De-encryption of Cryptolock ransomware encrypted files

    Question

  • Good afternoon, colleagues:

    My PC was infected by a file-encrypting ransomware virus (Cryptolock) through a trojan email.  I removed the virus using Malwarebytes.  My files remain encrypted.  What measure(s) can I take to de-encrypt the files?

    Thanks and best,

    DJW51

    Thursday, October 10, 2013 4:45 PM

All replies

  • Hi, We have just recovered from an infection of this virus.

    The files are encrypted with RSA 2048-bit, which means it is not possible to decrypt them without the private key, which is only held by the attackers.

    The ONLY way to get the files unencrypted is to pay the ransom money and as long as the timer has not expired and luck is on your side they will acknowledge the payment and decrypt the files.

    I agree that it is madness to pay these people but unless you have a backup of the files there is simply no other way.

    We paid as our client did not have new enough backups of the files. It encrypted 90,000 files in 5 hours, silently and then announced itself.

    For reference, we researched this for 15 hours straight before paying and it really was the last resort.

    We paid 2BTC (bitcoins) and within one hour of transferring them to the criminals and entering the transaction ID into the cryptolocker software it started decrypting the files. As soon as it completed we pulled out the network cable to that PC and all files are back to normal.

    Good luck sorting it out.

    J

    Friday, October 11, 2013 5:59 PM
  • Hi,

    It seems there is no way to get your files back without paying the ransom.

    I have no idea in this age of big brother security why they can't trace the payment; somewhere, somehow the money is being turned over to someone that must present an ID.

    How can these criminals get the money without an ID? Is there anywhere where you can just get money over the counter with no ID?

    We all need to write our MP or Senator and get the pressure put on the payment services; they are laundering money for criminals, could be funding terrorists or who knows.

    What I would like is a wireless backup drive that can be password protected, or a password-protected cloud drive, to keep viruses away! Is this possible? How / what do I need to set it up?


    • Edited by Stan stockdale Wednesday, October 23, 2013 11:00 AM added text
    Wednesday, October 23, 2013 10:51 AM

  • How can these criminals get the money without an ID? Is there anywhere where you can just get money over the counter with no ID?


    What I would like is a wireless backup drive that can be password protected, or a password-protected cloud drive, to keep viruses away! Is this possible? How / what do I need to set it up?


    This is part of the BitCoin anonymity. Read here for details:
    http://en.wikipedia.org/wiki/Bitcoin#Privacy

    They can receive those BitCoins and then exchange them for real cash that cannot be traced. They may also use MoneyPak, which is not traceable either. The only way to track them down is through those servers that they use to store the private key after encrypting your files. Most certainly they are hosting it with some shared online web hosting service that requires some identification before it is set up. I saw some reports today that this ransomware most certainly originated in Russia, or in Eastern Europe, so as you can see it will be very problematic for law enforcement to even begin facing the problem from the U.S. or Western Europe.

    One "encouraging" thing (I put it into quotes) is what @Jerr_y said, that this ransomware "honors" the payment and at least decrypts the files. Keep in mind though that if you remove it from your computer after your files are encrypted, or if you're unlucky enough for the server where the private key was stored to have been shut down, this will mean that your files are gone. Period. The encryption that they use is too strong to break in any reasonable amount of time.

    So to answer the original poster's question. Sorry, it's too late for you to act on it. This is how horrible this thing is. And I truly hope that they catch those comrades who made it!

    As a preventative measure against it though, so far all I can think of is a good off-site back-up that supports versioning (to distinguish good files from "encrypted" ones.) Note that since your local back up (on an external drive) can be seen by this malware, it can hypothetically encrypt it as well and render it useless! That's what makes it so nasty.



    • Edited by ahmd0 Tuesday, October 29, 2013 1:13 AM
    Monday, October 28, 2013 12:06 AM
  • When they entered the payment info did the program stay in the foreground?  Our virus software removed it but we had another image that alerted us to re-download or restore from quarantine.  We re-ran the Cryptolocker program and it showed the remaining time.  We hit Next and then entered MoneyPak info.  It told us that it could take up to 48 hours to manually verify the payment.  It showed that it was waiting for verification in a status-like screen and said to not power it off or disconnect from the Internet, and it said it would stop the timer during the payment verification.  It then disappeared and I wonder if it will actually work.  From looking at the screenshots on the net, it looks like it shows the status of the decryption on the same program I was entering the payment info on.

    Did it show the status of the files decrypting after you entered the payment?  I wonder if I run the Cryptolocker app if it will start where it left off.

    Thanks

    CW

    Tuesday, October 29, 2013 12:36 AM
  • When they entered the payment info did the program stay in the foreground?  Our virus software removed it but we had another image that alerted us to re-download or restore from quarantine.  We re-ran the Cryptolocker program and it showed the remaining time.  We hit Next and then entered MoneyPak info.  It told us that it could take up to 48 hours to manually verify the payment.  It showed that it was waiting for verification in a status-like screen and said to not power it off or disconnect from the Internet, and it said it would stop the timer during the payment verification.  It then disappeared and I wonder if it will actually work.  From looking at the screenshots on the net, it looks like it shows the status of the decryption on the same program I was entering the payment info on.

    Did it show the status of the files decrypting after you entered the payment?  I wonder if I run the Cryptolocker app if it will start where it left off.

    Thanks

    CW

    I did not experiment with the actual Cryptolocker. Sorry, buddy. You're obviously at the mercy of those scumbags who wrote it as there's no manual or support hotline for it. If it said that it would decrypt the files and disappeared, check the disc and CPU activity via the Task Manager and the Resource Monitor. Look for the process that consistently takes CPU and disc time slices and then do a Google search on its name. For example (from my clean computer):

    In theory if it's decrypting your files it may do so in the background. It will obviously take time (depending on their size.) It may take up to a day or even longer to decrypt them back. So if you do see disc write activity, I'd let that process do its thing. Also keep checking your actual files to make sure that you can open them. And if you do get something back, copy them AS SOON AS possible to some external drive and transfer them to a clean computer. Also please disable your crappy antivirus software because at this point it may only screw things up even worse! So if you're lucky, when done, or if close to being done, make sure to back up the rest of your data, completely erase the infected hard drive and re-install Windows. Only then will it be safe to use that computer. And hopefully this teaches everyone to do periodic offsite backups! Good luck!

    Tuesday, October 29, 2013 1:35 AM
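A scripted version of the Task Manager / Resource Monitor check suggested in the reply above, added here as an example and not part of the original thread. It samples per-process disk write throughput for a few seconds and lists the busiest writers together with the path of their executable, so a process that is steadily writing can be identified and looked up by name; the sampling window is an assumption you can change.

```powershell
# Added example (not from the thread): find the processes doing sustained disk writes,
# the scripted equivalent of watching the Resource Monitor "Disk" tab.
$Seconds = 10   # assumed sampling window; a busy (de|en)crypting process stays active throughout

# One sample over $Seconds of the per-process write-rate counter; Get-Counter handles the
# two raw reads a "/sec" counter needs internally.
$samples = (Get-Counter -Counter '\Process(*)\IO Write Bytes/sec' `
                        -SampleInterval $Seconds -MaxSamples 1).CounterSamples

$samples |
    Where-Object { $_.InstanceName -notin @('_total', 'idle', 'system') -and $_.CookedValue -gt 0 } |
    Sort-Object CookedValue -Descending |
    Select-Object -First 10 |
    ForEach-Object {
        # Counter instances are named "name" or "name#2" for duplicates; Get-Process wants the bare name.
        $name = $_.InstanceName -replace '#\d+$', ''
        $proc = Get-Process -Name $name -ErrorAction SilentlyContinue | Select-Object -First 1
        [pscustomobject]@{
            Process          = $_.InstanceName
            WriteBytesPerSec = [int64]$_.CookedValue
            Path             = $proc.Path   # empty for protected processes whose path cannot be read
        }
    } | Format-Table -AutoSize
```

Run it a few times: a process that stays near the top across runs, especially one whose Path is under a user profile or temp folder rather than Windows or Program Files, is the one whose name is worth researching.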
  • I've read that some people are having luck with their system restore if they were smart enough to have it enabled.

    If you're one of these people, then let's try and get your stuff back.

    Load the program here from BleepingComputer to get a list of all the files that the virus has encrypted.

    From here, you can follow these instructions:

    How to restore your encrypted files from Shadow Volume Copies

    If System Restore is enabled on your computer, then it is possible to restore previous versions of the encrypted files. Though these previous versions will not be encrypted, they may also not be the latest version of the file. Please note that Shadow Volume Copies, and thus Previous Versions, are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.

    To restore individual files you can right click on the file and select the Previous Versions tab. This tab will list all copies of this file that have been stored in a Shadow Volume Copy. You can then select an earlier version and restore it.

    Due to the number of files encrypted by Cryptolocker, restoring them one-by-one can be a time consuming and arduous task. Instead you can use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.

    When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.

    (Image: shadow-explorer.jpg, the Shadow Explorer drive and date selection screen)

    To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.

    I haven't personally dealt with this virus, this is just what I was able to dig up on the interwebs.

    Tuesday, October 29, 2013 2:09 AM
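The Shadow Explorer procedure in the reply above can also be done from an elevated PowerShell prompt; this is an added example, not from the thread or from Shadow Explorer. It lists the Volume Shadow Copies of C:, picks the newest one created before the files were encrypted, exposes it through a temporary directory link and copies a folder out with robocopy. The folder, destination drive, cut-off date and link path are placeholders you must adjust.

```powershell
# Added example (not from the thread): scripted restore of a folder from a Volume Shadow Copy.
# Requires an elevated prompt. All four values below are placeholders.
$SourceFolder = 'Users\Alice\Documents'   # folder to recover, relative to the volume root
$Destination  = 'E:\recovered\Documents'  # put recovered files on a separate, clean drive
$Cutoff       = Get-Date '2013-10-10'     # first moment you know the files were encrypted
$LinkPath     = 'C:\shadow'               # temporary mount point for the snapshot

# 1. Snapshots belonging to the C: volume, oldest first (both sides use the \\?\Volume{GUID}\ form).
$volume  = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate
if (-not $shadows) { throw 'No shadow copies exist for C:; Previous Versions cannot help here.' }
$shadows | Format-Table InstallDate, ID, DeviceObject -AutoSize

# 2. Newest snapshot taken before the encryption: clean, but as recent as possible.
$snap = $shadows | Where-Object { $_.InstallDate -lt $Cutoff } | Select-Object -Last 1
if (-not $snap) { throw "Every shadow copy on C: is newer than $Cutoff and may already hold encrypted files." }
Write-Host "Restoring from snapshot $($snap.ID) taken $($snap.InstallDate)"

# 3. Expose the snapshot as a directory via mklink. The trailing backslash on the
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN target is required.
if (Test-Path $LinkPath) { throw "$LinkPath already exists; choose another link path." }
& cmd.exe /c mklink /d $LinkPath "$($snap.DeviceObject)\" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'mklink failed; are you running as administrator?' }

try {
    # 4. Copy the folder out. The snapshot is read-only and is never modified.
    #    /E keeps subfolders; /R:1 /W:1 keep unreadable files from stalling the run.
    $src = Join-Path $LinkPath $SourceFolder
    if (-not (Test-Path $src)) { throw "$SourceFolder is not present in that snapshot." }
    & robocopy.exe $src $Destination /E /COPY:DAT /R:1 /W:1 /NP
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors (exit code $LASTEXITCODE)." }
}
finally {
    # 5. Remove only the link; rmdir on a directory symlink does not touch the snapshot.
    & cmd.exe /c rmdir $LinkPath
}
```

Open a few of the copied files before trusting the result, since a snapshot taken after the infection began may already contain encrypted versions.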
  • Hey Guys!!

    one of my computers running Windows XP Professional got affected by CryptoLocker and I successfully removed it, but what about decrypting the files (MS Office files)?!

    please help !!


    Sunday, January 19, 2014 7:55 AM