The newest variants of CTB Locker typically appends encrypted data files with a 6-7 length extension consisting of random characters
. This extension is believed to be generated as a result of some type of algorithm involved at the time of the initial infection. The newer variants also do not always leave a ransom note if the malware fails to change the background, like it generally does. Compounding matters, the newer CTB-Locker infection has been seen in combination with KEYHolder
, Torrent Locker
(fake Cryptolocker) or Cryptowall
Newer variants of CTB Locker will attempt to delete all Shadow Volume Copies when you first start any executable so that you cannot restore your files via System Restore
or using a program like Shadow Explorer
...but it never hurts to try. At this time there is no fix tool and unfortunately, still no known method to retrieve the private key that can be used to decrypt your files
since there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. With dual infections, that means paying both ransoms.
A repository of all current knowledge regarding this infection is provided by Grinler
(aka Lawrence Abrams
), in this topic: CTB Locker and Critroni Ransomware Information Guide and FAQ
There is also an ongoing discussion in this topic: CTB Locker or DecryptAllFiles.txt Encrypting Ransomware Support & Discussion
Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. To avoid unnecessary confusion...this topic is closed.
The BC Staff