Remove Cryptolocker Ransomware Virus ( Update April 2017 )

Remove CryptoLocker Ransomware Virus

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article is created to help you remove CryptoLocker ransomware and restore files encrypted by it’s variants(.cryptolocker, .powned and other encrypted files)

Ever since the original CryptoLocker caused quite a stir back three years ago, the ransomware virus has been the source for many variations of it and updated versions that have continued to infect users in 2017. Even though law enforcement agencies have continued to taken down this ransomware virus in an operation, called Tovar, cyber-criminal groups have created multiple copycats and updated the original virus as well. Cryptolocker 2017 is the latest updated version of the virus and features the utilization of the RSA-2048 encryption algorithm which generates a unique encryption key for each encrypted file. And just like the other versions, we see the message demanding 0.5-1.5 BitCoins to be paid to get the files back. In case you have been infected by the Cryptolocker 2017 infection, we recommend reading this article to learn how to remove this virus and restore files encrypted by it.

Threat Summary



Short DescriptionCryptoLocker 2017 encrypts the files on compromised computers, asking a ransom of 0.5 up to 1.5 BTC ransom payoff.

SymptomsThe user witnesses the CryptoLocker ransom note (image above) along with instructions and e-mail contacts (,,,,, and of the cyber-criminals.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by CryptoLocker


Malware Removal Tool

User ExperienceJoin our forum to Discuss CryptoLocker.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

CryptoLocker 2017 Virus – How Does It Spread

Behind the infection process of CryptoLocker 2017 lies a sophisticated network of spammers who spread the ransomware using different tactics. Usually, in terms of software used, the crooks take advantage of JavaScript that is malicious or attacks via Exploit Kits, reprogrammed to download the virus’s payload on the compromised computer.

Such tactics may be employed in combination with malicious files that are uploaded on Dropbox accounts as SFX (Self-Extracting archives) or other types of files. In addition to this, the CryptoLocker 2017 virus may also utilize fake program installers, game patching software or programs that are related to patching or licensing software. Such are usually posted on suspicious websites or uploaded via compromised Torrent sites.

In addition to this, the CryptoLocker 2017 virus may also be spread in archives uploaded in e-mail spam messages that aim to convince the user into opening the attachment. Such is also possible, if web links, linking to Dropbox accounts are embedded within the e-mails. The convincing messages may be of different types, as criminals have pre-written spam templates they send out massively, for example:

  • “Your PayPal Receipt.”
  • “Your eBay order has been confirmed.”
  • “Open the attachment to see your new credit card number.”
  • “Your account has been suspended.”

Once these e-mails are sent and the victim believes the statements in them and opens the attachment, he becomes infected with a loader or a dropper that is obfuscated. This obfuscated program may connect to a remote cyber-criminal server and download the payload of Cryptolocker 2017. The payload may consist of the following malicious files being created:

→ %AppData%\WinDsk\windsk.exe or sysras.exe

From there, the malicious activity of CryptoLocker 2017 begins.

CryptoLocker 2017 Ransomware – Malicious Activity

The malicious activity of CryptoLocker is to insert code in legitimate Windows processes and files responsible for the Windows Registry editor. This is due to the fact that CryptoLocker ransomware controls the regedit.exe to modify the following subkey adding a custom value in it:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ with an added value string – “wincl” = “{location to the malicious executable}”

In addition to this, the virus may have been updated to delete the Shadow Copies of the infected computer and disable system recovery via the bcedit and vssadmin commands:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

In addition to those, the virus may have also adopted some of the activity from it’s many copycats and versions, which you can find on the related article below:

CryptoLocker 2017 – Encryption Process

For the encryption process of CryptoLocker ransomware, different types mechanisms are utilized. For starters, the virus uses the XOR encryption cipher which works on the following encryption formula:

For the encryption process, CryptoLocker does not attack many file types, but instead is focused only on important documents, like PDF files, presentations, documents and Adobe Photoshop files. The files for which CryptoLocker ransomware scans for to encrypt are reported to be the following:

→ .3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .h, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx

After the encryption process is complete, the ransomware renders the files on the compromised computer no longer able to be opened and leaves behind it’s ransom note where it’s demands are stated:

“Support e-mail:
Your personal files encryption produced on this computer: photos, videos, documents, etc.
Encryption was produced using a unique public key RSA-2048 generated for this computer.
To decrypt files you need to obtain the private key.
The singe copy of the private key, which will allow to decrypt the files,
Located on a secret server on the Internetl the server will destroy the key after XX hours.
After that nobody and never will be able to restore files
To obtain the private ke for this computer you need to pay XX Bitcoin (~XX USD)
Your Bitcoin address:
{Address key}
You must send XX Bitcoin to the specified address and report it to e-mail customer support.
In the letter must specify your Bitcoin address to which the payment was made.”

Whatever the case may be, reccomendations are always not to pay any ransom and backup the encrypted files and look for alternative solutions, like the ones below.

Remove CryptoLocker Virus and Restore Encrypted Files

Before beginning the removal process of CryptoLocker ransomware, we recommend you to focus on backing up the malicious files of this ransomware infection prior to performing the removal.

For an effective and successful removal to take place, we advise following the removal instructions posted at the end of this article. They are specifically designed to help you isolate CryptoLocker before hunting down the files. In case manual removal may be a challenge and you feel unsure, experts always advise removing CryptoLocker automatically. The best way to do this is by using a particular anti-malware software which automatically removes all objects related to CryptoLocker from your computer.

File Recovery

In case you have been infected by the PClock variant of Cryptolocker, make sure to use the Emsisoft Decrypter for PClock available on their web page. But beware, because CryptoLocker 2017 may look the same as PClock at first glance. This is why we recommend trying this decryption method only after you have created copies of the encrypted files.

The same goes if it doesn’t work and you try the alternative methods which we have also suggested in step “2. Restore files encrypted by CryptoLocker” below. They are not 100% effective, but with their aid, you may restore a great portion of your encrypted files.

If you have been infected by another version of CryptoLocker 2017 ransomware, you can also check FireEye’s webpage for more information.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share