Ransomware Infection, Need Help


  • This topic is locked
3 replies to this topic

#1 Soleil8319

Soleil8319

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:57 PM

Posted 19 June 2015 - 05:53 PM

Hey there. So I woke up this morning to discover that my PC has been infected with "ransomware", and all my photos and documents have been encrypted. My music and videos are untouched, though I did find a "ransom note" in my Music folder. Apparently my PC has no Restore Point logged, so I couldn't do a System Restore if I wanted to (It's usually saved restore points automatically in the past). So I have clearly hit a brick wall here. Is there a way to restore my files that doesn't require paying the BLEEPING criminals? Any and ALL information would be most appreciated. Thanks!




#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,662 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:57 PM

Posted 19 June 2015 - 11:30 PM

Hi Soleil8319 :)

Depending on the Cryptoware you have been hit with, it might or might not be possible to recover your files. Can you copy and paste the content of the ransom note here? Also, what's the name of the ransom files? What type are they (.txt, .htm, .bmp, .jpg, .html, etc.)?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Soleil8319

Soleil8319
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:57 PM

Posted 21 June 2015 - 07:22 PM

Hey, so the ransom note is this:

 

Your documents, photos, databases and other important files have been encrypted
with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker.
Overwise, it's seems that you or your antivirus deleted the locker program.
Now you have the last chance to decrypt your files.

Open http://43qzvceo6ondd6wt.onion.cab or http://43qzvceo6ondd6wt.tor2web.org
in your browser. They are public gates to the secret server.

If you have problems with gates, use direct connection:

1. Download Tor Browser from http://torproject.org

2. In the Tor Browser open the http://43qzvceo6ondd6wt.onion/
   Note that this server is available via Tor Browser only.
   Retry in 1 hour if site is not reachable.

Copy and paste the following public key in the input form on server. Avoid missprints.
LH7LC3G-I5WEARK-4ZH7WWT-QGAA7TK-HYDJKZI-4QEY4XF-YQIFNSB-P5COGWV
A6B7S4A-WQ7NKMT-GRDKCRT-L3XQ6JZ-ZWXTWZX-LQJ5MPX-5X5W4PC-EVEAVA3
6OZ2LIL-LS7X6E5-VHU2KWQ-TJDQTG2-RVNJWXP-AE7GCJ4-UUDZHL3-WTWPXNY


Follow the instructions on the server.

 

It has affected all document and file types including pds, ai, and pdf, but no mp3 or video files were affected.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,479 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:57 PM

Posted 21 June 2015 - 07:38 PM

The newest variants of CTB Locker typically append encrypted data files with a 6-7 length extension consisting of random characters. This extension is believed to be generated as a result of some type of algorithm involved at the time of the initial infection. The newer variants also do not always leave a ransom note if the malware fails to change the background, like it generally does. Compounding matters, the newer CTB-Locker infection has sometimes been seen in combination with KEYHolder, Torrent Locker (fake Cryptolocker) or Cryptowall ransomware.

A repository of all current knowledge regarding this infection is provided by Grinler (aka Lawrence Abrams), in this topic: CTB Locker and Critroni Ransomware Information Guide and FAQ

Unfortunately there is no fix tool and no known method to retrieve the private key that can be used to decrypt your files without paying the ransom. With dual infections, that means paying both ransoms. Brute forcing the decryption key is not a realistic option.

CTB Locker will attempt to delete all Shadow Volume Copies when you first start any executable so that you cannot restore your files via System Restore or using a program like Shadow Explorer...but it never hurts to try in case the infection did not do what it was supposed to do. You may even be able to use file recovery software such as R-Studio or Photorec to recover some of your original files.

There is also an ongoing discussion in this topic: CTB Locker Ransomware Support & Discussion.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

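The naming pattern quietman7 describes (original name and extension kept, a 6-7 character random extension appended, one extension per infection) is enough to build an inventory of what was hit before deciding on recovery. The script below is an added example, not code from the post or from BleepingComputer. It assumes the form `<name>.<ext>.<6-7 random chars>` (e.g. `photo.jpg.xkqzvbn`, a made-up tag), adds a byte-entropy check on each candidate so that a name match alone is not trusted, and tallies the appended extensions so that more than one distinct tag stands out as a possible double infection. The sample files it runs on are constructed in a temporary directory.

```python
"""
Added triage helper (not from the post above): list files that fit the
CTB-Locker naming pattern and whose leading bytes look like ciphertext.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed naming pattern: <original name>.<original ext>.<6-7 random chars>.
# The original extension is limited to 1-5 alphanumerics so that a file whose
# only extension happens to be seven letters long is not matched by itself.
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+\.[A-Za-z0-9]{1,5})\.(?P<tag>[A-Za-z0-9]{6,7})$")

# Bits of entropy per byte. Ciphertext sits near 8.0, text and most office
# documents well below; 7.5 is a conservative cut-off (already-compressed
# formats such as zip can also exceed it, so treat hits as candidates).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted_name(name: str):
    """Return (original_name, appended_tag) if the name fits the pattern, else None."""
    m = ENCRYPTED_NAME.match(name)
    return (m.group("orig"), m.group("tag")) if m else None


def triage(root, sample_bytes: int = 4096):
    """Walk root and return (hits, tag_counts).

    hits: one dict per file whose name fits the pattern AND whose first
    sample_bytes look random.  tag_counts: occurrences of each appended
    extension; a single infection is expected to use one tag, so several
    distinct tags hint at the multiple-infection case the post warns about.
    """
    hits, tag_counts = [], Counter()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        parsed = looks_encrypted_name(path.name)
        if parsed is None:
            continue
        with path.open("rb") as fh:
            entropy = shannon_entropy(fh.read(sample_bytes))
        if entropy < ENTROPY_THRESHOLD:
            continue  # name matches, but the content is not ciphertext-like
        orig, tag = parsed
        hits.append({"path": str(path), "original": orig,
                     "tag": tag, "entropy": round(entropy, 2)})
        tag_counts[tag] += 1
    return hits, tag_counts


def build_sample_tree(root) -> None:
    """Constructed sample data: one encrypted-looking file, two decoys, one mp3."""
    root = Path(root)
    (root / "Pictures").mkdir()
    # random bytes stand in for ciphertext; the tag "xkqzvbn" is made up
    (root / "Pictures" / "photo.jpg.xkqzvbn").write_bytes(os.urandom(8192))
    (root / "notes.txt").write_text("plain text, never touched\n")
    # fits the name pattern but is all zeros: must NOT be reported
    (root / "form.pdf.aaaaaaa").write_bytes(b"\0" * 8192)
    # mp3 left alone, as the thread starter observed
    (root / "song.mp3").write_bytes(b"ID3" + b"\0" * 1000)


def demo():
    """Build the constructed sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    found, tags = demo()
    for h in found:
        print(f"{h['path']}  tag={h['tag']}  entropy={h['entropy']}")
    print("tags seen:", dict(tags))
```

Run it against a copy of the data or a mounted image rather than the live disk, and only after the machine has been cleaned: the post notes that CTB Locker tries to delete Shadow Volume Copies on the next executable launch, so check what is left with `vssadmin list shadows` before doing anything else on the infected system. The inventory this produces (which originals, which tag) is what the support topic will ask for and what a file-carving pass with Photorec or R-Studio would be measured against.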