Remove Trojan.Cryptolocker.AA and Restore .LOCKED Files - How to, Technology and PC Security Forum |

Remove Trojan.Cryptolocker.AA and Restore .LOCKED Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

TypeRansomware, Trojan
Short DescriptionTrojan.Cryptolocker.AA locks the user’s important files and demands a payment. From the CryptoLocker family of ransomware
SymptomsFiles are locked in a ‘.LOCKED’ file format and a ransom message is displayed. Payment instructions are included in a file.
Distribution MethodDistribution method is not clear yet. It may be distributed via unsafe browsing, corrupted attachments, drive-by downloads, malicious apps, etc.
Detection toolDownload Advanced anti-malware tool, to See If Your System Has Been Affected By Trojan.Cryptolocker.AA
User ExperienceJoin our forum to follow the discussion about Trojan.Cryptolocker.AA.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.


A new ransomware, variant of the notorious CryptoLocker family of Trojans has appeared on the security radar of online threat researchers. It involves the encryption of the user’s important files on his computer after which leaves a ransom note with instructions about how to pay for their unlocking. Even though security experts classify this trojan horse as a low-level type of threat, it can still do damage to your valuable information, this is why a proper anti-malware protection is always good to have around.

Trojan.Cryptolocker.AA – How Did I Get Infected?

One particular strategy cyber criminals use to spread out this trojan is spam email campaigns. They may pose as someone important sending you a business proposition or a company claiming you have won a prize. Some cyber-criminals with higher programming skills and deeper pockets even use spoof mailing software when they make targeted attacks for one machine or several devices on a network. Such spoof emails may be exactly the same as someone inside the network, who is familiar to the user, like a family member, a boss or anybody in his friends/contacts list.

Another method of spreading is by being redirected to a malicious site that downloads the malware as a form of a java or flash player plugin update on the user PC. This is very common for bot viruses on social networks that post videos prompting to download a plugin from an external domain. You can also be redirected if you have a PUP (Potentially Unwanted Program) on your computer.

Trojan.Cryptolocker.AA In Detail

According to Symantec’s report, once activated, this particular trojan may scan for files of the following formats and use different algorithms to prioritize them (ex. how often they are opened by the user, etc.):

→‘.txt .jpg .jpe .gif .png .jpeg .avi .pdf .mp3 .mp4 .ppt .pptx .xls .xlsx .QBB .QBW .QDB .doc .docx .docm .zip .rar .7z .wps .php .ssh .key .psd .tc .dwg .wpd .rtf .raw .pst .wmv .mpeg .mpg .mov .m4v .mkv .vhd .vmdk .vdi .vbox’

After it has selected its targets, this trojan then carefully encrypts them and puts a .LOCKED extension on them, making them inaccessible or ‘corrupt’.

After the user’s files have been ‘.LOCKED’, this Trojan then drops a ransom note in the following Windows directory:


This Trojan horse is also able to collect information about the machine’s type and other info and sent it over to the host’s domain.

Removing Trojan.Cryptolocker.AA from PC

To remove a trojan horse from the computer, you should have at least minimal experience in removing viruses. It is recommended first to back up all the data, both encrypted and non-encrypted that is of relevance to you on an external drive. Then, you should follow these instructions:

1. Start Your PC in Safe Mode to Remove Trojan.Cryptolocker.AA.

For Windows XP, Vista, 7 systems:

1. Remove all CDs and DVDs, and then Restart your PC from the “Start” menu.
2. Select one of the two options provided below:

For PCs with a single operating system: Press “F8” repeatedly after the first boot screen shows up during the restart of your computer. In case the Windows logo appears on the screen, you have to repeat the same task again.


For PCs with multiple operating systems: Тhe arrow keys will help you select the operating system you prefer to start in Safe Mode. Press “F8” just as described for a single operating system.


3. As the “Advanced Boot Options” screen appears, select the Safe Mode option you want using the arrow keys. As you make your selection, press “Enter“.

4. Log on to your computer using your administrator account


While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.

For Windows 8, 8.1 and 10 systems:
Step 1: Open the Start Menu
Windows-10-0 (1)
Step 2: Whilst holding down Shift button, click on Power and then click on Restart.
Step 3: After reboot, the aftermentioned menu will appear. From there you should choose Troubleshoot.
Step 4: You will see the Troubleshoot menu. From this menu you can choose Advanced Options.
Windows-10-2 (1)
Step 5: After the Advanced Options menu appears, click on Startup Settings.
Windows-10-3 (1)
Step 6: Click on Restart.
Windows-10-5 (1)
Step 7: A menu will appear upon reboot. You should choose Safe Mode by pressing its corresponding number and the machine will restart.

2. Remove Trojan.Cryptolocker.AA automatically by downloading an advanced anti-malware program.

To clean your computer you should download an updated anti-malware program on a safe PC and then install it on the affected computer in offline mode. After that you should boot into safe mode and scan your computer to remove all Trojan.Cryptolocker.AA associated objects.

