12

I just got infected with "Crypt0L0cker" malware,virus or whatever that might be. They gave me a link (http://bica3zjnvl6fxkqf.tor-area.org/jrrk14.php?%20user_code=94aya99&user_pass=2616, the target site being suspicious the link is voluntary not clickable) to pay the ransom.

I don't know if is the "real" "cryptolocker or a copycat, but since I've opened the e-mail, (the virus was attached to a simulated electrical bill), it encrypted all my files in minutes.

One of the problems is that the external backup HD was also attached at the time.

I don't have any possibility to pay, and even if I would, I wouldn't pay them a nickle, since they will most certainly use the ransom money to develop an even more awful tool.

I've tried already "HexCmp2", "Decrypt_mblblock", "RakhniDecryptor", "ReactorDecryptor" and "TorrentUnlocker" but nothing seems to work.

Is there any way I could decrypt my files, any tool that will work?

Vilican
  • 2,703
  • 8
  • 21
  • 35
Arx
  • 131
  • 1
  • 1
  • 4
  • Try using shadow copy explorer and if not working, give a chance to forensic tools like scalpel or foremost. – r00t Jul 26 '15 at 15:21
  • 4
    For one thing, stop running random programs you find on the internet - this is how you got caught in the first place! ;-) – AviD Jul 26 '15 at 16:23
  • 6
    Also - I am sorry to say, I just had to deal with this myself (for a family member, not myself) and sadly enough it looks like they are one of the few that got crypto right - which means there is no simple way to break it :-( I really hope to be proven wrong... – AviD Jul 26 '15 at 16:25
  • 3
    For next time - https://crashplan.com – Neil Smithline Jul 26 '15 at 16:46
  • Or use a separate device for online activities, e.g. your smartphone, another computer, your TV etc., you can connect to such a device from the computer you normally work on using programs such as VNC, TeamViewer, SmartView etc. – Count Iblis Jul 26 '15 at 20:03
  • 1
    @CountIblis: it's been a while since "online activities" *weren't* part (most, even) of what I "normally work on". Which is not to say it's impossible to separate, but I think it's astonishingly inconvenient for most people. It's the fact the virus got to the only backup that's the real blow here, otherwise it wouldn't particularly matter that the "normal work" machine was trashed. – Steve Jessop Jul 27 '15 at 00:35
  • Other problem is that I've re-installed the Windows after I deleted the virus – Arx Jul 27 '15 at 02:55
  • I do not know if this malware is based on this, but the author of one of the biggest ransomware has published the keys. One may work for you if Crypt0L0cker is a fork. – Cyrbil Jul 27 '15 at 06:53

3 Answers3

10

I do not want to be pessimistic but the ransomware author is the only party that knows the needed private decryption key. CryptoLocker uses using a mixture of RSA & AES encryption. There are good security practices to prevent your computer from being infected by it, but once infected there is not something to do really about it for the moment. Do not waste money in buying tools pretending to be able to decrypt the files. But if you have done previous some restore point using System Restore of Windows then you have a big chance to recover your files.

  • 1
    Sadly, the solution I found was to nuke it. Trying to use the System Restore seems like a great idea, but it only works if it has the files. Usually, some programs when installed will create such point. But the System Restore isn't a great great resource, but may work. Notice that after trying to restore the system, you don't want to keep that Windows installation and you will really want a clean version. In short, try to use System Restore, copy whatever you can and format it. – Ismael Miguel Jul 26 '15 at 21:12
  • 1
    Don't forget to wipe that bootloader. It's heaven for rootkits and it can survive formatting. – Nate Jul 26 '15 at 22:06
  • 1
    Saddly yeah, I've just saw a "sad" thing on "Boxcryptor" website : -" Cracking a 128 bit AES key with a state-of-the-art supercomputer would take longer than the presumed age of the universe. " – Arx Jul 27 '15 at 02:57
  • 1
    @Arx On the whole, that's not so sad, since pretty much all of e-commerce (and lots of other things that need to be secure) depend on that. If you could easily break AES, we'd have much bigger problems than Cryptolocker. – reirab Jul 27 '15 at 04:01
  • Thanks alot for the help, I've never used that tool before, but I'll give it a shot :) – Arx Jul 28 '15 at 01:28
1

One could recover from older infections by file-restoration programs and even decrypting the crypted ones (using the leftover deleted key).

None of these options work anymore (unless you pulled the powerplug/battary when your hd started to perform excessive work (nobody did or recognizes that, especially on non-tweaked FF/Win8 hd-killing software)).

After full encryption the key is shredded (no longer just deleted), as are the restore points and encrypted/deleted data.

The main point I'm posting this answer however is to warn: the machines that I've had to work on ALSO had infections in the system-recovery (I mean, 'back to factory' aka 'reinstall windows'), however on most machines this led system-recovery to fail entirely, thank [enter deity here], otherwise one could get the illusion one at least got their OS back.. (not realizing the hostage-software and identity-theft malware that is also shipped (hey these guy's and their 'support-employees' got to get payed even if the victem doesn't do it themselves..) would be ready for another go at it..)

If you got this pest, bring your pc to an advanced repair person/center to recover your OS license, wipe correctly and reinstall legally (you had a legal machine right?).
Also clean all your USB (I had one customer f up his machine the moment he got home with an infected USB stick) and external drives!

PS: don't waist to much time investigating your options, after a week the ransom will be double (and so on).

That being said (warned!!!), victims of older cryptolocker can visit: http://www.decryptcryptolocker.com/ to get their data back for FREE.

"All they have to do is submit a file that's been encrypted from that we can figure out which encryption key was used," said Greg Day, chief technology officer at FireEye.

Source: http://www.bbc.com/news/technology-28661463 (here you can also see a picture and the name of the one who did this to you.. (and stole over 3Milion $ from justice departments, law-enforcement, governments, corporations, and you and me).

It might pay off to backup the encrypted data securely and wait..

GitaarLAB
  • 321
  • 2
  • 9
  • forgot to mention: it is known that about 5 to 20 % (on average, including the latest versions of cryptowall) of your files are *not* recovered using the decryptor the criminals send to you. They are lost forever (their 'support' is only 'helpful' to get you to pay, after that 'support' ends), so you need to take this into consideration! You can check your registry for a full list of your encrypted files (this key must remain intact if you want to pay the ransom and run the decryptor). The current list of encrypted file-extensions is not that big. – GitaarLAB Jul 27 '15 at 02:30
  • http://www.decryptcryptolocker.com/ doesn't work anymore. "We believe that our Decryptolocker site has served its purpose, and we have decommissioned it given that the threat landscape has evolved." – Arx Jul 27 '15 at 02:49
-1

If the malware creator did his crypto correctly, there is no way to decrypt the files. Strong crypto is strong, no matter whether it's used for good or nefarious purposes.

Some of these ransomware happen to transmit the key over unencrypted HTTP to their remote server; in the rare case you had an HTTP proxy intercept the connection, you may look at the proxy's logs and see if the key is there.

Anonymous
  • 7
  • 1
  • 3
    Unfortunately, Cryptolocker uses PKI, and the private key is on the attacker's computer, so sniffing or intercepting traffic won't help. – Milen Jul 26 '15 at 17:44
  • Thanks you all for support, I think my problem is "unsolvable", at least for now, maybe I'll just save the encrypted files somewhere, it may come in handy if in near future someone will find a way to decrypt them, but I sincerely doubt it. – Arx Jul 27 '15 at 03:04