Ransomware is malware that restricts access to data on a device and demands that a ransom be paid to its operator. Some forms of ransomware encrypt files on the system's hard drive, while others simply lock the system and display messages intended to persuade the user to pay.
In the past week there have been several cases of ransomware called CTB-Locker, also known as Critroni Ransom. It is generally spread via e-mail as an attachment; CTB-Locker is released in waves from time to time, with the most recent cases occurring on 18, 19 and 20 January 2015.
CTB-Locker runs when the user executes it. The application encrypts common file types such as Excel and Word documents and image files such as JPEGs. The user then receives an on-screen message stating that their data has been encrypted and that they must pay a ransom.
It is not likely that the encrypted files can be decrypted. In some cases users may be able to recover them from Volume Shadow Copy, but the most effective means of "recovery" is to back up data and files on a regular basis and restore the most recent backup.
CTB-Locker doesn't always remove the volume shadow copies (VSS), so depending on the affected operating system (Windows Vista or higher), it may be possible to retrieve a pre-infection copy of the files affected by the malware.
In that case, follow the steps below:
- Download and install the following software: http://www.shadowexplorer.com/downloads.html
- Once installed, browse to the location of the affected files.
- Select a date prior to the infection.
- Select the affected file or folder, and choose the option “Export”.
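As an added example (not from the original advisory), the same shadow-copy recovery done with built-in Windows tooling instead of ShadowExplorer, run from an elevated PowerShell prompt; the infection date, volume, file path and export folder are assumed placeholders:

```powershell
# Added example: recover a file from a Volume Shadow Copy created before the
# infection. All parameter defaults are assumed placeholders.
param(
    [datetime]$InfectionDate = '2015-01-18',                           # assumed first day of infection on this host
    [string]$Volume          = 'C:\',
    [string]$FilePath        = 'Users\Alice\Documents\report.docx',    # relative to the volume root
    [string]$ExportDir       = 'C:\Recovered'
)

# 1. Enumerate shadow copies of the volume; CTB-Locker does not always delete them.
$volumeId = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $Volume.TrimEnd('\')).DeviceID
$copies = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $InfectionDate } |
    Sort-Object InstallDate -Descending

if (-not $copies) {
    Write-Warning "No shadow copy of $Volume predates $InfectionDate; restore from backup instead."
    return
}

# 2. Use the newest copy taken before the infection (equivalent to picking a date in ShadowExplorer).
$snapshot = $copies[0]
Write-Host "Using shadow copy $($snapshot.ID) from $($snapshot.InstallDate)"

# 3. Expose the snapshot as a directory symlink; the trailing backslash is required.
$mount = Join-Path $env:TEMP 'vss_snapshot'
if (Test-Path $mount) { cmd /c rmdir $mount | Out-Null }
cmd /c mklink /d $mount "$($snapshot.DeviceObject)\" | Out-Null

# 4. Export the pre-infection version of the file, then remove the link.
try {
    New-Item -ItemType Directory -Force $ExportDir | Out-Null
    Copy-Item (Join-Path $mount $FilePath) $ExportDir -Force
    Write-Host "Exported $FilePath to $ExportDir"
}
finally {
    cmd /c rmdir $mount | Out-Null
}
```

Verify the exported file opens correctly before deleting the encrypted copy, since a snapshot taken during the infection window may already contain encrypted data.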