Ransomware "Cryptographic Locker" is a fail - doesn't properly delete files

A new ransomware called Cryptographic Locker, which encrypts files on infected PCs, fails to delete the original files and System Restore points, making it easy for victims to get their data back.


Once a system is infected, Cryptographic Locker starts to encrypt documents, images and other files using AES encryption. After all files are encrypted, the ransomware displays a warning explaining to the user how to get the files decrypted. The cybercriminals demand a ransom of 0.2 Bitcoin (about $100). They also change the desktop background to an image which warns the user that the files are encrypted. The image does not use the name Cryptographic Locker but instead CryptoLocker, the name of the most notorious ransomware.

As soon as the ransomware becomes active it disables execution of a wide range of applications including Process Hacker, MalwareBytes, Spyhunter, MsConfig, Task Manager, Registry Editor, System Restore and Process Explorer.

The ransomware doesn't do a proper secure delete and also doesn't remove System Restore points. This allows users to restore files with a recovery tool or restore Shadow Volume Copies with software like Shadow Explorer.
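The following PowerShell script is an added example, not part of the original article: it lists the Shadow Volume Copies that were created before the infection and, for each drive, the newest one a victim could restore from. The `$InfectionTime` default and the `C:\ShadowMount` path are constructed sample values, and the script must be run from an elevated prompt.

```powershell
# Added example: find Volume Shadow Copies that predate a ransomware infection.
# $InfectionTime is a constructed sample value; replace it with the earliest
# modification time seen on an encrypted file.
param(
    [datetime]$InfectionTime = '2014-09-01T12:00:00'
)

# Map volume GUID paths (\\?\Volume{...}\) to drive letters.
$volumes = @{}
Get-CimInstance -ClassName Win32_Volume |
    Where-Object DriveLetter |
    ForEach-Object { $volumes[$_.DeviceID] = $_.DriveLetter }

# Snapshots taken before the infection still hold the unencrypted files.
$candidates = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.InstallDate -lt $InfectionTime } |
    Sort-Object InstallDate -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Drive        = $volumes[$_.VolumeName]
            Created      = $_.InstallDate
            ShadowId     = $_.ID
            DeviceObject = $_.DeviceObject
        }
    }

if (-not $candidates) {
    Write-Warning "No shadow copy older than $InfectionTime was found."
    return
}

# All usable snapshots, newest first.
$candidates | Format-Table Drive, Created, ShadowId -AutoSize

# Newest clean snapshot per drive, with the command that exposes it as a
# read-only folder (C:\ShadowMount is a hypothetical path; the trailing
# backslash on the device path is required).
$candidates | Group-Object Drive | ForEach-Object {
    $best = $_.Group[0]
    [pscustomobject]@{
        Drive   = $best.Drive
        Created = $best.Created
        Mount   = "cmd /c mklink /d C:\ShadowMount $($best.DeviceObject)\"
    }
} | Format-List
```

Copy the recovered files to external media before cleaning the machine, since removing the infection may involve steps that delete the remaining restore points.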
