CryLocker Ransomware Removal Guide

Do you know what CryLocker Ransomware is?

It is very easy for CryLocker Ransomware to attack unguarded operating systems. This threat can use exploit kits to slither in, or it can be downloaded by a Trojan that is already present on the system. Having your operating system infected with this malware is very dangerous because it goes straight after your personal files. According to the research conducted in our internal lab, this ransomware targets a range of file types, including .flv, .mp3, .pdf, .rar, .txt, .vbs, and .zip files. Once these files are encrypted, which happens 15-30 minutes after the threat is executed, additional files are created to provide you with more information. The purpose of this information is to make you visit a website that shows how to pay a ransom, which, supposedly, buys the key needed to decrypt your personal files. Users who find their extremely important and valuable files encrypted often rush to pay, but you should not make any abrupt decisions, and that applies to the removal of CryLocker Ransomware as well: deleting the infection stops it, but it does not decrypt the files it has already locked.

Besides encrypting your precious files, CryLocker Ransomware carries out other malicious actions. For example, it runs the "vssadmin delete shadows /all /quiet" command to remove Shadow Volume Copies. If that command succeeds, you will not be able to recover earlier versions of your files through Windows' Previous Versions feature or a restore point, because both rely on those shadow copies. Additionally, the infection checks the keyboard layouts installed on your system by calling the Windows API function "GetKeyboardLayoutList", and it attempts to determine your geographical location via the Google Maps Geolocation API. CryLocker Ransomware uses your location and the language used on your PC to skip the encryption of files if you are in Belarus, Russia, Ukraine, Uzbekistan, or Kazakhstan. Based on this, we believe that the ransomware was created in that region and that its creators do not want to spread their infection there. Keep in mind that even though the ransomware will not encrypt your files if you live in that area, its files could still be dropped onto your system, and it is important for you to remove them.
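As an added example (not from the article or the ransomware's authors), here is how a defender would hunt for the shadow-copy deletion described above in process-creation telemetry. The input is a handful of constructed Sysmon-style (Event ID 1) events as JSON lines: the field names Image, CommandLine, ParentImage and Computer are Sysmon's, the JSON-lines layout is an assumption. Beyond the literal command quoted above, the rules also flag two common equivalents, wmic shadowcopy delete and vssadmin resize shadowstorage, which purge shadow copies by other means.

```python
"""Triage process-creation events for shadow-copy deletion. Added example, not the
article's code. Real data would come from Sysmon Event ID 1 or Security Event ID 4688
with command-line auditing enabled; the sample below is constructed."""
import json
import re
from typing import Dict, List

# Applied to a lower-cased, whitespace-collapsed command line. The first pattern is
# the exact command the article reports; the other two are common equivalents
# (a generalisation added here, not something the article attributes to CryLocker).
SHADOW_DELETION_PATTERNS = [
    re.compile(r'(^|[\\/\s"])vssadmin(\.exe)?"?\s+delete\s+shadows\b'),
    re.compile(r'(^|[\\/\s"])wmic(\.exe)?"?\s+shadowcopy\s+delete\b'),
    re.compile(r'(^|[\\/\s"])vssadmin(\.exe)?"?\s+resize\s+shadowstorage\b'),
]


def normalise(cmdline: str) -> str:
    """Collapse whitespace and case so spacing or capitalisation tricks do not evade the match."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def is_shadow_deletion(cmdline: str) -> bool:
    norm = normalise(cmdline)
    return any(p.search(norm) for p in SHADOW_DELETION_PATTERNS)


def parse_events(text: str) -> List[Dict[str, str]]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events worth an analyst's attention. The parent image is kept
    because the interesting fact is who launched vssadmin, not that it ran."""
    hits = []
    for ev in events:
        if is_shadow_deletion(ev.get("CommandLine", "")):
            hits.append({
                "host": ev.get("Computer", "?"),
                "parent": ev.get("ParentImage", "?"),
                "command": normalise(ev["CommandLine"]),
            })
    return hits


# Constructed sample: five process-creation events, three of them malicious.
SAMPLE_LOG = r'''
{"EventID": 1, "Computer": "WS-017", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "\"C:\\Windows\\System32\\vssadmin.exe\" delete shadows /all /quiet", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\dkqpz.exe"}
{"EventID": 1, "Computer": "WS-017", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Computer": "WS-017", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"EventID": 1, "Computer": "WS-022", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c  \"vssadmin   Delete Shadows /All /Quiet\"", "ParentImage": "C:\\ProgramData\\a1b2c3d4.exe"}
{"EventID": 1, "Computer": "WS-022", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete", "ParentImage": "C:\\ProgramData\\a1b2c3d4.exe"}
'''


def demo() -> List[Dict[str, str]]:
    return triage(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['host']}: {hit['parent']} -> {hit['command']}")
```

The normalisation matters: the sample includes a fully quoted path, doubled spaces and mixed case, all of which a naive substring match on the article's exact string would miss. In practice the parent image is the actionable field. vssadmin launched from a file in %TEMP% or %ALLUSERSPROFILE% is the pattern this guide describes, while the same command from an administrator's console may be routine maintenance.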

According to our research, CryLocker Ransomware creates four additional files after it has finished encrypting your files and appending the ".cry" extension to them. The main component is an executable placed in the %TEMP% or %ALLUSERSPROFILE% folder. If the .exe file is placed under %TEMP%, its name is completely random, but if it is placed under %ALLUSERSPROFILE%, its name consists of 8 random characters. This malicious executable is responsible for creating !Recovery_[6 random characters].html and !Recovery_[6 random characters].txt (both on the Desktop) and [8 random characters].html (in %TEMP%). All of these files present the demands of the cyber criminals and push you to visit a ransom payment website. The fourth file, [8 random characters].lnk, is a shortcut that points to the HTML file in %TEMP% and is meant to open it at every logon; it is located in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. These are the files you need to eliminate, along with the executable, to remove CryLocker Ransomware.

The removal of CryLocker Ransomware is easy. If you are more experienced, you can follow the instructions below. If you are not, you can trust a legitimate malware remover to eliminate every malicious component automatically. But what about your files? Unfortunately, unless you have a backup, you might lose them if you are not willing to take your chances and pay the ransom. Considering that you might pay for a decryption key that is never delivered, we cannot recommend paying the ransom requested by the creator of this malicious ransomware. At the time of writing, no third-party decryptor exists for files encrypted by this particular infection, so your options are very limited. In reality, the only way to recover your files without paying the ransom is to restore them from a backup; remove the ransomware before you restore, or the restored copies may be encrypted again. It is also worth keeping the encrypted .cry files rather than deleting them, in case a working decryptor is released later.

Delete CryLocker Ransomware

  1. Press Win+E to open Explorer.
  2. Type %TEMP% into the address bar and tap Enter.
  3. Right-click and Delete the malicious [random name].exe file. Note that this file might instead be located in the %ALLUSERSPROFILE% directory, and that if Windows reports the file is in use, you need to end its process in Task Manager first.
  4. Right-click and Delete the malicious [8 random characters].html file (still in %TEMP%).
  5. Type %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup or %ALLUSERSPROFILE%\Start Menu\Programs\Startup (for Windows XP) into the address bar and tap Enter.
  6. Right-click and Delete the malicious [8 random characters].lnk file.
  7. Right-click and Delete these files located on the Desktop:
    • !Recovery_[6 random characters].html
    • !Recovery_[6 random characters].txt
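As an added example that is not part of this guide, the following Python script automates the search for the artefacts named in the previous section and the manual steps above. The folder roles are passed in as a mapping, so it can run against the live profile (default_locations() resolves them from the Windows environment variables the guide uses) or against a mounted image; the demo instead builds a constructed sample tree in a temporary directory, where the .lnk is a fake that only mimics the embedded target path of a real ShellLink. Treating the random name parts as alphanumeric is an assumption, as is the pairing of shortcut and HTML page by that embedded path.

```python
"""Find and remove the CryLocker file artefacts described above. Added example,
not the article's tooling; the sample tree is constructed."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Name patterns from the article; random parts are assumed to be alphanumeric.
NOTE_RE = re.compile(r"^!Recovery_[A-Za-z0-9]{6}\.(html|txt)$", re.IGNORECASE)
EIGHT_HTML_RE = re.compile(r"^[A-Za-z0-9]{8}\.html$", re.IGNORECASE)
EIGHT_LNK_RE = re.compile(r"^[A-Za-z0-9]{8}\.lnk$", re.IGNORECASE)
EIGHT_EXE_RE = re.compile(r"^[A-Za-z0-9]{8}\.exe$", re.IGNORECASE)


def default_locations() -> Dict[str, Path]:
    """Live-system folders resolved from the environment (Windows only)."""
    profile = Path(os.environ["USERPROFILE"])
    return {
        "desktop": profile / "Desktop",
        "temp": Path(os.environ["TEMP"]),
        "allusers": Path(os.environ["ALLUSERSPROFILE"]),
        "startup": Path(os.environ["APPDATA"]) / "Microsoft" / "Windows"
                   / "Start Menu" / "Programs" / "Startup",
        "profile": profile,
    }


def _files(folder: Path) -> List[Path]:
    return [p for p in folder.iterdir() if p.is_file()] if folder.is_dir() else []


def scan(loc: Dict[str, Path]) -> Dict[str, List[Path]]:
    """Collect candidates per artefact type. Executables are only reported: any .exe
    directly in %TEMP% is suspect, in %ALLUSERSPROFILE% only 8-character names are."""
    return {
        "notes": [p for p in _files(loc["desktop"]) if NOTE_RE.match(p.name)],
        "temp_html": [p for p in _files(loc["temp"]) if EIGHT_HTML_RE.match(p.name)],
        "startup_lnk": [p for p in _files(loc["startup"]) if EIGHT_LNK_RE.match(p.name)],
        "executables": [p for p in _files(loc["temp"]) if p.suffix.lower() == ".exe"]
                       + [p for p in _files(loc["allusers"]) if EIGHT_EXE_RE.match(p.name)],
        "encrypted": [p for p in loc["profile"].rglob("*.cry") if p.is_file()],
    }


def lnk_targets(found: Dict[str, List[Path]]) -> Dict[Path, Path]:
    """Pair each Startup shortcut with the %TEMP% page it launches. A .lnk embeds its
    target path as ANSI and/or UTF-16LE text, so a raw byte search suffices here
    and avoids writing a full ShellLink parser."""
    pairs: Dict[Path, Path] = {}
    for lnk in found["startup_lnk"]:
        blob = lnk.read_bytes()
        for html in found["temp_html"]:
            if html.name.encode("ascii") in blob or html.name.encode("utf-16-le") in blob:
                pairs[lnk] = html
                break
    return pairs


def remove(found: Dict[str, List[Path]], dry_run: bool = True) -> List[Path]:
    """Delete the notes, the %TEMP% page and the Startup shortcut. The executables
    are left for the operator: end the process first, then delete deliberately."""
    targets = found["notes"] + found["temp_html"] + found["startup_lnk"]
    if not dry_run:
        for p in targets:
            p.unlink()
    return targets


def build_sample_tree(root: Path) -> Dict[str, Path]:
    """Constructed stand-in for an infected profile: names follow the article's
    patterns, contents are dummies, the .lnk is a fake with an embedded target path."""
    alice = root / "Users" / "alice"
    loc = {
        "desktop": alice / "Desktop",
        "temp": alice / "AppData" / "Local" / "Temp",
        "allusers": root / "ProgramData",
        "startup": alice / "AppData" / "Roaming" / "Microsoft" / "Windows"
                   / "Start Menu" / "Programs" / "Startup",
        "profile": alice,
    }
    for d in loc.values():
        d.mkdir(parents=True, exist_ok=True)
    (loc["desktop"] / "!Recovery_k3f9zq.html").write_text("<html>pay</html>")
    (loc["desktop"] / "!Recovery_k3f9zq.txt").write_text("pay")
    (loc["desktop"] / "notes.txt").write_text("a legitimate file that must survive")
    (loc["temp"] / "x7pq2m9b.html").write_text("<html>pay</html>")
    (loc["temp"] / "dkqpz.exe").write_bytes(b"MZ")          # dropper with a random name
    (loc["temp"] / "setup.log").write_text("ok")
    (loc["allusers"] / "a1b2c3d4.exe").write_bytes(b"MZ")   # the 8-character variant
    target = str(loc["temp"] / "x7pq2m9b.html")
    (loc["startup"] / "r8t2vw0n.lnk").write_bytes(b"L\x00\x00\x00" + target.encode("utf-16-le"))
    (alice / "Documents").mkdir(exist_ok=True)
    (alice / "Documents" / "budget.pdf.cry").write_bytes(b"\x00" * 16)
    return loc


def run_demo() -> Dict[str, object]:
    """Scan, correlate, dry-run, then really remove, and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        loc = build_sample_tree(Path(d))
        found = scan(loc)
        pairs = lnk_targets(found)
        planned = remove(found, dry_run=True)
        still_there = all(p.exists() for p in planned)
        removed = remove(found, dry_run=False)
        return {
            "notes": sorted(p.name for p in found["notes"]),
            "temp_html": [p.name for p in found["temp_html"]],
            "startup_lnk": [p.name for p in found["startup_lnk"]],
            "executables": sorted(p.name for p in found["executables"]),
            "encrypted": len(found["encrypted"]),
            "lnk_to_html": {k.name: v.name for k, v in pairs.items()},
            "dry_run_kept_files": still_there,
            "removed": len(removed),
            "all_gone": all(not p.exists() for p in removed),
            "legit_kept": (loc["desktop"] / "notes.txt").exists(),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run scan(default_locations()) on a live machine and review the executables list before touching anything: the ransom notes and the Startup shortcut are safe to delete, but the dropper must be stopped before it can be removed, and the count of .cry files tells you how much of the profile was reached.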

In non-techie terms:

The devious CryLocker Ransomware can slither in and corrupt your files without any warning. Although you might have a window of 15-30 minutes to delete this threat before it starts encrypting, it is unlikely that you will know about the infection at all during that time. Once it encrypts the files, the only way to decrypt them is with a private key that only the cyber criminals can provide. Will they hand it over when you pay the ransom? No one can guarantee that, and our experience warns us to be cautious. When you get around to removing this ransomware, either download an automated malware remover, which we recommend if other threats, such as Trojans, are active, or eliminate the components of this infection manually using the guide above.