
I am helping a friend who is an accountant and got all of her books locked due to this. Here are some details:

  • BTC address of the attacker: 1MBwkTssJkqRvXmAFcSEZ3xTD39A9rkyYA
  • Email: helptoyou1@india.com
  • File name example: V1rf3n+NT9R1ZM7SmU0.helptoyou1@india.com.8464DBdhFhbd4.lock
  • Filename of ransom notice: How to restore files.hta

Screenshot of ransom notice.

Neither globe nor globe2 could help ("error: reference files missing" after dragging and dropping both an encrypted and a non-encrypted file to it at once).

Also this thread at Bleeping Computer did not help much.

My friend paid 1 BTC to the scammers, after which they sent no key and asked for more money (obviously). Unfortunately, I am not much of a cryptographer, so I am seeking your help to decrypt the files.

Edit: This is what Recuva says (unable to recover since file x was overwritten by file y.lock).

UPDATE: No solution was found, the person had to format her computer and lose all the data.

Oleg Belousov
    The only reliable method to recover from a ransomware attack is to restore the data from backups. If you don't have backups, you're basically stuck - you can try to pay (might work, might not - nothing to prevent a fake ransomware which just scrambles data unrecoverably from existing), but unless you get a decryption key, the data is gone. Modern encryption is good enough that it's infeasible to crack, unless there is a mistake in the implementation. – Matthew Dec 05 '16 at 13:57
  • 1
    Would the windows system backup, created automatically before major updates (and states explicitly that it doesn't affect any files aside the system) help? :( – Oleg Belousov Dec 05 '16 at 14:03
  • 1
    The problem is that it doesn't take a lot of effort to find a pre-written encryption library and to wrap some file finding code around that. There are a lot of legitimate uses for crypto libraries, and they are pretty foolproof. Personally, I'd consider those files gone. Windows system backup won't help - it's only the system files that are being changed by the specific update. – Matthew Dec 05 '16 at 14:07
  • 9
    Do not pay, as you've already discovered there is relatively little chance you will get a key back. Also, advise that you rebuild the PC as even if you do manage to get an unlock key, it is reasonably common for a secondary infection to be placed on the PC that triggers after a few months. The only protection against ransomware is an offline/versioned backup. – Julian Knight Dec 05 '16 at 14:22
  • 1
    I know you've mentioned that you've used nomoreransom.org in a comment on an answer below, but could you confirm the exact ransomware variant you have? If nomoreransom didn't give an answer you could try uploading the ransom note hta file to https://id-ransomware.malwarehunterteam.com – GreatSeaSpider Dec 05 '16 at 15:43
  • @GreatSeaSpider `id-ransomeware` also did not help at all. – Oleg Belousov Dec 07 '16 at 14:20
  • Yup, The computer just got formatter.... that's a real pity.... – Oleg Belousov Dec 08 '16 at 10:06

4 Answers

I don't think you will see those files again, unless you have a back up.

You can view the transaction history of the Bitcoin address you were asked to pay to here. As you can see, there are 303 transactions in total and many of them are for 1 BTC.

That implies that the same Bitcoin address has been given to multiple victims. This in turn means that it is impossible for the perpetrators to know who has paid, and what encryption key should be sent. (Hence the odd request for a screenshot, I presume.)

So either they are incompetent in their handling of the ransom, or much more likely, they are not restoring any files, instead just milking victims on more and more money. And if they are not restoring any files, why even bother to encrypt them when you can just overwrite them with random garbage?

So those files are probably gone, no matter if you pay or not.

Edit: There are some good points in comments. Potentially the screenshots could be used as proof of payments, although a flawed one. And even if payment does not lead to decryption the files might still be encrypted.

But even with this taken into account, unless a remedy for this specific version of ransomware pops up, you are very unlikely to be able to restore your files. Nkal's answer has a great link to a repository of such remedies.

Edit 2: This Troy Hunt blogpost follows a similar line of reasoning about extortion and Bitcoins.

Edit 3: The recent WannaCry outbreak has made me reconsider this answer. Apparently WannaCry uses three hardcoded bitcoin wallets, but people still seem to have gotten their files decrypted. So I think the base assumption of this answer is wrong.

Anders
  • I think the question was about how to decrypt because paying didn't work. I don't think they were waiting for something else to work. – schroeder Dec 05 '16 at 15:30
  • @Anders: the obvious reason they choose to encrypt instead of deleting is that if they delete you won't pay anything, having no hope of recovery? – Olivier Dulac Dec 05 '16 at 18:34
  • They ask for a screenshot of the payment (which presumably includes a source address that can be used for identification) and for an id of the machine. Isn't this enough to identify who has paid and which key to send them? – Federico Poloni Dec 05 '16 at 18:35
  • @OlivierDulac It's actually quite trivial to say you've done one thing (encrypt) when you've actually done something else instead (delete), especially when the results are nigh indistinguishable until after you've been paid. – 8bittree Dec 07 '16 at 17:19

First line of defense: BACKUPS. Restore the files from there. When available, this has a 100% chance of success.

Otherwise: hope that the ransomware did not disable/work around the Windows Shadow Copy service and that it was active to begin with. Choose one of the files, right click, Properties, "Previous Versions". Is there a previous version from before the attack?

If not: hope that the original files were just deleted without overwrite, and that they were not deleted the easiest way, one at a time; or that if it happened, the Windows space allocation strategy left the original space unused as long as possible, rather than allocating each new encrypted file to the deleted original file of the previous round; which means that you need the disk to be more than 50% free to begin with. Run a file undelete utility (e.g. Piriform's Recuva).

Sometimes, the files you're interested in might have had previous versions deleted before the ransomware attack. These deleted versions, while not current, could be valuable, and not being able to see them (they were deleted), the ransomware shouldn't have encrypted them.

Otherwise: the only recourse is the "good faith" of the attackers. Sadly, you already verified it doesn't work, which also bodes ill for the other possibilities. It is in the scammers' interest to deliver, to reassure their other victims and also sometimes to be able to slip you a second infection and milk you again a month hence. If they didn't, chances are that they can't (1).

Lastly, the remotest of hopes: keep the encrypted disk somewhere safe and reinstall on a new disk. Assuming the attackers were in good faith and the data is really encrypted and recoverable, instead of just replaced with random noise or unrecoverable (2), it might happen that in a week, a month, or some years, either the command-and-control server will be taken down and the keys recovered, or an error will surface in the encryption strategy and someone will write a recovery tool (it has happened, for three ransomware families out of... unfortunately, several). Some data might be recoverable then.

UPDATE 2016/12: (Some) CryptoLocker 3 decryption possible.

(1) it is not so easy to write a ransomware - or to do so "correctly"; an easier approach is to modify an existing one so that it sports their bitcoin account and disposable email, instead of those of the original authors. Of course they don't have all the infrastructure required to really receive the encryption keys and give them back to paying victims - they're only running a quick money scheme. They milk their victims for what they can, without ever being able to actually give them back their files.

(2) e.g. because they did use the system's encryption routines, but they mismanaged the keys or they lost them in transmission. Or because, see previous note, this is not their ransomware at all.

LSerni
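A scripted form of the "Previous Versions" check from the answer above, added here as an example (not the answerer's code): it enumerates the Volume Shadow Copies for the volume holding a file, looks for that file inside each snapshot, and copies out any version taken before the attack instead of restoring in place. The file path, attack date and output folder are placeholders; it assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the answer): find pre-attack copies of a file in VSS snapshots.
# $Target, $AttackTime and $OutDir are placeholders - adjust to the real file and date.
param(
    [string]$Target       = 'C:\Users\Alice\Documents\ledger.xlsx',  # placeholder path
    [datetime]$AttackTime = '2016-12-04',                            # placeholder: when files got locked
    [string]$OutDir       = 'C:\recovered'                           # copies land here, originals untouched
)

$drive   = [System.IO.Path]::GetPathRoot($Target)      # e.g. 'C:\'
$relPath = $Target.Substring($drive.Length)            # path relative to the volume root

# Win32_ShadowCopy.VolumeName holds the \\?\Volume{GUID}\ id, not the drive letter, so map it.
$volume  = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $drive.TrimEnd('\') }
$shadows = Get-CimInstance Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $volume.DeviceID } |
           Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Warning "No shadow copies exist for $drive (VSS disabled, never enabled, or deleted)."
    return
}
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

foreach ($s in $shadows) {
    # A snapshot is only reachable through its device object; expose it with a directory
    # symlink (mklink) since PowerShell cannot open \\?\GLOBALROOT paths directly.
    # The link lives under %windir%\Temp so the path has no spaces to quote.
    $link = Join-Path $env:windir ("Temp\vss_" + $s.ID.Trim('{}'))
    cmd /c mklink /d $link "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $relPath
        if (Test-Path -LiteralPath $candidate) {
            $item = Get-Item -LiteralPath $candidate
            $pre  = $s.InstallDate -lt $AttackTime
            $tag  = if ($pre) { 'PRE-ATTACK ' } else { 'post-attack' }
            Write-Host ("{0} snapshot {1:u} size {2,10} {3}" -f $tag, $s.InstallDate, $item.Length, $s.ID)
            if ($pre) {
                # Keep the snapshot time in the name so several versions can coexist.
                $dest = Join-Path $OutDir ("{0:yyyyMMdd-HHmmss}_{1}" -f $s.InstallDate, $item.Name)
                Copy-Item -LiteralPath $candidate -Destination $dest
            }
        } else {
            Write-Host ("absent      snapshot {0:u} {1}" -f $s.InstallDate, $s.ID)
        }
    } finally {
        cmd /c rmdir $link | Out-Null    # removes only the link, never the snapshot contents
    }
}
```

If the script reports no shadow copies at all on a volume that had System Protection enabled, that is itself a sign the ransomware deleted them, which is worth noting before deciding on undelete tools.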

Europol has a web page with a contact form that you can use to check if a solution is available to your friend's problem.

https://www.nomoreransom.org/

jedidog

I've not used it, but you may have some luck with this free tool from Trend Micro.

It appears to be updated regularly so even if the files can't be decrypted today they may be able to at some point in the future.

James Snell