Exec Consultant, Commented:
There isn't any, and if there is one, pls do not fall for it as it may be a false impression. The probable means to break asymmetric keys (knowing the private key, and it seems to encrypt using elliptical curve cryptography, it is even tougher) is just not an easy fare and worth the efforts. If the crypto to decrypt can be bypassed, and easily, all these crypto algorithms used widely will be flawed, which is not the case. The only means, as mentioned multiple times, include http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information

Method 1: Backups
Method 2: Shadow Volume Copies
Method 3: Restore DropBox Folders
Method 4: File Recovery Software (When CTB Locker encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. You can try, but there is a very low chance even if you try using file recovery software such as R-Studio or Photorec to recover some of your original files. Do note the more you use your computer after the files are encrypted, the more difficult it will be for file recovery programs to recover the deleted un-encrypted files)

The learning is to (really) educate the customer also to consider the importance of backing up your files on a regular basis. You can back up files by enabling System Restore, using manual syncing methods, or even by manually moving your files to a separate drive. http://windows.microsoft.com/en-us/windows/previous-versions-files-faq#1TC=windows-7

Move ahead and let's not cry over spilled milk. Build up the defence and consider also a tool such as "CryptoPrevent" (FoolishIT LLC). *I am not suggesting paying the ransom though*
0
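For Method 2 above, and rindi's point that restore points and shadow copies get deleted before the note is shown, one way to check what actually survived on the affected machine. This is an added example, not part of any post in this thread; it assumes PowerShell 3.0 or later, and `$IncidentTime` is a placeholder you set yourself.

```powershell
# Added example: enumerate surviving Volume Shadow Copies and flag those that
# predate the incident. Run from an elevated PowerShell prompt on the affected PC.

# Assumption: placeholder value; set this to when the encryption was first noticed.
$IncidentTime = (Get-Date).AddDays(-1)

# Map volume GUID paths (\\?\Volume{...}\) to drive letters for readable output.
$driveByVolume = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    $driveByVolume[$_.DeviceID] = $_.DriveLetter
}

# Win32_ShadowCopy lists every snapshot the Volume Shadow Copy Service still holds.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

if ($shadows.Count -eq 0) {
    Write-Output 'No shadow copies remain; "Previous Versions" has nothing to restore from.'
}
else {
    $shadows | Sort-Object -Property InstallDate | ForEach-Object {
        [pscustomobject]@{
            Drive          = $driveByVolume[$_.VolumeName]
            Created        = $_.InstallDate
            BeforeIncident = $_.InstallDate -lt $IncidentTime
            DeviceObject   = $_.DeviceObject
        }
    } | Format-Table -AutoSize
}
```

Only rows with `BeforeIncident` set to `True` can hold unencrypted versions of files.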