Remove CTB-Faker Ransomware and Restore Locked Files - How to, Technology and PC Security Forum |

Remove CTB-Faker Ransomware and Restore Locked Files


CTB-Faker is ransomware that presents itself as CTB-Locker, but it is only a copycat. What is more, it does not encrypt files at all: it gathers them into a .ZIP archive and locks that archive with a password. The ransomware leaves several different contact details along with different ransom note images. To remove this ransomware and see how you can try to restore your data, read the article in full.

Threat Summary

  • Short Description: The ransomware locks your files and displays a ransom note which imitates the CTB-Locker ransomware. It also gives an email address for contacting the ransomware creators.
  • Symptoms: The ransomware puts files into a .ZIP archive and locks them with a password.
  • Distribution Method: Spam emails, email attachments, file-sharing networks

CTB-Faker Ransomware – Infection

CTB-Faker ransomware is distributed through fake profiles on adult sites. On the fake profile page, there is a link to a supposed password-protected video of a girl doing a striptease. The password is provided right next to the link, so it is easy click-bait for people curious to see such videos. A VBS file then launches a fake error message claiming that your graphics card cannot play the file.


There is also a probability that spam emails spread the infection. Such emails can carry attachments or the same texts with links inside them; opening the link or attachment gets the malicious code onto your computer. Social media networks and file-sharing sites may also be used to distribute the malware. You can avoid infection by being careful and not falling for such suspicious texts and links.

CTB-Faker Ransomware – Information

CTB-Faker is ransomware dubbed so for two reasons: it uses a ransom note very similar to the original CTB-Locker's, and it does not actually encrypt files. Instead, it puts all files inside a .ZIP archive and locks them with a password. Read on to see how you might get your files back.

Before locking files in the archive, CTB-Faker is going to create these files:

  • C:\ProgramData\7zxa.dll
  • C:\ProgramData\Default.SFX
  • C:\ProgramData\Descript.ion
  • C:\ProgramData\Rar.exe
  • C:\ProgramData\RarExt.dll
  • C:\ProgramData\RarExt64.dll
  • C:\ProgramData\RarFiles.lst
  • C:\ProgramData\UNACEV2.DLL
  • C:\ProgramData\UnRAR.exe
  • C:\ProgramData\Uninstall.lst
  • C:\ProgramData\WinCon.SFX
  • C:\ProgramData\WinRAR.exe
  • C:\ProgramData\Zip.SFX
  • C:\ProgramData\archiver.bat
  • C:\ProgramData\archiver.vbs
  • C:\ProgramData\copy.bat
  • C:\ProgramData\copy.vbs
  • C:\ProgramData\help.exe
  • C:\ProgramData\rarnew.dat
  • C:\ProgramData\restore.exe
  • C:\ProgramData\startup.exe
  • C:\ProgramData\startup.vbs
  • C:\ProgramData\untitled.png
  • C:\ProgramData\untitled.vbs
  • C:\ProgramData\zipnew.dat

Then, the following entry in the Windows Registry is going to be created:

→HKCU\Software\Microsoft\Windows\CurrentVersion\Run\help.exe C:\ProgramData\help.exe

After the files are locked within the .ZIP file, the CTB-Faker ransomware creates a ransom note in the following locations:

  • C:\ProgramData\index.html
  • C:\ProgramData\your personal files are encrypted.txt
  • C:\your personal files are encrypted.txt
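The dropped files, the ransom notes and the Run value above are enough for a quick read-only triage. The following script is an added example, not code from the original article: it checks those locations, reports what it finds and removes nothing. The registry lookup only runs on Windows; the `demo()` function builds a constructed sample directory so the file check can be exercised on any platform.

```python
"""Read-only triage for the CTB-Faker artifacts listed above.

Added example; it is not code from the original article. It checks the
dropped-file paths, the ransom note locations and the HKCU Run value named in
the article, and removes nothing. demo() builds a constructed sample directory
so the check can be exercised on any platform.
"""
import sys
import tempfile
from pathlib import Path

# Dropped files named in the article, relative to C:\ProgramData.
DROPPED_FILES = [
    "7zxa.dll", "Default.SFX", "Descript.ion", "Rar.exe", "RarExt.dll",
    "RarExt64.dll", "RarFiles.lst", "UNACEV2.DLL", "UnRAR.exe",
    "Uninstall.lst", "WinCon.SFX", "WinRAR.exe", "Zip.SFX", "archiver.bat",
    "archiver.vbs", "copy.bat", "copy.vbs", "help.exe", "rarnew.dat",
    "restore.exe", "startup.exe", "startup.vbs", "untitled.png",
    "untitled.vbs", "zipnew.dat",
]
NOTE_NAME = "your personal files are encrypted.txt"
PROGRAMDATA_NOTES = ["index.html", NOTE_NAME]
# Persistence entry from the article.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "help.exe"
RUN_DATA = r"C:\ProgramData\help.exe"


def find_dropped_files(program_data):
    """Return, sorted, the known artifact names that exist under program_data."""
    base = Path(program_data)
    return sorted(n for n in DROPPED_FILES + PROGRAMDATA_NOTES if (base / n).is_file())


def read_run_value():
    """Return the data of the HKCU Run value 'help.exe', or None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            data, _ = winreg.QueryValueEx(key, RUN_VALUE)
            return data
    except FileNotFoundError:
        return None


def triage(program_data=r"C:\ProgramData", system_drive="C:\\"):
    """Collect the indicators into a dict; 'likely_infected' is True on any hit."""
    hits = find_dropped_files(program_data)
    root_note = (Path(system_drive) / NOTE_NAME).is_file()
    run_data = read_run_value()
    run_hit = run_data is not None and run_data.strip('"').lower() == RUN_DATA.lower()
    return {
        "dropped_files": hits,
        "root_ransom_note": root_note,
        "run_key_hit": run_hit,
        "likely_infected": bool(hits) or root_note or run_hit,
    }


def demo():
    """Constructed sample: a fake ProgramData with four of the artifacts and a root note."""
    with tempfile.TemporaryDirectory() as tmp:
        pd = Path(tmp) / "ProgramData"
        pd.mkdir()
        for name in ("help.exe", "startup.vbs", "copy.vbs", "index.html"):
            (pd / name).write_bytes(b"constructed placeholder")
        (Path(tmp) / NOTE_NAME).write_text("constructed ransom note")
        return triage(program_data=pd, system_drive=tmp)


if __name__ == "__main__":
    print(demo())
```

On a real machine, call `triage()` with its defaults; a non-empty `dropped_files` list or a Run value pointing at `C:\ProgramData\help.exe` is the signal to follow the removal steps at the end of the article.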

You can see one of the pictures with the ransom note below:


In written form the note reads:

Your personal files are encrypted by CTB-Locker
Your documents, photos, softwares and all other important files have been encrypted with a strong encryption (SHA-512) and unique key (RSA-4096), generated for this computer.
Private decryption key is stored on a secret internet server and nobody can decrypt your files until you pay US$50 and get the private key.
You only have 7 days to submit the US$50 of payment. If you do not send the money within the provided time the price will raise to US$100.
Press ‘Decrypt’ to recover your files that have been encrypted after you pay for the unique key password.
Press ‘Internet’ to pay for the unique key password. You can use other computer or smartphone too.
Send 0.08686 bitcoin (US$50) to 1NgrUc748vG5HerFoK3Tkkb1bHjS7T2w5J
After you pay 0.08686 bitcoin send a e-mail to [email protected](.)org with your transaction ID and I will send your private key password. If you have any doubt you can contact this e-mail too.

Warning: Do not try to get rid of the program by yourself. Any action taken will result in decryption key being destroyed. You will lose your files forever. The only way to recover your files is pay for the key.

The e-mails used for contacting the malware makers are these:

Contacting the CTB-Faker owners is inadvisable, as paying the ransom gives no guarantee that you will recover your files. Furthermore, there may be ways to try to restore your files without further consequences. Continue reading to the end of the article to find them out.

The CTB-Faker ransomware claims to use a very strong RSA 4096-bit cipher with a SHA-512 algorithm, but that is not true: SHA-512 is a hash function, not an encryption cipher, and the files are never encrypted at all. The file extensions which the ransomware locks are the following:

→.exe, .msi, .dll, .jpg, .jpeg, .bmp, .gif, .png, .psd, .mp3, .wav, .mp4, .avi, .zip, .rar, .iso, .7z, .cab, .dat, .data

Every file with an extension listed above is moved into a .ZIP archive and locked there, instead of each file being encrypted. CTB-Faker is actually a WinRAR SFX file which drops a number of executables and batch files on your computer.
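Because the files are archived rather than encrypted, the archive itself is worth inspecting before anything else. The script below is an added example, not code from the article: classic ZIP password protection (ZipCrypto, what "locked with a password" normally means) encrypts only entry contents, so the names, sizes and the per-entry encryption flag in the central directory remain readable without the password, and a victim can at least inventory what was taken. The archive used here is constructed and left unencrypted, because the standard library can read but not write encrypted archives; the name and location of the real archive are not given in the article and are treated as placeholders.

```python
"""Inspect the password-locked .ZIP that CTB-Faker leaves behind.

Added example; not code from the article. ZipCrypto encrypts only entry
contents, so names, sizes and the encryption flag are readable without the
password. The archive below is constructed here and left unencrypted (the
standard library cannot write encrypted ZIPs); the real archive's name and
location are placeholders, since the article does not give them.
"""
import io
import tempfile
import zipfile
from pathlib import Path

# Extensions the article says CTB-Faker moves into the archive.
TARGET_EXTENSIONS = {
    ".exe", ".msi", ".dll", ".jpg", ".jpeg", ".bmp", ".gif", ".png", ".psd",
    ".mp3", ".wav", ".mp4", ".avi", ".zip", ".rar", ".iso", ".7z", ".cab",
    ".dat", ".data",
}


def inventory(zip_bytes):
    """List (name, uncompressed size, encrypted?) for each entry; needs no password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # General-purpose bit 0 marks an entry as encrypted.
        return [(i.filename, i.file_size, bool(i.flag_bits & 0x1)) for i in zf.infolist()]


def targeted_entries(entries):
    """Keep the entries whose extension is on CTB-Faker's list."""
    return [e for e in entries if Path(e[0]).suffix.lower() in TARGET_EXTENSIONS]


def try_extract(zip_bytes, dest, password=None):
    """Extract to dest; return False instead of raising if the password is missing or wrong."""
    pwd = password.encode() if password is not None else None
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            zf.extractall(dest, pwd=pwd)
            return True
        except RuntimeError:  # zipfile reports "Bad password" / "password required" this way
            return False


def build_sample_archive():
    """Constructed sample archive: two targeted files and one bystander."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photos/holiday.jpg", b"\xff\xd8\xff" + b"\x00" * 100)
        zf.writestr("music/track.mp3", b"ID3" + b"\x00" * 50)
        zf.writestr("notes/todo.txt", b"not on the extension list")
    return buf.getvalue()


def demo_extract():
    """Extract the constructed archive into a temp dir and return the file names found."""
    data = build_sample_archive()
    with tempfile.TemporaryDirectory() as tmp:
        ok = try_extract(data, tmp)
        names = sorted(p.name for p in Path(tmp).rglob("*") if p.is_file())
    return ok, names


if __name__ == "__main__":
    for name, size, enc in inventory(build_sample_archive()):
        print(f"{name:24} {size:6d} bytes  encrypted={enc}")
```

Against the real archive, read its bytes into `inventory()` to see the list of locked files and confirm the `encrypted` flag; `try_extract()` returns `False` on a wrong or missing password rather than crashing, which keeps a recovery script from aborting halfway through a batch of archives.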

Moving the files takes up CPU resources, so it can be heavy on your system: you may notice a high load and a slow computer while this is going on. Restarting the PC at that point can be a good idea, because it interrupts the process.

CTB-Faker ransomware is not reported to erase the Shadow Volume Copies in Windows, and it probably does not need to. If no files are deleted from your system, shadow copies may not help you.

Remove CTB-Faker Ransomware and Restore Locked Files

If your computer is infected with the CTB-Faker ransomware, you should have some experience in removing malware. Once you have seen how to get your data back, get rid of the ransomware. See the step-by-step instructions provided below for more information.
Also, do not forget to see the tips on our forum topic about preventing ransomware infections.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
