43 comments on “CTB-Locker: files decryption demonstration feature”

  1. Why not create a tool for anyone who is not very practical with decryption, like me, but who had the PC infected with CTB Locker? Thanks to those who want to respond.

    • Well, it’s not as simple as it seems and I don’t even know if it’s really possible to restore all the original files… I’m trying to get some more info about the malware, I’ll keep you updated.

      • I am a professional photographer. A few weeks ago my computer was attacked by CTB-LOCKER, the one with the black screen and code KEY. Proven Data Recovery has been able to identify the VARIANT of the virus I have. It is – RSA-2048 CTB-Locker encryption virus.

        They want 2,600 for the decryption of 300 image files that this virus has encrypted on a SD CARD. The computer still reads close to 900mb of data on the card and I have been told by multiple sources that there is a chance my images are still there, but I have had no luck and it’s going to take me quite some time to come up with this money, so in the meantime I am exploring other options and learning more about computers and code than I would otherwise have ever cared to.

        It angers me to no end that people can actually even do this. That they can hurt total strangers in this way. Hurt their jobs. Affect their lives just for the sake of doing so and then dangle our data in front of us so we freak out and jump. I refuse to pay this RANSOM and it is frustrating to no end that the supposed GOOD GUYS want WAY THE HELL MORE!! It’s very backwards to me and does not seem right. It is almost impossible to get a simple straight answer from people in this area and there is a lot of double talk and I have had a couple people remote access my computer and I see them try things even I have tried.

        The files that are blocked were never on my hard drive. I didn’t even have time to make a hard copy. One moment they were fine and the next they were encrypted. I have done 2 system restores and a factory restore and the computer has updated protection but the files remain locked on my card.

        Is there any effective decryption for CTB-LOCKER – RSA-2048 CTB-Locker encryption virus?

        What are the odds? Is it even worth saving all this money for these people? He did ID the variant. Even that came as a shock. It’s all I have to go on. Maybe, if you think you have a solution for me, of course I would be willing to work out a pay arrangement but I would need to see at least SOME proof. Maybe do one or two that I can see. There are 300 on the card and I am really quite desperate for this material, or to be told convincingly and enough times that all hope is lost. I am not at that point yet.

        Thanks for your time



  2. Pingback: CTB-Locker - Security News

  3. Thanks for the analysis!
    If I got the encryption part right, the malware creates a master-private and a master-public key for the server and sends the master-private key (which is then destroyed on the infected machine) to its CC through TOR. This is in contrast to other crypto-ransomware that wait for the CC server to send the master-public key.

    I was wondering what happens if the CC server is never reached (due to no accessibility to TOR for example):
    – Does the malware keep trying to send the master-private key forever?
    – Or, once the transmission of the master-private key fails, does the malware stop trying to transmit it?

    If it is the first, then does it mean that the master-private key may be recuperated from the memory?

    • That’s an interesting point indeed. Your idea about the key is reasonable but I’m not sure about the presence of the master key in memory right now. I’m still working on it and I hope to understand how things are really working as soon as possible.

      • hi zairon, my computer has been infected by the ctb locker virus and i am unable to recover my data, which is very important. i saw your progress here to get rid of this virus. did you find any solution to counter this malware shit? please help me, i am giving you my email for your convenience: goldenman_1989@hotmail.com

  4. Pingback: Tools to cryptanalyze files encrypted by CTB-Locker? | DL-UAT

  5. Pingback: Where to find a full analysis of the encryption scheme of CTB-Locker? | DL-UAT

  6. Pingback: Is cryptanalysis of CTB-Locker possible? | DL-UAT

  7. Pingback: Is cryptanalysis of CTB-Locker really impossible? | DL-UAT

  8. I was curious, so I got a sample from http://kernelmode.info. I ran it in a VirtualBox VM with networking disabled. After I copy-pasted the public key to a TOR browser outside the VM, the site allowed me to decrypt two (any) files for free. I uploaded an encrypted text file I created for this purpose, and the hidden server was able to decrypt my file. How could it do it when the malware was never able to communicate with the remote server?

      • In a new WinXP VM, I created a file “important.txt” with the content “foobarbazbax123456789”. I then ran the malware sample I downloaded, which encrypted the files, including this TXT file, and gave me the public key and the link. I visited the link outside of the VM in TOR browser, they asked me for 1.65BTC, and allowed me to upload any two encrypted files to decrypt for free. I uploaded the encrypted “important.TXT.rgzifze”, and they were able to decrypt it, even though CTB-Locker was never able to reach the internet (I disabled it in VirtualBox).

      • There’s no need to access the internet when all the needed information is secretly included inside the encrypted file. Take a look at my next blog post about CTB, there’s a full description of the real encryption/decryption scheme used by the malware.

  9. Hi dears, anyone please help me….
    I need to decrypt my files..
    it is very important
    it was encrypted by CTB locker
    it is very very important files

  10. hi all, in my system all files are encrypted by CTB locker. what do i have to do now? please help me to remove this virus

  11. hi all, in my system all files are encrypted by CTB locker. what do i have to do now? please help me to remove this virus

    • When the virus was encrypted file, to restore skype ctblocker please add nick. We will help you recover them. Thanks.

  12. we need a tool to decrypt those 5 files, then we can use those 5 decrypted files with another tool to compare the original file with the encrypted file, like panda anti ransomware; this tool needs the original file

  13. My name is Scott. I am a professional photographer from Michigan. On August 11, 2015 my computer was infiltrated by hackers utilizing an advanced and evolving hacking and data encryption program. It is not the only one of its kind, however the bad guys are continuing to invent new and more powerful ways to separate people and companies from the things they need the most. It is something that never should happen. It is wrong what these people do and they are doing it every day. They are doing it as I write this. They call it RANSOMWARE. It is a word I myself, a common computer user, had not heard of.
    These programs go by different names. They all do about the same thing, which is to lock you out of your own computer and/or render files on your hard drive inaccessible to you and most people on the planet incidentally. It is a troublesome and disturbing new trend in cybercrime and I feel law enforcement and our government are NOT doing nearly enough to combat these people and their very REAL weapons.
    They seem to be targeting at random. Individuals, small businesses, and even law enforcement itself. There is a new shared danger in this fluid situation that is different from other computer virus programs in that even with the best protection the government has at its disposal there are people who know how to break in. Once one of these RANSOMWARE programs is able to upload onto your system you may never know it is there until it strikes. When it does, it is very fast and there is nothing you can do to stop it. Your file icons will flicker and disappear. You will see this happen as I did. The files will reappear, but in an encrypted format that MOST people will never break, it seems. You will need to know a lot about computer CODE and DECRYPTION.
    If you start to see your files going away the only thing you can do is unplug your system from the wall or shut it immediately down as fast as you can. Just hit the button!! In some cases doing an immediate system restore and/or factory restore can assist in the recovery of files. It depends a lot on when your last hard drive RESTORE POINT was made. That is something you should often do, particularly if you do a lot of work on your computer and have more files you are dealing with.
    The best thing you can do is keep updated copies of important material. On CD as well as a computer that is NOT connected at all to the internet. That is what I mostly do. I have computers for networking and I have others for editing and other things. It is best to keep things separate, now more than ever.
    As of this writing there is no decryption for the version of this virus program that has locked my files from me. It is called CTB-LOCKER. It uses RSA-2048 ENCRYPTION. Please feel free to google these things so you can learn more about what these programs really are, how they work and how dangerous they really are. Or google RANSOMWARE. I am hopeful that one day soon they will catch these evil people, or the good guys will come up with a solution. Some of these people have actually stopped and released their CODES so people could actually retrieve their data, but every situation is different and no one can say for sure if decryption will ever happen. I know there are a lot of people out there like me who have been victimized by these evil people and I want them to know that I feel their pain. I want to see these evil bad people in court. I want them to know that they have HURT PEOPLE and I want to see them go away for the rest of their lives.
    I want to thank Roxy Lopez again for her courage in taking on this global issue and I thank her again for her time. Hopefully together we can get this very serious issue into a greater light and maybe the bad guys will have fewer places to hide.

    Scott Matthew Smith

  14. Pingback: A king’s ransom: an analysis of the CTB-locker ransomware | vulnerablelife

  15. is there anyone who did decrypt their files infected by CTB-Locker? However, the extension of my files is “.vaegran”. thanks in advance.

  16. Hi! very interesting post! I read that this malware, to decrypt a file, mixes 16 bytes of the encrypted file with 16 zeroes (appended at the end), but how does it work? I mean, what part of the result is taken, and how long is the result of this operation? Are zeroes appended in the encryption part as well? I wonder what the mathematical consequences of this are…

  17. hello, I have some family photos encrypted with ctb locker,



    bitcoin: 1GtcQUHczoUqpxvc5mVTn9TQgRAfPLPU1y

    any solution to decrypt?

    my email: geoneogeo35@gmail.com, help

    • If you haven’t used your computer very much since the infection, you could try software such as recuva, photorec/testdisk or the like, because ctb locker creates an encrypted copy of the original file, then it deletes the original one, so there’s a chance to recover a few files with a sort of ‘undelete’ operation (though the result is unpredictable, I can’t tell you how many files you can recover, if any). As for decryption, that’s quite impossible.

      • thanks for your info, i know about photorec, encase, r-studio, i didn’t manage to recover because i formatted my pc. that ransom of 1500 usd is huge, some people like me earn 250 euro in a month. waiting for a ctb locker decryptor

  18. Hello all.
    If I have the original and the encrypted file, is it possible to find the key?
    What I can’t understand: why is it so fast to copy files, encrypt and delete the original?

  19. My spouse and I stumbled over here coming from a different web address and thought I may as well check things out. I like what I see so now I’m following you. Look forward to going over your web page again.
