• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 602

Cryptolocker Virus attack


A friend's computer has the cryptolocker virus and a message that files have been encrypted.  72 hours to pay €300 to get the files decrypted.

There is NO backup of the files.

What is the best course of action?  Is paying the money a possibility?

Thanks for any help and advice,

1 Solution
Giovanni Heward commented:
I am sorry. Your friend is out of luck. :-(
Thomas Zucker-Scharff, Systems Analyst, commented:
There have been a number of similar questions regarding cryptolocker. Search in Experts Exchange and you will find a few links to decrypters.

Whatever you do, don't let anyone pay by credit card.
Giovanni Heward commented:
"you will find a few links to decrypters"

I'd like to see those... decryption requires a unique private key stored on a C&C server, which is presumably destroyed once the timer expires (likely to avoid mass decryption capability should a C&C server be seized.)

Realistically (and ironically), your best bet in actually recovering your files (without a backup, shadow copies, etc.) would be to pay the ransom.  Otherwise you're left with brute forcing an RSA-2048 private key and ill-informed advice resulting in removal of the malware itself, destruction of the private key, and encrypted files, leaving them truly non-recoverable without brute force.

Regarding brute force...
2048-bit keys - that is enormously stronger than anything Lenstra et al attempted, in fact, it would require factoring a 617-digit number. RSA Labs claim (see: http://www.rsa.com/rsalabs/node.asp?id=2004) that 2048-bit keys are 2^32 (2 to the power of 32) times harder to break using NFS, than 1024-bit keys. 2^32 = 4,294,967,296 or almost 4.3 billion, therefore breaking a 2048-bit [key] would take about 4.3 billion times longer (using the same standard desktop processing) than doing it for a 1024-bit key. It is therefore estimated, that standard desktop computing power would take 4,294,967,296 x 1.5 million years to break a 2048-bit [key]. Or, in other words, a little over 6.4 quadrillion years.
Ref: http://www.digicert.com/TimeTravel/math.htm

Somehow I think $300 is less than renting the distributed super computing power required to break the key in your lifetime.  The malware author actually understands proper implementation of both asymmetric and symmetric encryption.

A real defense is found in my post here.  Unfortunately, it cannot be retroactively applied. :-)

The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.  -Stephen Hawking
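The two points made above (the per-file symmetric key is only ever stored wrapped under an RSA-2048 public key whose private half lives on the C&C server, so deleting the malware changes nothing, and the quoted RSA Labs 2^32 scaling for brute force) are easier to see in code. The following Go program is an added illustration written for this page, not code from the thread and not CryptoLocker's actual implementation: the function names, the use of AES-256-GCM and RSA-OAEP, the on-disk layout and the sample document are all this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateAttackerKey stands in for the C&C side: one RSA key pair per victim
// (2048 bits in the thread). Only the public half ever reaches the infected PC.
func GenerateAttackerKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// EncryptedFile is what is left on disk: the file body under a random
// per-file AES-256 key, plus that key wrapped with the RSA public key.
// (Hypothetical layout; CryptoLocker's real on-disk format is not modelled.)
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the 32-byte AES key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext plus authentication tag
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// EncryptFile is the victim-side step: encrypt the content symmetrically,
// wrap the symmetric key asymmetrically, then forget the symmetric key.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // the plaintext key now exists nowhere but inside WrappedKey
		key[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFile is what the attacker's decrypter does once the private key is
// handed over; with any other private key the OAEP unwrap fails.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// BruteForceYears scales a desktop-scale estimate for a 1024-bit key by the
// 2^32 factor quoted from RSA Labs in the thread.
func BruteForceYears(years1024 float64) float64 {
	return years1024 * float64(uint64(1)<<32)
}

func main() {
	priv, _ := GenerateAttackerKey(2048)
	sample := []byte("constructed sample document contents") // constructed input
	ef, _ := EncryptFile(&priv.PublicKey, sample)
	back, err := DecryptFile(priv, ef)
	fmt.Println("decrypts with C&C private key:", err == nil && bytes.Equal(back, sample))
	fmt.Printf("2048-bit brute force at desktop scale: %.3g years\n", BruteForceYears(1.5e6))
}
```

Note what removing the malware does and does not touch: EncryptFile never writes the AES key anywhere except inside WrappedKey, and the process that held it in memory is gone, so after cleanup the only path back to the data runs through the private key on the C&C server. Multiplying the thread's 1.5 million years by 2^32 gives roughly 6.44e15 years, the "a little over 6.4 quadrillion" figure quoted above.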
Decrypters do not work, at least not in this case. Paying the ransom may help; at least some users reported that after payment, decryption was activated and files were recovered. However, paying the ransom does not guarantee the safe recovery of encrypted files, as stated here: Remove CryptoLocker virus and restore encrypted files

Your friend could try Shadow Explorer to recover some of the files but since they were not backed up I don't know if he still has this option.
Question has a verified solution.