Content on this page requires a newer version of Adobe Flash Player.

Get Adobe Flash player


Crypt0L0cker ransomware decryption techniques

Learn what kind of a virus Crypt0L0cker is, how it infects Windows computers, what types of files it encrypts, how to remove it and decrypt hostage data.

Crypt0L0cker, alias TorrentLocker, is a cryptography-backed infection that takes victims’ personal data hostage. Referred to as ransomware, this category of malicious code has been at the very apex of computer threat landscape for years. The perpetrating program under analysis contaminates Windows machines via booby-trapped email attachments that look interesting enough for recipients to open them. When inside, Crypt0L0cker scans the local hard drive, removable media and network drives for widespread types of files. This scan runs in the background, so there isn’t much chance that the user takes notice of it. The ransomware skips files that are necessary for stability of the operating system, including ones with the .exe, .dll, .cmd, .scr, .lnk, .sys, .bat, .msi, .ico, .ini and some others. This is a smart move as it allows the extortion cycle to go all the way.

Crypt0L0cker ransom note called HOW_TO_RESTORE_FILES.html

Earlier iterations of Crypt0L0cker would concatenate the .enc or .encrypted extension to every data entry that underwent the enciphering. The variant currently in rotation has a different take on this file labeling. It uses extensions consisting of six random characters. Moreover, every single scrambled file gets a unique string appending it. For instance, two sample files Article.docx and Sunrise.jpg will turn into something like Article.docx.biqxtu and Sunrise.jpg.oynadx, respectively. An arbitrary folder with these messed-up files will also contain two editions of ransom notes. One is called HOW_TO_RESTORE_FILES.html and HOW_TO_RESTORE_FILES.txt. The alert part in them says, “Warning, we have encrypted your files with Crypt0L0cker virus. Your important files (including those on the network disks, USB, etc.): photos, videos, documents, etc. were encrypted with our Crypt0L0cker virus. The only way to get your files back is to pay us. Otherwise, your files will be lost.”

This combo of documents isn’t only about telling the victim what happened. They are also decryption how-to’s instructing the infected users to install Tor browser and visit their personal page titled “Buy Decryption”. The page provides the amount of the ransom payable in cryptocurrency, the Bitcoin address to submit it, and the deadline for paying up. The price of full recovery is usually about 0.5 BTC, and it doubles in five days. Security analysts have been trying hard to defeat Crypt0L0cker’s encryption, to no avail. Under the circumstances, if you are infected with this nasty virus, consider trying several workarounds that have helped ransomware victims reinstate their data without sending the ransom to crooks.

How to recover Crypt0L0cker-encrypted files without submitting the ransom

A brief disclaimer: the techniques described below do not actually decrypt the locked data. Instead, they provide viable workarounds for exploiting probable imperfections of the way that this virus implements the crypto and handles the victim’s files. Although it’s premature to assert whether or not these tips will do the trick in your situation, nothing more efficient has been invented to date. Without further ado, peruse the following methods to mitigate the harm from the ransomware compromise.

  • Use Volume Shadow Copy Service (VSS) to your advantage

    In case you didn’t know, Shadow Copies represent Microsoft Windows’ feature for file backup. The operating system makes point-in-time snapshots of files over the course of critical updates and the creation of System Restore points. Normally, the Zepto ransom Trojan disables VSS on early stages of the attack, but chances are it fails to.

    Nevertheless, it certainly won’t hurt to try this: for a start, download and install Shadow Explorer app. It is a free solution that displays the file hierarchy in a user-friendly way and automates the process of retrieving the previous versions of files and folders. You can easily export data by right-clicking the object of interest and selecting the corresponding option as shown on the picture below.

    Shadow Explorer

  • Try data recovery software

    These types of solutions were originally designed for forensic purposes as well as to restore the information that was obliterated accidentally or due to hardware failures. Their scope of use has expanded with the emergence of cryptographic infections like Crypt0L0cker. Again, this isn’t a cure-all, but it may help under certain circumstances. So go ahead and download ParetoLogic’s Data Recovery Pro, have your computer scanned for recoverable data and follow the program’s directions to proceed with the file rescue activity.

    Data Recovery Pro

  • Use backups, they’re indispensable

    Nothing beats backups when ransomware attacks your computer. No matter if your files are backed up to an external piece of hardware or a cloud provider, everything can be downloaded back to the machine in a few clicks. Just make sure you have removed the ransomware before retrieving the data, otherwise the crypto routine will repeat.

Prevent ransomware attacks further on

In order to be a moving target for crypto malware like Crypt0L0cker, it’s recommended to patch potentially vulnerable software (Adobe Flash Player, Java) on a regular basis, refrain from opening fishy email attachments, keep macros in Microsoft Office documents disabled, use a dependable antimalware suite, and of course maintain secure backups of the most valuable files.