CTB-Locker ransomware removal instruction and ways to restore the encrypted files

CTB-Locker is an ordinary ransomware. Any virus, which tries to get some money from you, can be attributed to the ransomware species. Such viruses are, mostly, not very dangerous: they are trying to block a browser, or to block all operations on the PC by placing a large active banner on the desktop. These versions are easily curable, but the version with encryption is the worst one. CTB-locker can be removed from your PC through few steps, but the encrypted files will remain unusable, and you will have to deal with it. We know what to do, and how you can get your data back without paying a ransom. Keep on reading, and you will learn about CTB-Locker and its removal.


CTB-Locker encryptor

How CTB-Locker Virus works

CTB-Locker, as the other ransomware, penetrates user’s PC through usual ways, as all other viruses do. It comes with emails, crawls into the system after you download some program from suspicious website, and gets installed with other programs. But, unlike other viruses, such ransomware is really stealthy. This is so because the majority of viruses don’t have the precise goals. They show you ads, and they keep showing more and more until you delete the virus. Or, they slow your PC down and advise you to buy a removal tool. Their goals are stretched in time, and ransomware knows exactly what it must do. It gets installed and doesn’t show itself, until the files will be encrypted. You won’t see any windows, banners or ads during the encryption. The only sign of an unwanted process is some slowdown of PC speed. If you noticed such slowdown, and there’s no other reasons for it (like powerful programs, currently launched) – check the Task Manager for suspicious processes, and shut them down. If the process of encryption went unnoticed, you will soon receive a message with demand of ransom. The typical message looks like this: “All files on your PC were encrypted by powerful cipher, and if you want us to decrypt them – pay a ransom”. The amount of money is usually between 500 and 1000$.

How to remove CTB-Locker Virus from the computer

Firstly, you should not confuse the virus deletion with the decryption of files. These two processes are completely different and aren’t linked in any way. The deletion is required, but if you decide to pay the ransom – don’t remove the virus, until scammers will restore your data, because without a working virus you won’t get a cypher key. If you don’t want to pay, just remove the virus, following the instructions below, or purchase a worthy anti-virus, which will do it for you. We can advise you the tool that will easily delete CTB-Locker and all files, attached to it. And the most important thing: anti-virus won’t let any virus to install on your PC again! It is much easier to prevent the malware to install than cope with the consequences of infection. The reputable tool that we advise is called Spyhunter. It was developed by Enigma software, and has hundreds of thousand users all over the world. Click here to download Spyhunter and remove virus automatically

Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

Alternative way how to boot computer into safe mode:


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok

Step 3. Remove CTB-Locker files

Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%

Step 4. Clean registry

  • Click Start
  • Type Regedit.exe and press Enter
  • Press Ctrl+F and search for "CTB-Locker"
  • Delete items found

How to decrypt your files

The decryption of your data is the most important matter in this story, and the answer is really simple. There is only one 100% efficient way to restore your data: to load a backup. Just load a previously saved copy of the whole system, and all files will be on their places. But remember, that the encryption could last even for 2-3 days, so count 3 days from the time, when you received a message, and load the earlier checkpoint. If you don’t have a checkpoint, the chances to restore your data without payment are really low, but there’s another way. During the encryption, CTB-Locker creates new encrypted files, and deletes the original ones. It means that you could restore them from shadow copies, with help of such tools as ShadowExplorer and Recuva. Full guides about these tools is available on their official websites, and a guide about the load of backup is written below.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore


Video instruction





Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 0.00 [0 Votes]

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience