Crypto Locker Virus Can Encrypt Your Files, How To Recover Your Files


Beware the Crypto Locker Cryptovirus, It Can Encrypt All Your Data and Lock You Out of Your Computer


The dreaded Crypto Locker cryptovirus is a ransomware that you will want to try to avoid at all costs; it encrypts your data and requires that you pay a ransom. This ransom is usually for $300 via MoneyPak or Bitcoins, and must be paid to the cybercriminals before receiving a key to decrypt the data files. Discovered exclusively by Kaspersky, the Trojan family was said to have been circulating across its country of origin, Russia, from the early months of this year.



The Crypto Locker ransomware is estimated to have targeted nearly 1 million computers in the past month and it can be particularly devastating because the hackers have created encryption algorithms that encrypt your files when you remove the virus.  There are other variations of this malware that display fake warnings and do not properly encrypt the data files, but the Crypto Locker is the real thing. The victim is forced to pay the malware creator a sum of money to receive a key to unlock the data.  The obvious way to avoid a situation like this is to always have a back up of your important data. However a few of us live dangerously and risk the possibility of data loss with no back up.



Data Protection



The Crypto Locker can potentially render all your personal and business files inaccessible as a result of the cryptographic algorithms engineered by the hackers. Fortunately as of right now this malware does not currently target Macs. However, another dangerous aspect of this particular variant is that it can move between user accounts and in mapped drive environments. When this malware attacks it has a real timer ticking towards the demise of your data and you will have only three options:

  • Pay the ransom in hopes that the hackers will start to decrypt your data (this option is not recommended)
  • Restore your files from a backup (if you have one)
  • Use Volume Shadow Copy or System Restore in Windows 7 & Vista With ShadowExplorer



This variety of ransomware typically spreads through malicious email attachments and downloads from infected web sites disguised as software updates or pop up advertisements. Upon opening one of these infected email attachments or if you accidentally download it from a malicious website, this virus will immediately start encrypting all of your files and you will see a message pop up such as this one:

“Your personal files have been encrypted and you have 95 hours to pay us $300.”



Computer Virus Protection


This type of ransomware is not a new occurrence and there have been different forms of this kind of malware in circulation since 1989. Recently however Internet security companies report that there is a sharp increase in the number of computers affected by this cryptovirus, with businesses and companies being targeted as often as individual users. [1]  There are many ways this malicious software can infiltrate your computer system, one version comes hidden in an email attachment that warns of a customer complaint, another variety will attach the virus to an email with an official sounding subject such as: “Authorization to Sue Privately Owned Vehicle on State Business”, that supposedly came from a well known enterprise such as Xerox.



Email Virus

The reports are grim if you have contracted Crypto Locker, even if you have a back up of your files. If your data storage device was connected to your computer during the time of infection you may not be able to recover the files on it. Similarly, since Crypto Locker can move through a mapped drive network, all the files in a shared network stored on separate physical drives connected at the time of the attack can also become encrypted and inaccessible.



angry at computer virus


Additionally, while the Crypto Locker encryption will not longer allow you to open, read or view your files, anyone with the decryption key can easily access your data. This means the hackers can potentially have access to all of your passwords and personal information, including your photos and videos. Currently there is no evidence of these encrypted files being uploaded or sold for this purpose but it is definitely possible.


Most antivirus programs can detect this ransomware trojan but they cannot recover the encrypted files. Symantec reports that about 3% of people who get this cryptovirus pay the hackers in hopes of getting their data back.[2] But this is not a good idea, there are no guarantees they will send you the key to decrypt your data, and it is possible they may try to extort you again.



decryption key for cryptolocker

The users that have reported to paying the ransom to decrypt the files say it actually does work. The process may take up to 48 hours or more to complete the decryption but for now you will get your data back. If you plan on paying the ransom, be careful to type the code correctly because entering an incorrect payment code will decrease the amount of time you have available to decrypt your files. If the code is entered without any problems, the decryption will start.


There is one possible way to recover the encrypted files if you have been infected with this malware.  This method is not a guaranteed fix to recover your encrypted files but it may be possible to get some of your data back.  You can use Volume Shadow Copy in Windows 7 and Vista to recover the snapshots this service creates of your data.



Shadow Volume Copy is part of the OS for Vista and Windows 7 and it is the back-end of the System Restore feature, which can restore your system files to a previous state in case of a system failure such as when a driver fails or software installation goes awry. Right, so everyone already knows about System Restore.


But…Volume Shadow Copy on the other hand actually keeps snapshots of entire volumes. The default setting is to take and store snapshots your system volume (C:) and protect all the data on that volume, including your system files, program files, user settings, documents, photos, music etc.[3]


happy computer

[1] Ferguson, D. (2013, October 18) CryptoLocker Attacks That Hold Your Computer to Ransom. Retrieved October 19, 2013, from
[2] Ferguson, D. (2013, October 18) CryptoLocker Attacks That Hold Your Computer to Ransom. Retrieved October 19, 2013, from
[3] Szynalski, T. (2009, November 23) What you should know about Volume Shadow Copy/System Restore in Windows 7 & Vista (FAQ). Retrieved October 28, 2013, from