NOTE! Substantial notification about the Trojan.Cryptolocker.AA threat: Manual removal of Trojan.Cryptolocker.AA requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Restore .LOCKED Files

There are several ways to restore encrypted files, depending on the algorithm used by the ransomware. Since this trojan may be from the CryptoLocker family, it most likely employs RSA encryption algorithm.

One way is to use a decryption program for Windows. For more information, check this article.

Another way to decrypt your files is to find the key using software for Ubuntu, called Python and to decrypt it with the cado-nfs program. This is a bit tech-savvy and more costly but is worth a try. If you want to learn how to do it, click here.

IMPORTANT: Bear in mind that if the encryption is stronger (for example above 512 bit) your chances automatically dim down to almost impossible to decrypt. The decryption time may vary from few hours to days and even weeks and months to complete depending on the encryption’s strength.

How To Protect Yourself In the Future?

We have decided to include few friendly advises on protecting yourself from malware and in the future reduce cyber attacks drastically.

Tips to protect yourself from CryptoLocker Trojans

Follow these:

  • Make sure to use additional firewall protection. Downloading a second firewall (like ZoneAlarm(HLL) for example) is an excellent solution for any potential intrusions.
  • Make sure that your programs have less administrative power over what they read and write on your computer. Make them prompt you admin access before starting.
  • Use stronger passwords. Stronger passwords (preferably ones that are not words) are harder to crack by several methods, including brute forcing since it includes pass lists with relevant words.
  • Turn off AutoPlay. This protects your computer from malicious executable files on USB sticks or other external memory carriers that are immediately inserted into it.
  • Disable File Sharing – it is recommended if you need file sharing between your computer to make it password protect it to restrict the threat only to yourself if infected.
  • Switch off any remote services – this can be devastating for business networks since it can cause a lot of damage on a massive scale.
  • If you see a service or a process that is external and not Windows critical and is being exploited by hackers (Like Flash Player) disable it until there is an update that fixes the exploit.
  • Make sure always to update the critical security patches for your software and OS.
  • Configure your mail server to block out and delete suspicious file attachment containing emails.
  • If you have a compromised computer in your network, make sure to isolate immediately it by powering it off and disconnecting it by hand from the network.
  • Make sure to educate all of the users on the network never to open suspicious file attachments, show them examples.
  • Employ a virus-scanning extension in your browser that will scan all the downloaded files on your computer.
  • Turn off any non-needed wireless services, like Infrared ports or Bluetooth – hackers love to use them to exploit devices. In case you use Bluetooth, make sure that you monitor all of the unauthorized devices that prompt you to pair with them and decline and investigate any suspicious ones.
  • Employ a virus-scanning extension in your browser that will scan all the downloaded files on your computer.
  • Employ a powerful anti-malware solution to protect yourself from any future threats automatically.

Also, security engineers recommend that you back up your files immediately, preferably on an external memory carrier in order to be able to restore them. In order to protect yourself from Trojan.Cryptolocker.AA (For Windows Users) please follow these simple instructions:

For Windows 7 and earlier:

1-Click on Windows Start Menu
2-Type Backup And Restore
3-Open it and click on Set Up Backup
4-A window will appear asking you where to set up backup. You should have a flash drive or an external hard drive. Mark it by clicking on it with your mouse then click on Next.
5-On the next window, the system will ask you what do you want to backup. Choose the ‘Let Me Choose’ option and then click on Next.
6-Click on ‘Save settings and run backup’ on the next window in order to protect your files from possible attacks by Trojan.Cryptolocker.AA.

For Windows 8, 8.1 and 10:

1-Press Windows button + R
2-In the window type ‘filehistory’ and press Enter
3-A File History window will appear. Click on ‘Configure file history settings’
4-The configuration menu for File History will appear. Click on ‘Turn On’. After its on, click on Select Drive in order to select the backup drive. It is recommended to choose an external HDD, SSD or a USB stick whose memory capacity is corresponding to the size of the files you want to backup.
5-Select the drive then click on ‘Ok’ in order to set up file backup and protect yourself from Trojan.Cryptolocker.AA.

Enabling Windows Defense Feature:

1- Press Windows button + R keys.
2- A run windows should appear. In it type ‘sysdm.cpl’ and then click on Run.
3- A System Properties windows should appear. In it choose System Protection.
5- Click on Turn on system protection and select the size on the hard disk you want to utilize for system protection.
6- Click on Ok and you should see an indication in Protection settings that the protection from Trojan.Cryptolocker.AA is on.
Restoring a file via Windows Defense feature:
1-Right-click on the encrypted file, then choose Properties.
2-Click on the Previous Versions tab and then mark the last version of the file.
3-Click on Apply and Ok and the file encrypted by Trojan.Cryptolocker.AA should be restored.


Spy Hunter FREE scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the malware tool. Find Out More About SpyHunter Anti-Malware Tool


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share