• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 697

Cryptolocker solutions?

Does anybody have any up-to-date information on how to reverse the encryption caused by the Cryptolocker virus? I understand it is a new virus and there isn't a ton of information, but I was hoping something new has come along. I was able to remove the virus from the PC, but obviously the damage had already been done. Any information would be greatly appreciated.
0
Asked: Marcus_nt
2 Solutions
 
Lee W, MVP, Technology and Business Process Advisor commented:
This has been heavily discussed on mailing lists, and the ThirdTier/SMB Kitchen crew has put together a free packet for prevention, because unencryption is not likely nor fast given how it affects things. Restore from backup is your best option, and you can try implementing the group policies that help prevent it. Reference: http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/
0
 
Giovanni Heward commented:
0
 
Marcus_nt (Author) commented:
My main hope from this post is to see if it is possible to reinduce the virus or somehow reverse the encryption; we do not have a backup for this specific computer. We've tried reopening any questionable email attachments and going to every site in the browsing history leading up to the time of infection, but have had no luck.
0
 
Lee W, MVP, Technology and Business Process Advisor commented:
If there were an "easy" way to decrypt the data, I would expect the antivirus tools available would be implementing it.

It's a hard lesson... but one people should learn - backup.
0
 
Giovanni Heward commented:
@Marcus_nt, this specific malware uses both RSA (public-key, asymmetric) and AES (private-key, symmetric) encryption.

RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other key is kept by the user (or, in this case, the malware author) and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information).

The malware uses a unique AES key for every file it encrypts. The AES key for decryption is written into the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it. It's a proper hybrid encryption implementation.

In other words, even if one key was found via brute force or by reverse engineering the decryption process, that AES key would only work for that individual file, and the RSA private-key would only work for that individual system.

This private key was never transmitted to your environment, nor was it ever stored in the malware binary itself.  It was only stored on a remote command and control (C&C) server for a limited period of time and then destroyed.  Why was it destroyed?  Likely to prevent mass decryption capability in the event the server is seized.

What you're seeing is the proper implementation of both asymmetric and symmetric encryption: the same encryption used to secure state secrets.

Your only choices (data recovery aside) are 1) provide the private key, assuming it hasn't been destroyed (that means pay the ransom), or 2) brute-force the private key. To brute-force a unique 2048-bit RSA private key would theoretically take a lifetime. As distributed supercomputing power increases (per Moore's law), you may be able to rent something to do the job around the year 2032.

Sorry, no joy.  My posts above were intended to show how this could have been prevented in the first place.  Unfortunately, the solution cannot be retroactively applied.

What you're probably thinking of is symmetric (private-key) encryption. In this case there is one key used to encrypt and decrypt. Hence, the key must be stored in, or otherwise made accessible to, a given piece of malware in order to encrypt the files. In this case, if the key can be obtained, decryption is possible. Unfortunately, Cryptolocker uses a hybrid of both public-key and private-key encryption (RSA and AES) and no such exploitable condition exists.

I know it's not the magic pill you're looking for. It is reality, nonetheless.

BTW, reintroducing the malware will only add an additional layer of encryption over the existing layer, using both a new public/private RSA key pair and a new AES private key. If you then pay the ransom, only the new layer will be removed, effectively leaving your system in its current encrypted state. You need the private key generated during the original infection. If you allowed the timeout to expire and the key was destroyed, you're out of luck.
0
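As an added illustration of the hybrid scheme Giovanni describes above (example code written for this page, not code from the malware or from any poster), the script below builds a small envelope-encryption demo and checks his three points: every file gets its own symmetric key, the file itself carries only that key wrapped under the RSA public key, and a second pass under a new key pair merely adds a layer that the second private key strips back to the first layer. To stay standard-library only it uses stand-ins for the real primitives: textbook RSA on a random 256-bit value (real systems use RSA-OAEP) and SHA-256 in counter mode with an HMAC tag (in place of AES). The function names `seal`, `unseal`, `wrapped_key_of` and `demo`, the 1024-bit demo key size and the sample content are assumptions of this example, not anything from the thread.

```python
import hashlib
import hmac
import secrets

# Stand-in primitives, stdlib only so this runs anywhere (an assumption of this example, not
# the malware's code): textbook RSA on a random 256-bit value instead of RSA-OAEP, and SHA-256
# in counter mode plus an HMAC tag instead of AES. The envelope built on top is the structure
# the post describes: one fresh symmetric key per file, wrapped under an RSA public key.

KEY_LEN = 32  # 256-bit per-file key

def _is_probable_prime(n, rounds=24):
    # Miller-Rabin; candidates are always large and odd, so no n < 2 guard is needed
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand

def rsa_keypair(bits=1024):
    """Returns ((n, e), (n, d)); 1024 bits keeps the demo quick, the post discusses 2048."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_wrap(public, file_key):
    return pow(int.from_bytes(file_key, "big"), public[1], public[0])

def rsa_unwrap(private, wrapped):
    m = pow(wrapped, private[1], private[0])
    if m.bit_length() > KEY_LEN * 8:  # garbage: this private key never matched
        raise ValueError("private key does not match")
    return m.to_bytes(KEY_LEN, "big")

def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def sym_encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def sym_decrypt(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def seal(public, data):
    """Fresh per-file key; only its RSA-wrapped form is stored, in the header."""
    file_key = secrets.token_bytes(KEY_LEN)
    wrapped = rsa_wrap(public, file_key).to_bytes((public[0].bit_length() + 7) // 8, "big")
    return len(wrapped).to_bytes(2, "big") + wrapped + sym_encrypt(file_key, data)

def wrapped_key_of(blob):
    # the only key material a sealed file carries: the wrapped per-file key
    return blob[2:2 + int.from_bytes(blob[:2], "big")]

def unseal(private, blob):
    """Plaintext when the private key matches the sealing public key, else None."""
    wrapped = wrapped_key_of(blob)
    try:
        return sym_decrypt(rsa_unwrap(private, int.from_bytes(wrapped, "big")),
                           blob[2 + len(wrapped):])
    except ValueError:
        return None

def demo():
    pub1, priv1 = rsa_keypair()      # key pair of the original infection
    pub2, priv2 = rsa_keypair()      # key pair a second infection would generate
    plain = b"quarterly numbers"     # constructed sample content
    a, b = seal(pub1, plain), seal(pub1, plain)
    twice = seal(pub2, a)            # reintroducing the malware re-seals the sealed file
    return {
        "per_file_keys_differ": wrapped_key_of(a) != wrapped_key_of(b),
        "matching_private_key_recovers": unseal(priv1, a) == plain,
        "other_private_key_recovers": unseal(priv2, a),                    # None
        "second_key_strips_only_second_layer": unseal(priv2, twice) == a,
        "both_keys_in_order_recover": unseal(priv1, unseal(priv2, twice)) == plain,
    }
```

`demo()` returns one boolean (or `None`) per check, so it can be run from an interactive session or a test. The result worth dwelling on for a defender is the mismatched-key case: the sealed file contains nothing that helps without the private key that was never on the machine, which is exactly why the recovery path comes back to Lee's answer, restore from backup.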
 
Marcus_nt (Author) commented:
I've requested that this question be deleted for the following reason:

lkfjldjkf;
0
 
Giovanni Heward commented:
ID: 39606853 is a thorough explanation and should be made available to the public, or at least EE subscribers, for future searches and reference.
0
 
Marcus_nt (Author) commented:
I've requested that this question be deleted for the following reason:

other than offering preventative solutions going forward, the issue can't be fixed
0
 
Giovanni Heward commented:
@SouthMod: Thank you.

@Marcus_nt: Apparently the malware author(s) are not destroying keys within the timeframe they have represented, as they've launched a decryption service here:

http://www.experts-exchange.com/Security/Vulnerabilities/Q_28294767.html#a39651228
0
