CryptoLocker is a malware that gained notoriety for infecting computers between 2013 and 2014. When the malware infects your computer, it will seek for files to encrypt, including hard drives and connected media. Computers that run old versions of Windows are very susceptible to the malware. When the malware was active between 2013 and 2014, it was able to infect has infected an estimated 500,000 computers.
In recent years, CrytoLocker has spawned a few clones, including Cryptowall, CryptoLocker, and TorrentLocker. They all use similar methods for infection.
What Does CryptoLocker Ransomware Do?
Once it successfully infects your computer, the malware will look for files and folders to encrypt with asymmetric encryption, an encryption technique that relies on two keys, one private and the other public. To decrypt the data, a user has to have the private key. Some of the file types that are encrypted by the ransomware include:
- Microsoft Word document (file name ends with .doc or .docx)
- Microsoft XSL document (.xsl or .xslx)
- XML document (.xml or .xslx)
- Zipped folders and PDFs
How CryptoLocker Infects Computers
CryptoLocker uses social engineering to infect computers. The victim usually receives an email with an attachment that comes with a password. When the user opens the attachment with the assigned password, the malware quickly and discretely installs itself by taking advantage of the Windows default behavior of hiding the .exe from file names. Once the malware has infected your computer, it takes the following steps:
- Creates a folder in the user’s profile (AppData, LocalAppData)
- Adds a registry key which makes the malware run every time the computer starts
- Creates two processes of itself: the main process and another process that protects the main process from termination.
How to Remove CryptoLocker
Luckily for you, CryptoLocker is no longer a major ransomware threat because it has been long dealt with by the likes of the FBI and the NSA. Even so, it can still infect your computer if you are using a really old Windows version such as Windows XP or some Windows 7 version that has not been updated for a really long time.
The anti-malware solution will scan your PC and remove all bits of the dangerous program. It will also provide protection against any future attacks by similar malware.
To get rid of the CryptoLocker malware with the help of antivirus, you will need to run your computer in Safe Mode with Networking. That way, you can isolate all the active programs of the malware. Here is how to enable Safe Mode with Networking on older versions of Windows:
Starting Windows 7/Vista/XP in Safe Mode with Networking
- Restart your computer and immediately hit the F8 button in 1-second intervals.
- After your computer runs a hardware test, the Advanced Boot Options menu will appear.
- Use arrow keys, select Safe mode with networking.
Starting Windows 8 in Safe Mode with Networking
- Press the Windows + C keys, and then click Settings.
- Click the power button while holding the Shift key on your keyboard, and then click Restart.
- Your computer will restart by displaying the Choose an option Click Troubleshoot.
- Click Advanced options.
- Click Startup Settings.
- Click Restart.
- Use the arrow keys to select the Enable Safe Mode with Networking Alternatively, press 5 on your keyboard.
Safe Mode with Networking will allow you to access network resources that can be used to download anti-malware or seek additional help on a Windows blog like this one. Be warned, however, that there is no way to recover your files once they have been encrypted by the ransomware. And while you might be tempted to pay the ransomware amount to the criminal networks behind the ransomware, please don’t. It will only embolden them to create even more serious threats in the future.
If Safe Mode with Networking fails to remedy your situation, you can use the System Restore option to return Windows to an earlier working state.
System Restore in Windows XP
- Restart your computer.
- Press the F8 key repeatedly as the computer restarts.
- On the Windows Advanced Options screen, select Safe Mode with Command Prompt.
- Log in as Administrator.
- On the Command Prompt, type: %systemroot%\system32\restore\rstrui.exe
- Follow the onscreen directions to complete the system restore process.
System Restore in Windows 7
- Boot your Windows.
- Press and hold the F8 button repeatedly before the Windows 7 logo appears.
- On the Advanced Options screen, choose Safe Mode with Command Prompt.
- Login as administrator when prompted.
- On the Command Prompt, type rstrui.exe.
- Follow the onscreen directions to complete the process.
When using the System Restore option to make changes to your computer, you will always be informed of the programs and settings that will no longer be available when the process is complete.
Supposing that you have done all the above and more and you still cannot get rid of the CryptoLocker ransomware, what do you do next?
Remember that you still have the nuclear option of resetting your computer or installing a fresh new version of the Windows OS.
Protect your Computer from CryptoLocker Ransomware
How do you protect your computer from ransomware such as CryptoLocker? Here are a few strategies that might prove helpful:
- Always have an antivirus program installed on your computer and make sure that your choice of anti-malware is not any of those free versions.
- Create a backup of files that are important to you as that way, even when you are hit by ransomware, you can still recover them.
- Update your operating system to the latest version. Windows 7, 8 and Windows XP were once marvels but they no longer are. Some like Windows XP are no longer supported.
- Use internet protection to access sites. It will prevent you from interacting with suspicious content such as fake advertisements and spams.
- Be wary of suspicious emails and attachments from sources that you are not familiar with. Also, don’t share your personal information with anyone you are not on a first-name basis with.