Feeling responsible for an unfortunate ransomware infection on my parents' network, I kept at it and was eventually able to decrypt a strain of ransomware that had not previously (or at least not publicly) been cracked. I hope this helps others out there affected by the same strain.
CL 184.108.40.206 Fairytail
On December 9, my father asked me to open his computer up so he could connect in while on vacation. It was late and I was feeling a little too lazy to build a VPN solution. Instead, I forwarded port 3389 to his computer and enabled Remote Desktop.
As his computer had no password on it, I told him he had to use one. Unfortunately, his first name was not a very strong password. Two days later at 3:00 am, his computer was infected. By morning, everything was encrypted. This was also a very rare situation where his other computer was also turned on, which houses all of his important data. This was also encrypted.
The prognosis did not look good. Everywhere online said it's Cryakl, impossible to decrypt. I tried the Rannoh Decrypter, which hadn't been updated for about a year, and wasn't surprised to see that it didn't work. There were no shadow copies to work with and no recent backups. I began running data recovery software with the hope that I could recover some files. While many pictures were found this way, other important files were not. I was still not satisfied. I took his computers to my house and worked on a small set of files for about a month. I was ultimately able to manually decrypt a file. Then I was able to refine and repeat the process on any file on his computer. I developed a tool to go through any drive or folder recursively and have now managed to decrypt his entire computer.
At this time, the tool requires a file as it existed before encryption, together with its encrypted counterpart. These two files MUST be the same file (the original and its encrypted version) for the tool to work properly. I have built in some checks and balances, but I will not go as far as saying that it's perfect. ALWAYS do a backup of the encrypted data before using this tool. Please take your time and read the instructions. If you mess up the encrypted files, there's a good chance that the data will truly be lost forever.
If any researchers from the big security firms out there would like to know how the decryption works, I am happy to discuss it with you. I did briefly post the solution online but took it down as I did not want to tell the extortionists where to improve.
This tool is for files with filenames that look like this:
firstname.lastname@example.org-CL 220.127.116.11.id-#########-12@11@2017 3@23@45 AM7563453.fname-README.txt.fairytail
- or -
email@example.com-CL 18.104.22.168.id-#########-12@11@2017 3@23@45 AM7563453.fname-README.txt.fairytail
On a final note, I just want to emphasize this one more time -- BACKUP YOUR FILES BEFORE USING THIS TOOL.
Here is a link to the decryption tool:
Updated Feb 27, 2018
- Fixed a bug that was leaving small files (less than 2 kb) encrypted
- Added some code to help ensure that fairydust files are not locked before attempting changes
For troubleshooting tips and past update details, see the notes at the end of the article.
**** If you require support please use the Ask a Question feature of Experts Exchange. Please be sure to include the term "Fairytail" in your question so I can find it easier. This will help keep the comments section clean and will allow me to work with each case in a separate space. If the tool is not decrypting your files properly, you may have a strain that I have not yet seen. Please include with your question a zip file containing your unencrypted original file, its encrypted counterpart and some other sample files that I can test with.
**** If you are having trouble finding an original, unencrypted file, see the tips below:
- Review the files in your downloads folder. If you think you can download any of those files again, you will have an original file to use.
- Go through your flash drives and external hard drives that were not connected at the time of infection. You may find a document that can serve as an original file if it was still on your PC and happened to get encrypted.
- Check to see if the files in "C:\Windows\Media\" are encrypted on your PC. If they are, find the unencrypted file on any other computer with a matching operating system.
- Log into your email in a web browser and check for sent messages with attachments. It's likely that one of those attachments is encrypted on your computer. This can serve as your unencrypted file.
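The filename structure shown above, and the job of pairing a known-good original with its encrypted counterpart, can both be handled with a small script. The following is an added example, not the article's decryption tool and not anything from its author: it does no decryption at all. It parses the Fairytail-style filename into its fields (the email, the "CL" version, the id, the timestamp and the original filename), surveys a folder tree for files that match, pairs candidate originals (a re-downloaded file, a copy from a flash drive, a sent attachment) with the encrypted file that embeds the same original name, and flags when the encrypted files on a drive carry more than one email/version/id combination, which is a hint that one original/encrypted pair may not fit every file. The regular expression, the field names and the sample filenames are assumptions built from the two examples in the article; the grouping check is a filename heuristic, not the tool's encryption-fingerprint signature.

```python
"""Survey a drive for Fairytail-renamed files and pair them with plaintext
originals.  Added example for this article; it is NOT the author's decryption
tool and decrypts nothing.  It only works on the filename layout the article
shows (regex and field names are assumptions built from those two samples)."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Layout as shown in the article:
#   <email>-CL <version>.id-<id>-<date> <time> <AM|PM><digits>.fname-<original>.fairytail
# Date and time carry '@' where '/' and ':' would be illegal in a Windows filename.
FAIRYTAIL_RE = re.compile(
    r"^(?P<email>.+?)-CL (?P<version>[\d.]+)\.id-(?P<id>[^-]+)-"
    r"(?P<timestamp>\d{1,2}@\d{1,2}@\d{4} \d{1,2}@\d{2}@\d{2} [AP]M)\d*"
    r"\.fname-(?P<original>.+)\.fairytail$"
)


@dataclass(frozen=True)
class FairytailName:
    email: str        # extortionist contact address embedded in the name
    version: str      # the "CL ..." version string
    victim_id: str    # per-victim id (shown as ######### in the article)
    timestamp: str    # encryption time as written by the malware
    original: str     # the file's name before it was renamed


def parse_fairytail_name(path: str) -> Optional[FairytailName]:
    """Return the parsed fields, or None if the basename is not Fairytail-shaped."""
    m = FAIRYTAIL_RE.match(os.path.basename(path))
    if m is None:
        return None
    return FairytailName(m["email"], m["version"], m["id"], m["timestamp"], m["original"])


def pair_with_originals(originals: Iterable[str],
                        encrypted: Iterable[str]) -> Dict[str, Optional[str]]:
    """For each plaintext candidate, find the encrypted file whose embedded
    original name equals the candidate's basename.  None = no counterpart found."""
    by_original: Dict[str, str] = {}
    for enc in encrypted:
        parsed = parse_fairytail_name(enc)
        if parsed is not None:
            by_original.setdefault(parsed.original, enc)  # keep the first hit
    return {os.path.basename(o): by_original.get(os.path.basename(o)) for o in originals}


def distinct_campaigns(encrypted: Iterable[str]) -> Set[Tuple[str, str, str]]:
    """Set of (email, version, id) triples seen in the names.  More than one
    triple means the files were not all produced by the same infection, so a
    single original/encrypted pair cannot be assumed to fit every file.
    Filename heuristic only; not the tool's encryption-fingerprint signature."""
    return {(p.email, p.version, p.victim_id)
            for p in map(parse_fairytail_name, encrypted) if p is not None}


def survey_directory(root: str) -> Tuple[List[str], List[str]]:
    """Walk root recursively; return (encrypted_paths, other_paths)."""
    encrypted: List[str] = []
    other: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            (encrypted if parse_fairytail_name(name) else other).append(full)
    return encrypted, other


# Constructed sample names, modelled on the article's two examples.
SAMPLE_ENC = ("email@example.com-CL 18.104.22.168.id-#########-12@11@2017 3@23@45 AM7563453"
              ".fname-README.txt.fairytail")
SAMPLE_ENC_2 = ("firstname.lastname@example.org-CL 220.127.116.11.id-#########-"
                "12@11@2017 3@24@01 AM7563453.fname-holiday.jpg.fairytail")


def demo() -> Dict[str, int]:
    """Build a throwaway tree of constructed files and summarise it."""
    root = tempfile.mkdtemp(prefix="fairytail-demo-")
    os.makedirs(os.path.join(root, "Documents"))
    for name in (SAMPLE_ENC, os.path.join("Documents", SAMPLE_ENC_2), "notes-README.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"constructed sample content")
    encrypted, other = survey_directory(root)
    return {"encrypted": len(encrypted), "untouched": len(other),
            "campaigns": len(distinct_campaigns(encrypted))}


if __name__ == "__main__":
    print(demo())
    print(pair_with_originals(["Downloads/README.txt", "photo.jpg"], [SAMPLE_ENC]))
```

Run it against a copy of the encrypted drive, never the only copy, and use the pairing output to confirm that the original you found really is the same file as the encrypted one before handing both to the tool.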
Feb 11, 2018
- Updated interface to include a Job Summary which helps you to know what files and directories the application is set to work with.
- Added a feature to create a signature from the encryption fingerprint of encrypted analysis file. If a different signature is found during decryption, it will not modify the contents of that file. Attempting to decrypt files with different signatures will result in broken files.
Feb 10, 2018
- Fixed a bug that was leaving bytes 48000-49999 encrypted.
Feb 8, 2018
- Updated technique for parsing the filename structure to automatically handle slight variations
- Fixed a bug when decrypting files larger than 2GB and choosing to keep encrypted files.
- When choosing to keep encrypted files, application will now copy the encrypted file into a new file called [original_filename].fairydust. Once that file has been fixed, it is renamed to the original file name.
- When decrypting a single file, you will now see the status dialog appear.
- If a file being decrypted already exists, it will append a timestamp to the end of the file name. This will be useful if you were able to partially restore some files from backup before decryption.
Feb 3, 2018
- Fixed a bug causing problems when choosing not to keep encrypted files
- Fixed a bug resulting from different filename structures that caused a problem decrypting a directory