The newest variants of CTB Locker
typically appends encrypted data files with a 6-7 length extension consisting of random characters
. This extension is believed to be generated as a result of some type of algorithm involved at the time of the initial infection. The newer variants also do not always leave a ransom note if the malware fails to change the background, like it generally does. Compounding matters, the newer CTB-Locker infection has sometimes been seen in combination with KEYHolder
, Torrent Locker
(fake Cryptolocker) or Cryptowall
A repository of all current knowledge regarding this infection is provided by Grinler
(aka Lawrence Abrams
), in this topic: CTB Locker and Critroni Ransomware Information Guide and FAQ
Unfortunately there is no fix tool and no known method to retrieve the private key
that can be used to decrypt your files without paying the ransom. With dual infections, that means paying both ransoms. Brute forcing the decryption key is not a realistic option.
CTB Locker will attempt to delete all Shadow Volume Copies when you first start any executable so that you cannot restore your files via System Restore
or using a program like Shadow Explorer
...but it never hurts to try in case the infection did not do what it was supposed to do. You may may even be able to use file recovery software
such as R-Studio or Photorec to recover some of your original files.
There is also an ongoing discussion in this topic: CTB Locker Ransomware Support & Discussion
Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.
The BC Staff