CTB-Faker Ransomware Removal Guide

Do you know what CTB-Faker Ransomware is?

If you are presented with an intimidating message claiming that your personal files were encrypted by CTB-Locker, be cautious. CTB-Faker Ransomware is a new infection that borrows the name of another infamous threat, CTB-Locker Ransomware, to confuse users. You can use an image search to see what the real infection looks like and compare it with what is on your screen to tell whether you are dealing with the fake copycat. Of course, it is just as malicious as the infection it mimics, and your personal files will be in jeopardy if it attacks. Notably, this threat does not work like most ransomware infections because it does not use encryption algorithms at all. Instead, it locks your files in a single password-protected archive. Unfortunately, this does not make the threat any less troublesome: many users may still be unable to unlock their files. Keep reading to learn more and find out how to remove CTB-Faker Ransomware.

How did CTB-Faker Ransomware attack your operating system? According to the latest research, this infection is spread via fake profiles on adult-content sites. These fictitious profiles display malicious links that lead to ZIP files. A malicious executable is included in the archive, and this is where the infection lies. If the .exe file is run, CTB-Faker Ransomware is unleashed. The threat immediately scans your User folder for files with a range of extensions, including .avi, .exe, .jpg, .mp3, .mp4, .rar, and .zip. Files with these extensions are moved into a password-protected ZIP archive, and this is how your personal files are locked. Because not every computer has file-archiving software installed, the ransomware downloads the files it needs to move your data into the archive. These files are most likely to be found in the %ALLUSERSPROFILE% directory (%ALLUSERSPROFILE%\Application Data on Windows XP), where they do not belong. If you find these files there, you can delete them.

Once the files are locked, CTB-Faker Ransomware creates a TXT file called “your personal files are encrypted.txt”. The message in this file is the same as the one shown in a pop-up window that mimics the CTB-Locker notification. This window is launched from a file called help.exe. The ransom message claims that SHA and RSA encryption algorithms were used to encrypt your files, but that is a lie. According to the message, you have 7 days to pay a ransom of $50 to the provided Bitcoin address. You might also see an email address (e.g., miley@openmailbox.org); we do not recommend contacting it, because any communication with cyber criminals can lead to more problems. We do not recommend paying the ransom either, because there is no guarantee that the password to the archive holding your files hostage would ever be provided to you.

Zip Password Recovery is one of the tools you can try to crack the password on the archive created by CTB-Faker Ransomware. Hopefully, you will find a tool that works for you. If that does not happen, ask a friend or a professional for help before giving up. Eventually, you need to delete CTB-Faker Ransomware from your operating system, and you can do so manually or with an automated malware remover. The latter option is more beneficial because it can ensure the removal of all threats (note that other infections could be active on your PC) and provide the full-time protection that you clearly need. If you choose the manual route, do not forget to install security software sooner rather than later, because malicious infections will slither in at the first chance they get.

Remove CTB-Faker Ransomware

  1. Launch Explorer (tap Win+E keys on the keyboard simultaneously).
  2. Enter %ALLUSERSPROFILE% (%ALLUSERSPROFILE%\Application Data\ on Windows XP) into the bar.
  3. Right-click and Delete these malicious .exe files (the names might be different):
    • help.exe
    • restore.exe
    • startup.exe
  4. Now enter %SystemDrive% into the bar at the top.
  5. Right-click and Delete the file called your personal files are encrypted.txt.
  6. Right-click and Delete the ZIP archive that held your files hostage (delete the archive ONLY if you have unlocked the archive and extracted your personal files to a different folder).
  7. Launch RUN (tap Win+R keys on the keyboard simultaneously).
  8. Enter regedit.exe into the Open box to launch the Registry Editor utility.
  9. Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.
  10. Right-click and Delete the value named help.exe (value data: REG_SZ C:\ProgramData\help.exe).
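The artefacts checked in the steps above can be collected in one read-only triage pass. The PowerShell script below is an added example, not code from the original guide; it only reports whether the named executables, the ransom note and the Run value are present, and it deletes nothing, so the cleanup itself stays with the manual steps or your anti-malware software. It assumes the file names and the Run value name are exactly those listed above (the guide notes the names might differ), so an empty result does not prove the machine is clean.

```powershell
# Added example (not from the original guide): read-only triage for the CTB-Faker
# artefacts named in the removal steps. Reports findings, deletes nothing.
# Assumption: artefact names match the guide exactly; variants may use other names.

$findings = @()

# Steps 2-3: dropped executables in %ALLUSERSPROFILE% (Windows XP subfolder also checked)
$dropDirs  = @($env:ALLUSERSPROFILE, (Join-Path $env:ALLUSERSPROFILE 'Application Data'))
$dropNames = @('help.exe', 'restore.exe', 'startup.exe')
foreach ($dir in $dropDirs) {
    foreach ($name in $dropNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += [pscustomobject]@{ Type = 'DroppedFile'; Location = $path }
        }
    }
}

# Steps 4-5: ransom note in the root of the system drive
$note = Join-Path "$env:SystemDrive\" 'your personal files are encrypted.txt'
if (Test-Path -LiteralPath $note -PathType Leaf) {
    $findings += [pscustomobject]@{ Type = 'RansomNote'; Location = $note }
}

# Steps 9-10: persistence through the per-user Run key
$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues -and $runValues.PSObject.Properties['help.exe']) {
    $findings += [pscustomobject]@{
        Type     = 'RunKeyValue'
        Location = "$runKey\help.exe = $($runValues.'help.exe')"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No CTB-Faker artefacts found at the locations named in the guide.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt before and after cleanup; any line it prints corresponds to a specific step above, and the password-protected archive itself is not searched for because the guide gives it no fixed name.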

In non-techie terms:

Although CTB-Faker Ransomware is just a copycat of a well-known dangerous ransomware, CTB-Locker, you should not underestimate it. This devious threat can lock your personal files, including executables, in a password-protected archive. It is possible that this password will be provided to you if you follow the instructions and pay the ransom requested; however, our research team recommends looking at legitimate password recovery tools for ZIP archives. After all, your money could go to waste, and you do not want to take that risk. When the time to remove CTB-Faker Ransomware comes, we suggest employing anti-malware software, but you should be able to eliminate this threat manually as well. The main reason why we suggest relying on anti-malware software is the full-time protection provided to you after your PC gets clean, and reliable protection is very important.