Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Slow internet connection
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ransomware

Ransomware may look like a powerful stand-alone infection, but our researchers say that it is one of the many versions of the Jigsaw Ransomware infection. Therefore, there will be specific features common to all the variants. For example, it is obvious that this program enters your system to rip you off. It holds your files hostage and demands that you pay a ransom fee to restore your data. However, you should never even consider paying the ransom because this way you would only allow the cyber criminals to win. Remove Ransomware from your computer, and then protect your system from similar infections with a powerful antispyware tool.

A thorough inquiry into this infection has shown that the program uses exactly the same methods that were applied by the original Jigsaw Ransomware. The only things that make them different are the ransom note and the encryption extension used by the application. With that in mind, we can look back at the original infection, which was first detected in April this year. Perhaps the feature that deserves an honorary mention is the program’s ability to delete a number of encrypted files every single hour, as long as the ransom fee is not transferred to its headquarters. Thus, you can expect similar behavior from Ransomware, too.

It would seem that this program also has a particular target audience in mind because it comes in two versions: German and English. So while the English version clearly targets users internationally, the German version is intended for the users in German-speaking countries. It would not be surprising to find computers infected with this ransomware in Germany, Austria or Switzerland. However, it is obvious that malware does not recognize national borders, and if you happen to encounter the distribution medium, you might get infected with this ransomware, too.

Ransomware programs often employ several distribution methods, and the most common one is spam email attachments. That is, the ransomware installer file masquerades as some ordinary document file that comes with an official email message. Users are tricked into downloading and opening this file, and then the infection takes place.

Once Ransomware is on your computer, it creates two identical files. The program launches one of the files immediately. The other file remains idle, but the infection creates a Run registry key for it. In our case, the drpbx.exe file in the %LOCALAPPDATA% directory was launched right after the infection, while the firefox.exe file in the %APPDATA% directory had a Point of Execution Run registry key created for it. Please take note, however, that these files often have random names, and the filenames may differ from computer to computer.

According to our researchers, these types of files are common to Jigsaw Ransomware and all of its variants, so it is no surprise that Ransomware has them too. Also, judging from our observations, it is possible to assume that newly released versions of this infection will continue dropping fake Firefox and Dropbox files into target computers.

Once the file encryption is complete, the program adds the “.epic” extension to all the affected files. It is not recommended to restart your computer after the infection because Ransomware can delete files at random, so you may lose some of your files if you do that. Luckily, there is a decryption tool that can decrypt most of the Jigsaw Ransomware variants, so you should not even consider paying the ransom fee.

As far as the fee is concerned, the German version of Ransomware requires users to pay 3000EUR for the decryption, while the English version asks for $5000USD. Needless to say, you should never spend so much money on ransomware. Simply remove the infection, and then restore your files with the publicly available decryption tool, which you can find at computer security websites.

We will also provide the manual removal instructions for this infection, so you can delete everything associated with Ransomware yourself. However, if you think that manual removal is too much of a challenge for you, it would be for the best to employ a legitimate security application that will delete the program for you automatically. Of course, this way, you would also be able to look out for other potential threats that might be installed on your PC.

How to Remove Ransomware

  1. Press Ctrl+Shift+Esc and the Task Manager will open.
  2. Open the Processes tab and end firefox.exe or drpbx.exe processes.
  3. Press Win+R and type %APPDATA%. Click OK.
  4. Delete the Frfx folder and all of its contents. Press Win+R again.
  5. Type %LOCALAPPDATA% into the Open box and press OK.
  6. Delete the Drpbx folder from the directory.
  7. Press Win+R and type regedit. Click OK.
  8. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  9. Delete the entry titled firefox.exe and exit Registry Editor.
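
A read-only check for the artifacts these steps remove, as an added PowerShell example that is not part of the original guide. It matches processes and Run values by path, because the filenames can be random and a legitimate Firefox normally runs from its install directory rather than from %APPDATA%\Frfx. The folder names and the Run key come from the steps above; the function and variable names are assumptions.

```powershell
# Added example: read-only triage, nothing is deleted or terminated.
# Folder names and the Run key path come from the removal steps above;
# function and variable names are assumptions made for this example.
$suspectDirs = @(
    (Join-Path $env:APPDATA      'Frfx'),
    (Join-Path $env:LOCALAPPDATA 'Drpbx')
)
$runKeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# True when a path or command line points inside one of the two folders.
function Test-InSuspectDir([string]$Text) {
    foreach ($dir in $suspectDirs) {
        if ($Text.IndexOf("$dir\", [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

# 1. Executables dropped into the two folders (names may be random).
$droppedFiles = foreach ($dir in $suspectDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter *.exe -File -Force |
            Select-Object FullName, Length, CreationTime
    }
}

# 2. Running processes, matched on image path rather than process name.
$processes = Get-CimInstance -ClassName Win32_Process |
    Where-Object { Test-InSuspectDir $_.ExecutablePath } |
    Select-Object ProcessId, Name, ExecutablePath

# 3. Run values whose data launches something from either folder.
$runKey = Get-Item -Path $runKeyPath -ErrorAction SilentlyContinue
$runValues = if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($name)
        if (Test-InSuspectDir $data) {
            [pscustomobject]@{ Name = $name; Data = $data }
        }
    }
}

[pscustomobject]@{
    DroppedFiles = @($droppedFiles)
    Processes    = @($processes)
    RunValues    = @($runValues)
} | Format-List
```

Run it as the affected user, since both folders and the Run key are per-user; empty lists after the removal steps indicate the listed artifacts are gone for that account.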