CTB-Faker Ransomware

What is CTB-Faker Ransomware?

The tests conducted in the Anti-Spyware-101.com internal lab have revealed that CTB-Faker Ransomware can impersonate other infamous ransomware infections. The most common version of this devious threat uses the name of the malicious CTB-Locker Ransomware, and it introduces a pop-up window that clearly mimics the one used by CTB-Locker. The ransomware most likely uses this trick to camouflage itself and make users research the wrong infection, which, ultimately, should stop them from removing it in a timely manner or taking the necessary action. Hopefully, you will not be fooled or confused by this infection. One thing that should be said right away is that this ransomware does not encrypt files, contrary to what the misleading pop-up window states. Unfortunately, that does not mean that your files are not at risk or that you do not need to delete CTB-Faker Ransomware. Continue reading.

How does CTB-Faker Ransomware work?

CTB-Faker Ransomware has an unusual way of spreading. This infection is launched from an .exe file that is placed in a ZIP archive, which is downloaded onto your computer when you click a link on a malicious profile created on some adult website. Confusing? This threat cannot launch itself, and you actually need to extract and run the malicious .exe file for it to be launched. Needless to say, you would not launch a malicious file knowing it was associated with a dangerous infection. Therefore, it is camouflaged as some kind of attraction (e.g., a free video of adult content). Once launched, this threat can download legitimate archive extractors to ensure that it can initiate its malicious activity. The attack starts with a scan of your C:\Users folder for certain types of files representing videos, photos, archives, audio files, etc. Then, CTB-Faker Ransomware slowly moves these files into a password-protected archive (our tests have shown the archive to be placed in the %SystemDrive% directory). Unfortunately, the files are not copied but moved, which means that the devious ransomware takes them hostage. Notably, this process is quite lengthy and resource consuming, which means that you might notice it.

Once CTB-Faker Ransomware is done locking down your files, it introduces a pop-up with an intimidating message. It also creates a file called “your personal files are encrypted.txt”. Both of these messages represent the demands of cyber criminals who claim that you will get the password to the archive only if you pay the ransom demanded, which, at the moment, is 50 USD. According to this message, you need to pay the ransom using Bitcoins and then send an email to the provided address with the transaction ID to confirm the payment. A disclaimer is also attached warning you that any attempts to remove CTB-Faker Ransomware will result in the loss of files, which, we are sure, discourages a lot of victims from looking for an alternative recourse. While it is possible that you will get your files back by paying the ransom, there is no assurance, and some victims of ransomware infections report that their files are kept hostage regardless of successful payment. What is more, you might be able to recover your files in other ways, so do not rush with the payment. Our research team encourages using zip password recovery tools first. We do not claim that any of them will work, but it is worth trying. Asking more experienced friends for help might offer a resolution as well.

How to delete CTB-Faker Ransomware

Hopefully, you manage to recover your files without paying the ransom that is requested from you. If you do not, and you are not planning on paying the ransom, you should keep the password-protected archive just in case you find a solution later. Of course, removing CTB-Faker Ransomware is important, and we urge you to get rid of this infection as soon as possible. As you will see by analyzing the manual removal guide below, it is easy to erase this ransomware manually. However, you also need to consider the existence of other threats and further protection of your operating system. Anti-malware software can offer you solutions to all virtual security-related problems, including the elimination of the ransomware, the clearing of the operating system, and, of course, its protection. Even if you choose to delete the threat using the guide below, you should implement reliable security software ASAP.

Removal Instructions

  1. Launch RUN by tapping Win+R keys at the same time.
  2. Enter regedit.exe into the dialog box to open Registry Editor.
  3. Go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.
  4. Delete the value named help.exe with value data pointing to C:\ProgramData\help.exe.
  5. Launch Explorer by tapping Win+E keys at the same time.
  6. Enter %SystemDrive% into the bar at the top of the window.
  7. Delete the file called your personal files are encrypted.txt.
  8. Enter %ALLUSERSPROFILE% into the bar at the top (if you are operating from Windows XP, you will need to enter %ALLUSERSPROFILE%\Application Data\).
  9. Delete these files: help.exe, startup.exe, and restore.exe.
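The removal steps above can be checked in one pass with the following PowerShell script. It is an added example written for this article, not a tool from the page's authors: it looks for the Run value, the dropped executables and the ransom note at the exact locations listed, reports what it finds, and only deletes them when run with `-Remove`. It assumes the hostage archive has a `.zip` extension (the article only says "password-protected archive") and detects Windows XP by its major OS version (5) to apply the `Application Data` path from step 8.

```powershell
# Added example (not from the original article): checks a Windows host for the
# CTB-Faker persistence and file artifacts listed in the removal steps.
# Run in an elevated PowerShell session. Without -Remove it only reports.
param([switch]$Remove)

$runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'help.exe'
$expected = 'C:\ProgramData\help.exe'     # value data named in step 4

# Step 8: payloads live in %ALLUSERSPROFILE%; on Windows XP (major version 5)
# the article says to look under its Application Data subfolder instead.
$profileDir = $env:ALLUSERSPROFILE
if ([Environment]::OSVersion.Version.Major -lt 6) {
    $profileDir = Join-Path $profileDir 'Application Data'
}
$artifacts = @(
    (Join-Path $env:SystemDrive 'your personal files are encrypted.txt')   # step 7
    (Join-Path $profileDir 'help.exe')                                     # step 9
    (Join-Path $profileDir 'startup.exe')
    (Join-Path $profileDir 'restore.exe')
)

$findings = @()

# 1. Persistence: the Run value that relaunches help.exe at logon (steps 3-4).
$data = (Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue).$runValue
if ($data) {
    $findings += "Run value '$runValue' = $data"
    if ($data -ne $expected) { Write-Warning 'Run value data differs from the documented path' }
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# 2. Dropped files and the ransom note.
foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
        if ($Remove) { Remove-Item -LiteralPath $path -Force }
    }
}

# 3. Never delete the archive holding the victim's files: report it so it can be
#    kept for later recovery attempts. The .zip extension is an assumption.
Get-ChildItem -LiteralPath "$env:SystemDrive\" -Filter *.zip -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Archive on system drive (keep it): $($_.FullName)" }

if ($findings) { $findings | ForEach-Object { Write-Output $_ } }
else { Write-Output 'No CTB-Faker artifacts found.' }
```

Run it once without `-Remove` to confirm the findings match the steps above before letting it delete anything.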
