CTB Locker ransomware virus. What is CTB Locker or Critroni?

CTB Locker ransomware virus known as Critroni, released in mid july 2014 and renewed at the beginning of 2015 is encrypting ransomware that thetans all versions of Windows. After attack, this virus ask a demand of 3BTC (bitcoin) equivalent to about 600$, 700$ depending on bitcoin value to recover access back to their files. CBT Locker will provide victims “free decryption” service, payment time limit up to 96 hours and option that allows different language of the ransom message which are Dutch, German, Italian and English. Called “Test Decryption” CBT Locker virus will allows victims to select five different files for a free decryption convincing users that this is not fake. Just like any other file encrypting malware, CTB Locker continues to use CryptoLocker developed by a different group.

Anti exploit tool blocks this attack successfully:

CTB Locker

Once infected with the CTB Locker, the malware virus will hide itself in the %Temp% behind random named folder and change every time you reboot your computer. It then creates a hidden Task Schedule that triggers the malware every time you login. It will than scan victims storage devices for data files and and encrypt them. Unfortunately, before CTB Locker show its notification massages about encrypted files, the virus can not be noticed. Furthermore, wallpaper to will change substituting original desktop background with %MyDocuments%\AllFilesAreLocked <userid>.bmp file, with more instructiosn on how to pay the ransom. Victims of CTB Locker will also notice the appearance of %MyDocuments%\DecryptAllFiles<user_id>.txt and %MyDocuments%\<random>.html with step by step guide of how to pay the ransom and how to access the malware’s site. Cyber criminals are very good of leaving no trace and it no different with the authors of CTB Locker. Rather than being online this virus communicate with its Command & Control Server directly via TOR, which makes it more difficult to be located.

Infected with CTB Locker or Critroni, the virus will encrypt your data or files and then rename them adding the file extension to .CTBL or .CTB2 for the old older versions. However ransomware viruses are coming back with new and different extension such as .ftelhdd or .ztswgmc. According to many there is no way to decrypt such files unless paying the ransom. If you somehow discover the appearance of CTB Locker ransomware virus immediately scan your computer useing any type of anti-malware software to remove the virus.

As mentioned above CBT Locker will provide victims with “free decryption” service called “Test Decryption”. This will allow victims to select five different files for a free decryption, demonstrating that the developers of the malware can and will restore your files. This service you can use for your most precious files.


Typical for ransomware infection is the limit of time provided. CTB Locker virus time limit is up to 96 hours to pay the ransom or lose files forever. This really puts very high stress level for victims a lot of pressure especially for those who are not familiar with bitcoin and low computer skills. However users can still pay the ransom through their TOR site. When the timers over the program will be closed and virus removed. To access the CTB Locker decryption site you have to you have to follow the rules into DecryptAllFiles.txt file.


CTB Locker attack Websites

In beginning of 2016 was the CTB Locker new released variant that threatened to encrypts websites. Behind the name “CTB Locker for websites” hackers replaces the site’s sitemap_index.php with a malicious substitute, which encrypts the sites data using AES-256 encryption algorithm and demand 0.4BTC to get decryption key. It will also change the homepage with one that contains information of current situation and how to perform a ransom payment.

  • Name – CTB Locker Malware
  • Type Spamming – Malware, Ransomware, Trojan Horse
  • Danger Level – High
  • Brief Description – Encrypt files and demand ransom.
  • Symptoms – Poor pc performance or freezing, ransom massages.
  • Method – Via Trojan Horse or spam email.

Now that you have been infected you have a few options:

Many suggest that you simply pay and hope that you will get all off your data back. However in this case you risk losing money and still being stuck with crypted files. We do not recommend this way simply because you will support the work of hackers and the more money thay get the stronger they will become.

The best option for you is if you have a backup, wipe your hard drive and perform system restore.

Use any type of anti malware software to remove CTB Locker virus.

NOTE: In this option the virus will be removed but the files will remain locked! You have to decrypt your files.

New research discovery shows how ransomware deletes files and substitute encrypted copy of them. It is not guaranteed, but it is a possibility that you may recover your files with data recovery software. Before trying to decrypt any files you can scan your computer for posible data loss.

Go here to find out how to recover deleted files.

How to remove “CTB Locker ransomware virus”

Short guide:

  1. Login as administrator.
  2. Go to control panel and uninstall any suspicious software.
  3. Use any type of anti malware software to remove CTB Locker virus.
  4. Decrypt CTB Locker files.
  5. Delete all temporary files from disk cleanup.
  6. Restart your computer.

Note: Removing CTB Locker ransomware virus manually could be very risky and unpredictable!

Step by step how to remove “CTB Locker virus”

Manual steps to remove ransomware or malware. How to prevent ransomware or malware.

For now, removing ransomware or malware manually will only be able for IT specialists. If you don't know one don't worry. We have a solution for you. Over here we will use Spyhunter to remove the virus. The Spyhunter anti-malware is a collection of programs that can be used to scan for malware and clean infected computers. You can also use full anti-malware program in this case which is the better option because it also offers protection.

How to remove "ransomware or malware"

NOTE: In this option the virus will be removed but the files will remain locked! You have to decrypt your files.
  1. Download Spyhunter anti-malware.
  1. 2.  After program has been downloaded, double-click to open it. User will have to install the program. Click on Spyhunter.exe to start the process.
User Account Control dialog may appear, asking you to allow the following program to make changes to this computer. Click "Yes" or "Run" to proceed with the installation. User can also choose variety of languages. Click Ok and the installation will begin with a welcome massage for Spyhunter. Click Next to continue to the next step. User will also have to accept Spyhunter license agreement by clicking on "I accept the agreement" and click Next. Spyhunter will ask user to read important information provided before continuing. Once done click on next to go to the next step. User can choose where to install the program. By default - C:Program FilesEnigma Software GroupSpyHunter. The process will continue and then Spyhunter will install. The installation process may take awhile, depending on a computer system performance. Once the installation is done, click Finish.
  1. 3. Update the software before scanning. Once program has been updated go to scan. You can choose from a free trial version or activate license. It is recommended to buy full version as the trial will not protect computer system.
  1. 4. The scan process will begin. The scan process may take awhile, depending on a computer system performance.
  1. 5. Once the scan is complete you can choose between delete or quarantine the viruses. The quarantine option is recommended and since the malware is active a reboot will be required to finish process.

Click here for guide of how to uninstall spyhunter.

Decrypt ransomware files.

Good news is that we can now use decryption programs. A lot of security companies like Kasperky lab, bitdefender and more has developed a program that is fully capable of decryption key for ransomware malware. You can find this programs anywhere on the internet but it is strongly suggested to download this programs from official websites. NOTE: It may take a long time for your files to be decrypted depending on your PC performance.