Remove CryptoLocker by NTK Ransomware and Restore .powned Files

Remove CryptoLocker by NTK Ransomware and Restore .powned Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article will help you to remove CryptoLocker by NTK ransomware effectively. Follow the ransomware removal instructions at the end of this article.

CryptoLocker by NTK is the name of a ransomware cryptovirus which is still in development. The ransomware looks like to have an implementation of a lockscreen feature. If infection occurs, the CryptoLocker by NTK cryptovirus displays a window with its ransom message that is titled Get P0wn3d.

Threat Summary

NameCryptoLocker by NTK
Short DescriptionThe ransomware is believed to be still in development but can encrypt files and probably has a screenlock function.
SymptomsThe ransomware will display a window containing instructions about payment and will encrypt files while appending the extension .powned.
Distribution MethodStill unknown.
Detection Tool See If Your System Has Been Affected by CryptoLocker by NTK


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss CryptoLocker by NTK.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

CryptoLocker by NTK Ransomware – Update

Update! There is now a decryptor tool for this ransomware! The tool was created by the malware researcher Michael Gillespie and can be downloaded from the following link, wrapped inside a .zip archive: StupidDecrypter.

CryptoLocker by NTK Ransomware – Delivery

As CryptoLocker by NTK ransomware is still in development, it is not known to what tactics its developers will go with, for its delivery. One of the popular ways is with e-mails launched via spam campaigns that contain an attached file with a malicious script inside it. Another way is to spread a payload dropper for the ransomware all over the Internet, featuring Exploit Kits or even social media and file-sharing services. All of those delivery tactics could be combined for maximum effect, although for the moment there is no such thing happening. The ransomware is already being detected by security vendors at the VirusTotal portal:

Check out the ransomware prevention tips written in the forum to see how you can best protect yourself from such infections.

CryptoLocker by NTK Ransomware – Analysis

CryptoLocker by NTK is the name of a ransomware, which is also a cryptovirus. The name has been dubbed by a few malware researchers who have found out that the author of the NTK Ransomware is the same as this one’s. The ransomware is still in development, although it can encrypt files on a computer system with the extension .powned.

CryptoLocker by NTK ransomware might make entries in the Windows Registry aiming to achieve a higher level of persistence. Those registry entries are typically designed in a way that will start the virus automatically with each launch of the Windows Operating System.

The ransom note will appear after the encryption process is finished. The note provides the demands for payment as well as further instructions. At the moment of writing of this article the ransom note is still unfinished. The note of CryptoLocker by NTK opens in a window, which most likely will get developed into a lockscreen feature. You can see that note from the picture below:

That ransom message reads the following:

Tous les fichiers de votre ordinateur on été cryptés par ce virus avec une encryption extrêmement efficace.
Vous ne pouvez dans aucun cas décrypter vos fichiers sauf par un code spécifique.
Pour avoir le code servant à décrypter vos fichiers, contactez moi à ces coordonnées:
Insérez votre code ici:


A rough translation of the ransom message in English, looks like this:

All files on your computer have been encrypted by this virus with extremely efficient encryption.
In no case can you decrypt your files except by a specific code.
To have the code used to decrypt your files, contact me at these coordinates:
Insert your code here:

The criminal who is behind the CryptoLocker by NTK virus has laid out details about payment in the ransom note shown above. The note is not quite finished, and the screen might have a locking feature when the ransomware is completely finished. If you get your PC infected with the malware, you should NOT in any circumstance pay the cybercriminal who is behind it. Nobody could guarantee you that you will get your files recovered.

CryptoLocker by NTK ransomware will most probably seek to encrypt files, which have the following extensions:

→.doc, .docx, .pdf, .db, .jpg, .png, .ppt, .pptx, .txt, .xls, .xlsx

All of the files that become encrypted will receive the extension .powned.

The CryptoLocker by NTK cryptovirus might be modified in the future to delete the Shadow Volume Copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

Remove CryptoLocker by NTK Ransomware and Restore .powned Files

If your computer got infected with the CryptoLocker by NTK ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share