How to recover files encrypted by CryptoLocker


In the computer world there are viruses that damage our files, software and even the CPU of our computers. CryptoLocker is known as a data encryption Trojan that prevents us from accessing important areas of our PC. That is why we are going to talk about how to recover files encrypted by CryptoLocker.

What is CryptoLocker?

CryptoLocker is a Trojan that belongs to the data hijacking (ransomware) category. This type of virus installs itself on our computer and prevents access to the files it has encrypted.

The creators of this Trojan seek financial gain, since a good sum of money must be paid to decrypt the files. CryptoLocker has become very popular nowadays for this reason. In general, it infects our computer by posing as a legitimate email. The user thinks it is genuine, ends up following the steps, and downloads and runs a file that looks like a PDF.

What can lead us to suspect that it is this Trojan is that the file attached to the email is downloaded as a ZIP, that is, a compressed file, and when the PDF document is opened the system does not ask us for permissions to execute it. Once the file is given permission, the computer crashes and everything becomes a mess.

How to remove CryptoLocker?

To remove this virus we need:

  • Norton Power Eraser, an antivirus program that allows us to eliminate the malware.
  • Malwarebytes Anti-Malware, which helps us get rid of any Trojan remnants left on the computer.
  • EaseUS Data Recovery Wizard, a program that allows us to restore documents that are hidden and those that have been deleted.

TIP: If you notice right away that the virus is invading your computer, disconnect the network connection to prevent a large number of files from being encrypted.

After downloading the aforementioned tools, save the installation files on a pendrive so that you can reboot the system in safe mode with networking.

For computers running Windows 7 and Windows Vista, all you have to do is press the F8 key at boot time so that you can select “Safe mode with networking” with the arrow keys, then press the Enter key to run the option.

CryptoLocker encrypts files by first making a copy of them, encrypting the copy, and then deleting the original.

Decrypt files encrypted by CryptoLocker

Recover files with EaseUS Data Recovery Wizard

The steps to restore files with the EaseUS Data Recovery Wizard in general are:

  1. First, select the infected hard drive and scan it.
  2. Ideally, run a deep and a quick scan so that all the files that were deleted and hidden by the virus are found.
  3. The program offers you a preview option to restore the data.
  4. There is a chance that the program cannot recover the encrypted files. In that case, you must restore the operating system with File History; Shadow Copy is a third-party backup and recovery software.
  5. The other option is to open the properties of the file that has been encrypted and restore it to the previous version.

In Windows 8.1

The procedure in this operating system is usually longer but simple. To get started, hold down the Shift key while clicking Restart. Then click Troubleshoot, then Advanced Options and Startup Settings, and restart the computer.

Once the system boots and the Startup Settings window appears, press the F5 key to boot in safe mode. Connect the pendrive on which you installed the antivirus (Norton Power Eraser) and run it with the administrator permissions it requests. Accept the terms of the antivirus license agreement, then click the Analyze Risks option. A message will now be displayed requesting to restart the computer; accept and restart in safe mode with networking.

Once this is done, the antivirus opens automatically and the scan should start. If it doesn't, click the “Analyze Risks” option again. At the end of the analysis select the Repair Now option. It will be necessary to restart again, but this time the reboot will be normal.

Finally, we must make sure that no CryptoLocker residue remains on our computer. Install Malwarebytes Anti-Malware and scan again. This application ensures that there is no hidden threat, regardless of whether it is another type of virus.

How to recover our encrypted files

Windows Vista and Windows 7

Usually, users of the Windows Vista or Windows 7 operating systems benefit from the option to select older file versions. Usually, when Windows installs an update, it creates a hidden backup of our files and, at the same time, creates a restore point.

Opening the hidden copy of the files is very simple: we just have to open its location. To do this, right-click the drive on which they were found, then click Properties and open the “Previous Versions” tab. There we will find the copy dated before the CryptoLocker infection.

Then a window will appear with all the files unencrypted. Copy what you need, either just a part or all, moving the files to the folders where they are usually found. Remember to follow the instructions provided above; the files are located in the Users folder, under your username.

When you have finished copying all the desired files, go to the folders that have been restored, or type “.encrypted” in the search box. This will show us the files that are encrypted, which we can delete directly.

It should be noted that when using the copies that are created during the installation of Windows updates, both in this process and in the following one for Windows 8.1, we will lose files and modifications made since the shadow copy was created.

Windows 8.1

It is important to know that starting with Windows 8 Microsoft has removed access to the shadow copy as one of the features of the system. Even so, restore points are still kept, so hidden copies of the files on the computer continue to be made.

The difficulty we have in this case is that you have to use a third-party application called Shadow Explorer. CryptoLocker changes the document extensions to “.encrypted”, so you have to delete the extension to be able to recover them.

Editing the file names is usually a bit tricky; Microsoft Insider allows you to do it more easily through a “.bat” script that does it for you. You just have to copy it into each folder where the files are located and run it there.

Then open Shadow Explorer, go to the folders where the files to restore are located, right-click them and click the Export option.

Choose the folder where you want to restore the hidden copy of the files. This can be the original folder where the files with the “.encrypted” extension were found, or any other.

If the original folder is chosen, it will ask if you want to overwrite the files; accept. Repeat this process with the folders and files you want to recover and that's it: your computer will return to normal.
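
An added example, not part of the original article: a read-only Python check to run after restoring from a shadow copy and before deleting the “.encrypted” files found by the search described for both Windows versions above. The “.encrypted” suffix comes from the article; the function names, the magic-byte table and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Leading "magic" bytes of a few common formats (not exhaustive).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
SUFFIX = ".encrypted"  # extension the article says CryptoLocker appends


def looks_intact(path):
    """True/False when the header matches/mismatches the extension; None if unknown."""
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return None
    with path.open("rb") as fh:
        return fh.read(len(magic)) == magic


def plan_cleanup(root):
    """Classify every *.encrypted file under root. Nothing is deleted or renamed."""
    plan = {"safe_to_delete": [], "not_restored": [], "restored_copy_suspect": []}
    for encrypted in Path(root).rglob("*"):
        if not encrypted.is_file() or encrypted.suffix.lower() != SUFFIX:
            continue
        original = encrypted.with_suffix("")  # report.pdf.encrypted -> report.pdf
        if not original.is_file() or original.stat().st_size == 0:
            plan["not_restored"].append(encrypted)
        elif looks_intact(original) is False:
            plan["restored_copy_suspect"].append(encrypted)
        else:
            plan["safe_to_delete"].append(encrypted)
    return plan


def demo():
    """Run plan_cleanup on a constructed sample tree; returns file names per class."""
    junk = b"\x8f\x02\x11\x7a constructed ciphertext"
    samples = {"report.pdf": b"%PDF-1.4 restored", "report.pdf.encrypted": junk,
               "photo.jpg.encrypted": junk,  # no restored copy yet
               "notes.pdf": junk, "notes.pdf.encrypted": junk}  # only renamed
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return {k: sorted(p.name for p in v) for k, v in plan_cleanup(root).items()}


if __name__ == "__main__":
    print(demo())
```

A file listed under restored_copy_suspect has the right name but not the right content, which is what a still-encrypted file looks like once its extension has been removed; keep its “.encrypted” counterpart until a good copy has been exported.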
