CTB-Faker Ransomware Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 1126
Category: Trojans

CTB-Faker Ransomware is the name of a new infection that is an attempt to imitate the infamous CTB-Locker Ransomware. Hence the name “Faker.” We have tested this infection and have come to the conclusion that it is dangerous, and you must remove it as soon as possible. There are many things that are going on with this infection, and we are going to provide you with the most relevant information about it in this short article. We will cover distribution methods, peculiarities regarding its features, and more.

When your computer becomes infected with CTB-Faker Ransomware, it does not scan your entire computer but the C:\Users file path only. Unlike most ransomware, this particular infection is set to target only a handful of file formats that include .exe, .msi, .dll, .jpg, .jpeg, .bmp, .gif, .png, .psd, .mp3, .wav, .mp4, .avi, .zip, .rar, .iso, .7z, .cab, .dat, and .data. Therefore, it can be said that this ransomware is rather selective. As you can see from the list of encrypted file formats, this ransomware targets files that are most likely to contain valuable information for which you would be willing to pay a reasonable sum of money.

What sets this ransomware apart is the fact that it does not encrypt the targeted files. Instead, it moves them to a password protected ZIP archive. This is very unusual, but effective nonetheless. However, truth be told, this method of denying you access to your files is quite primitive and goes to show that the developers lack the necessary prowess to create a genuine ransomware. As stated in the introduction, CTB-Faker Ransomware is set to imitate CTB-Locker Ransomware, but it is not an exact copy of the said ransomware. In truth, this ransomware is a Winrar SFX file that extracts and executes batch and VBS files and executables to C:\ProgramData. The VBS file renders a fake error message claiming that your video player has crashed that does not allow you to watch a particular striptease video. Once the archiving the files is complete, the ransomware will delete the BVS and patch files and restart the PC. Furthermore, it creates ransom notes in C:\ProgramData\index.html, C:\ProgramData\your personal files are encrypted.txt, and C:\your personal files are encrypted.txt.

This ransomware demands a payment of 50 USD in Bitcoins (which is 0.08686 BTC.) You have to send an email to the provided email address to get the password. You have to provide the cyber crooks with the unique ID number to do so. Nevertheless, this tactic of denying you access to your files is not strong, and we are positive that you will be able to get your files back when a tool dedicated to breaking the password is created.

Do not be fooled by CTB-Locker Ransomware’s false claim that your files have been encrypted using SHA-512 and the decryption key has been encrypted with RSA-4096. They also claim that the ransom will increase to 100 USD if you do not pay it in 7 days. Now this is something that can be true, but we urge you to refrain from paying the ransom, especially since the cyber criminals might not give you the password.

CTB-Faker Ransomware’s developers have opted for an unusual way to distribute it. Research has shown that this ransomware is currently distributed via fake profile pages found on adult websites that feature links and passwords to a fake password-protected striptease video. If you click the link in the profile, then it will initiate the download of a .Zip file that is hosted on JottaCloud. When you open and extract the executable form this archive, this ransomware will go to work and start encrypting.

We hope that this short article has shed some light on this infection. Clearly, you have to remove it as soon as possible to be able to use your computer again. Even though it pretends to be an entirely different ransomware, it fails to do so. We urge not to pay the ransom and wait till security experts develop a tool that could get your files back for free. Feel free to consult the manual removal guide provided below. However, if you experience problems when using it, then try using SpyHunter since it is entirely capable of eradicating this ransomware.

How to delete CTB-Faker Ransomware

  1. Hold down Windows+E keys.
  2. Enter the following paths in the File Explorer and delete the files.
  • %ALLUSERSPROFILE%\help.exe
  • %ALLUSERSPROFILE%\Application Data\help.exe
  • %ALLUSERSPROFILE%\startup.exe
  • %ALLUSERSPROFILE%\Application Data\startup.exe
  • %ALLUSERSPROFILE%\restore.exe
  • %ALLUSERSPROFILE%\Application Data\restore.exe

Delete the registry key

  1. Hold down Windows+R keys.
  2. Type regedit in the dialog box and click OK.
  3. Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Find help.exe which contains the Value data C:\ProgramData\help.exe
  5. Right-click it and click Delete.
Download Remover for CTB-Faker Ransomware *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.

CTB-Faker Ransomware Screenshots:

CTB-Faker Ransomware
CTB-Faker Ransomware
CTB-Faker Ransomware


Your email address will not be published.


Enter the numbers in the box to the right *