5 Replies Latest reply on Sep 4, 2015 1:59 PM by Peter M

    Cryptolocker Decryption

    joannab

      Hi,

       

      Does anyone have a solution to decrypt files encrypted by cryptolocker?

       

      Thanks,

        • 1. Re: Cryptolocker Decryption
          Troja

          Hi joannab,

          there is no technical solution to decrypt files encrypted by cryptolocker, because you need YOUR private key.

          Infection of Cryptolocker... some main steps:

          - Dropper is executed on your endpoint

          - Infector is executed on your endpoint.

          - Malware is established. The Malware generates a private key for encryption. This private key is uploaded to the C&C Server in the Internet and afterwards deleted from your disk. This key must  be available to decrypt your files.

           

          If you inspect the malware with ATD you also can see the execution of the vssadmin.exe. Vssadmin.exe is used to remove any shadow copy on your drive to prevent the restore of the private key.

          Conlusio, without your private key it is not possible to decrypt your files.

          I heard there was a Botnet highjacked and the private keys have been published. At the Moment i do not know where this was published, but perhaps you are lucky.

           

          Sorry for the bad News.

           

          Cheers

          • 2. Re: Cryptolocker Decryption
            joannab

            Hi Troja,

             

            Fox-IT created a portal via which you can find the key to unlock files. All you have to do is to submit a file that's been encrypted from that they can figure out which encryption key was used. But unfortunately the orginal actors have since changed their encryption model and there have also been a proliferation of copycats using the same name. This tool no longer worked and has since pulled down. So I was hoping to find a comparable resource available.

             

            Thanks,

            • 3. Re: Cryptolocker Decryption
              Peter M

              The FOX-IT one only worked for the early versions of Cryptolocker.  Now variants are appearing that it wouldn't work on anyway.

              Stinger is supposed to be effective at ridding one of Cryptolocker but as far as decrypting goes you'd have to Google search that and I doubt there is anything out there that is trustworthy.

              Can't the affected system be taken back to an earlier time using System Restore or from backups?

              • 4. Re: Cryptolocker Decryption
                joannab

                Unfortunately no; I think also that usually data is destroyed after a certain time.

                • 5. Re: Cryptolocker Decryption
                  Peter M

                  That's too bad.   I've moved this topic over to Malware Discussion > Corporate User Assistance to see if anyone here has any ideas that could help.