Crypt0L0cker ransomware removal instruction and ways to restore the encrypted files

So, what do we have: Crypt0L0cker is a ransomvare that tries to scare everyone with its well-known name. In fact, this virus is a new version TorrentLocker ransomware, with the name change and some new functions. Crypt0L0cker has several features that distinguish it from other similar viruses. Firstly, it can remove the Shadow Volume Copies, which means you can’t use them to restore the files. Removal of copies is written in the algorithm of the virus, and it will continue to try to do it over and over again. You will see the message, stating that Windows need to make changes, and if you confirm it – you’ll deprive yourself of the opportunity to restore the files in this way. Secondly - (it is good news for residents of the United States) this virus for some reasons is geo-locked, and infects only computers in Europe, Asia and Australia. We still don’t know exactly, which encryption algorithm it uses, but most likely it's AES or RSA. Files encrypted with them are not subject to cracking, and try to decipher them simply makes no sense. The virus affects not only text files and images but also videos. Here is the complete list of extensions: avi, wav, mp3, gif, ico, png, bmp, txt, html, inf, manifest, chm, ini, tmp, log, url, lnk, cmd, bat, scr, msi, sys, dll, exe. For now, the amount of fee is 2.2 Bitcoin.


Crypt0L0cker encryptor

How Crypt0L0cker Virus works

Except the features, described above, Crypt0L0cker has other unusual abilities. Its distribution is going through infected websites, free software bundles and viral e-mail attachments. The messages are designed in “police” style, and they state, that you’ve violated some law, or visited some restricted website. The virus sets the autorun function by inserting a file in the Startup folder, and the registry. If your computer is infected with a Crypt0L0cker virus and you do not want to pay money to hackers - you have several options:


  • Upload backups. If you have a valid copy of the encrypted information, you can use it, but before that you need to completely clean your computer from virus.
  • Try to restore the files from the Shadow Volume Copies. This type of virus is trying to remove shadow copies, but if you do not confirm the change of Windows settings, then you can do it. Before this operation you also need to remove the virus.
  • Forget about your files, clean your computer and take protective measures to guard your PC in future.


As you can see, in any case you will need to deal with the virus first. We will tell you how to do this in the fastest and safest way.

How to remove Crypt0L0cker Virus from the computer

Removing the virus, such as Crypt0L0cker is not a task for beginners. During its work, the virus creates copies of itself in different folders, to prevent the removal and to withstand anti-virus programs. Even if you are an experienced professional, you might not handle it. If you know a little about computers and computer viruses - you'd better not even try to remove Crypt0L0cker manually. We suggest you Reimage Repair antivirus program, which will remove Crypt0L0cker from your PC quickly and safely, along with all additional files. The main advantage of Reimage is that it removes the virus for several minutes, and after removal, your computer will be protected from other viruses. In the case of manual removal – you’ll have to do it all over again. If you do decide to perform a manual removal - we advise you to follow all the instructions exactly. If you have any difficulty - just write a comment on this article, and we will help you. If you choose the quick and safe disposal - just click here to download Spyhunter and remove virus automatically

Step 1. Boot the system in the safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

Alternative way how to boot computer in the safe mode:


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drivers

Show hidden files. Step 3


  • Press Ok

Step 3. Remove Crypt0L0cker files

Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%

Step 4. Clean registry

  • Click Start
  • Type Regedit.exe and press Enter
  • Press Ctrl+F and search for "Crypt0L0cker"
  • Delete items found

How to decrypt your files

How to decrypt files? Let's say right away, it will not be easy. If you don’t have backups of your files, then you have two ways: to restore the files from the shadow volume copies, or use one of specialized programs for decryption. The first method can be carried out with the help of programs such as Recuva and ShadowExplorer. These programs will help you gain access to shadow copies of files and restore files. This method can’t guarantee you 100% success because Crypt0L0cker attempts to delete shadow copies during its work. Fortunately, Windows is not configured to do it quietly, and the user receives a message stating that a program is trying to change the system settings. If you saw this window and pressed "OK", then we have bad news for you: you will not be able to use shadow copies, because the virus deleted them.

In such case, it would be better to use one of the licensed decrypting programs. Do not try to use first got “wonderful” program, developed by unknown guys, and distributed via suspicious website. Viruses are often hiding under the guise of such programs. Use only the products of proven, trusted developers, and download them from the official websites. An excellent example of such a program is Kaspersky Ransomware Decryptor.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore


Video instruction





Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 5.00 [1 Vote]

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience