Ransomware Decrypter: I have a file that is normal and encrypted!

Hi all,

Recently a new client of mine was infected by a ransomware virus (since this infection, his previous IT consultant has gone underground). All of his Microsoft Office files are encrypted and his backup drive is badly corrupted. However, I was able to restore one file from the drive, and so I possess the same file in its encrypted and non-encrypted form. Is there a way for me to find the encryption key from these two files? I tried one utility from Panda Security, but it did not help. Does anyone have any suggestions?
lofishmanAsked:
btanExec ConsultantCommented:
If the ransomware really does the right crypto using a private/public key type (like the S/MIME type), we can simply write that effort off as it is not worthwhile. I was thinking:
a) First, whether it is really using crypto or just packing or encoding; can try
- Protection ID @ http://pid.gamecopyworld.com/
- If so, it is packing, and we will then need to find the right unpacker @ http://reversengineering.wordpress.com/category/tools/unpackers/

b) Seldom is there an easy way out, as ransomware really does encrypt the files ... then the question is what encryption is used (at least if it is PKI then it really is going to be tough). Minimally, once we know what cryptor we are facing, we can google and search in a targeted fashion
- PEiD may be worth trying to identify the cryptor if possible
 @ http://www.aldeid.com/wiki/PEiD or
 @ http://woodmann.com/BobSoft/Pages/Programs/PEiD

c) If it is any common version of BitLocker, PGP, or TrueCrypt then Elcomsoft has some idea on decrypting it @ http://thenextweb.com/insider/2012/12/20/this-299-tool-is-reportedly-capable-of-cracking-bitlocker-pgp-and-truecrypt-disks-in-real-time/

Truly, it is not going to be easy, but we may be able to recover or carve remanence from file temp or slack space on the HDD to get bits and pieces, e.g. the ransomware makes a copy before encrypting and erases it from the HDD; using a forensic tool to check for deleted files may be possible, but chances are they will do a secure erase and wipe, and this is making the battle worse and not recoverable...
 @ http://pcsupport.about.com/od/filerecovery/tp/free-file-recovery-programs.htm
0

Rich RumbleSecurity SamuraiCommented:
It's possible, but I don't know of a utility that does it. Searching a keyspace is often harder than finding the password used to create the key. This applies to most modern encryption. You can do the same thing for PGP files, have the plain and the encrypted, and never figure out the private key needed to decrypt.
-rich
0
btanExec ConsultantCommented:
If it is password based, hashcat is nice @ http://hashcat.net/hashcat-gui/
Sometimes I also check the ADS if it becomes an exe ... for no reason, as it can store the secret key (but protected most of the time)
@ http://www.nirsoft.net/utils/alternate_data_streams.html
0
lofishmanAuthor Commented:
Thanks for the suggestions, but the file format has not been changed to an .exe. The files are still in the same format, just encrypted.
0
btanExec ConsultantCommented:
No harm trying PEiD or Protection ID
0
BiniekCommented:
Could you post or send one example of an encrypted file? (Of course, only if it is not confidential.)
I can try to recover the password.
0
btanExec ConsultantCommented:
If it is CryptoLocker, which is rather recent, trying to decrypt it is not going to happen, though there is mention of the Panda decryptor doing the initial possible, but most could not get it back still... not even using the Elcomsoft decryptor... possibly only retrieve a backup if they are encrypted too... from shadow or previous versions...
0
lofishmanAuthor Commented:
Hi all,

Someone requested a look at a file. I will attach this one and maybe one of you can decrypt this. As I had mentioned, the backup drive is corrupted, but I was still able to recover some of the documents. It would be great if I could just decrypt what has been encrypted.
LexusofOrland-OrderForm-Merrivil.docx
0
lofishmanAuthor Commented:
Does anyone else out there have any other ideas?
0
btanExec ConsultantCommented:
It is not going to be straightforward, as far as I see from the file.
0
btanExec ConsultantCommented:
So far I haven't heard of any successful decryption with the latest evolved CryptoLocker.
0
Giovanni HewardCommented:
I scanned your file with crypto-un-locker, and here are the results.

[+] Found a potential CryptoLocker file: LexusofOrland-OrderForm-Merrivil.docx

I've compiled this script into an executable and hosted here:

http://itwholesalesupply.com/CryptoUnlocker.zip

You can use it to scan all your client's files to see which ones are affected.

CryptoLocker uses both RSA (public-key, asymmetric) and AES (private-key, symmetric) encryption.

RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other key is kept by the user (or in this case malware author) and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information.)

The malware uses a unique AES key for every file it encrypts. The AES key for decryption is written into the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it. It's a proper hybrid encryption implementation.

In other words, even if one key was found via brute force or by reverse engineering the decryption process, that AES key would only work for that individual file, and the RSA private-key would only work for that individual system.

This private key is never transmitted to the victim without the ransom being paid, nor was it ever stored in the malware binary itself. It was only stored on a remote command and control (C&C) server for a supposedly limited period of time and then destroyed. Why was it destroyed? Likely to prevent mass decryption capability in the event the server is seized.

Apparently, however, the malware author(s) are not destroying keys within the timeframe they have represented, as they've launched a decryption service.

What you're seeing is the proper implementation of both asymmetric and symmetric encryption. The same encryption used to secure financial and government systems.

Your only choices (data recovery aside) are 1) obtain the private key, assuming it hasn't been destroyed -- that means paying the ransom, or 2) brute-force the private key. To brute force a unique 2048-bit RSA private key would theoretically take a lifetime. As distributed supercomputing power increases, you may be able to rent something to do the job around the year 2030.

Before paying the ransom, try to recover the data using VSS volumes via shadow explorer, etc.

See http://www.kyrus-tech.com/cryptolocker-decryption-engine/ for more detail.
0
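The "scan all your client's files" step above can be reproduced without the hosted binary. The following is an added example, not the crypto-un-locker script or any tool from this thread: it flags Office files whose extension is unchanged but whose leading bytes no longer carry the expected container signature and look like ciphertext (high byte entropy), which matches the symptom described in this thread (same format, just encrypted). The 7.5 bits/byte threshold and the 4096-byte sample size are assumptions chosen for this example.

```python
import hashlib
import math
import os
from pathlib import Path

# Leading bytes a healthy file should carry: Office Open XML (.docx/.xlsx/.pptx)
# is a ZIP container, legacy Office (.doc/.xls) is an OLE2 compound document.
ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC, ".pptx": ZIP_MAGIC,
         ".doc": OLE2_MAGIC, ".xls": OLE2_MAGIC}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, lower for structured data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(name: str, head: bytes, threshold: float = 7.5) -> str:
    """Classify a file from its name and first bytes: 'ok', 'suspect' or 'unknown'."""
    magic = MAGIC.get(Path(name).suffix.lower())
    if magic is None:
        return "unknown"          # extension we have no signature for
    if head.startswith(magic):
        return "ok"               # signature intact, content not overwritten
    # Signature gone AND the bytes are ciphertext-like: likely encrypted in place.
    return "suspect" if shannon_entropy(head) > threshold else "unknown"


def scan_tree(root: str, sample: int = 4096) -> dict:
    """Walk a directory and classify every file by its first `sample` bytes."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                results[path] = classify(fn, fh.read(sample))
    return results


# Constructed stand-in for 4096 bytes of ciphertext (deterministic, high entropy):
# chained SHA-256 digests, NOT output of any real ransomware.
SAMPLE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
# Constructed stand-in for an intact .docx header (ZIP local file header + padding).
SAMPLE_DOCX_HEAD = ZIP_MAGIC + b"\x14\x00\x06\x00" + b"\x00" * 56
```

Files reported as "suspect" are the candidates to restore from shadow copies or backups; "unknown" covers extensions the table does not know and low-entropy mismatches such as a mis-named text file.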
btanExec ConsultantCommented:
Wondering if you would be interested in this forensic means to recover the backup
http://securitybraindump.blogspot.ru/2013/11/finding-cryptolocker-encrypted-files.html
0
younghvCommented:
I've requested that this question be closed as follows:

Accepted answer: 500 points for breadtan's comment #a39559041

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
Giovanni HewardCommented:
I propose to split points between ID: 39559041 and ID: 39670500
0
lofishmanAuthor Commented:
There is a way to decrypt files encrypted by the CryptoLocker virus. Here is a link detailing how the keys were obtained in an FBI raid: http://www.tampabay.com/news/free-fix-for-cryptolocker-ransomware-available/2196568

And here is the website that will allow you to obtain a key (and a tool!) for decrypting your files, as long as they were infected by the CryptoLocker virus: https://www.decryptcryptolocker.com/
0
btanExec ConsultantCommented:
Thanks for sharing. That was put together by FireEye and Fox-IT, but note that the service will attempt to decrypt that file using all of the known encryption keys. So if the file uploaded to the service does not fall under the "lucky" ones, meaning the decryption key is not found, it is back to square one.
0