Solved

Cryptolocker solutions?

Posted on 2013-10-23
12
622 Views
Last Modified: 2013-11-21
Does anybody have any up to date information on how to reverse the encryption caused by the Cryptolocker virus?  I understand it is a new virus and there isn't a ton of information but I was hoping something new has come along.  I was able to remove the virus from the PC but obviously the damage had already been done.  Any information would be greatly appreciated.
0
Comment
Question by:Marcus_nt
12 Comments
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 250 total points
ID: 39594957
This has been heavily discussed on mailing lists, and the ThirdTier/SMB Kitchen crew has put together a free packet for prevention, because decryption is not likely nor fast given how it affects things.  Restore from backup is your best option, and you can try implementing the group policies that help prevent it.  Reference http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39606469
0
 

Author Comment

by:Marcus_nt
ID: 39606783
My main hope from this post is to see if it is possible to reinduce the virus or somehow reverse the encryption; we do not have a backup for this specific computer.  We've tried reopening any questionable email attachments and going to every site in the browsing history leading up to the time of infection, but have had no luck.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39606798
If there were an "easy" way to decrypt the data, I would expect the antivirus tools available would be implementing it.  

It's a hard lesson... but one people should learn - backup.
0
 
LVL 14

Accepted Solution

by:
Giovanni Heward earned 250 total points
ID: 39606853
@Marcus_nt, this specific malware uses both RSA (public-key, asymmetric) and AES (private-key, symmetric) encryption.

RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other key is kept by the user (or in this case malware author) and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information.)

The malware uses a unique AES key for every file to encrypt.  The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it.   It's a proper hybrid encryption implementation.

In other words, even if one key was found via brute force or by reverse engineering the decryption process, that AES key would only work for that individual file, and the RSA private-key would only work for that individual system.

This private key was never transmitted to your environment, nor was it ever stored in the malware binary itself.  It was only stored on a remote command and control (C&C) server for a limited period of time and then destroyed.  Why was it destroyed?  Likely to prevent mass decryption capability in the event the server is seized.

What you're seeing is the proper implementation of both asymmetric and symmetric encryption.  The same encryption used to secure state secrets.

Your only choices (data recovery aside) are 1) provide the private key, assuming it hasn't been destroyed -- that means pay the ransom, or 2) brute-force the private key.  To brute force a 2048-bit RSA unique private key would theoretically take a lifetime.  As distributed super computing power increases (per Moore's law), you may be able to rent something to do the job around year 2032.

Sorry, no joy.  My posts above were intended to show how this could have been prevented in the first place.  Unfortunately, the solution cannot be retroactively applied.

What you're probably thinking of is symmetric (private-key) encryption.  In this case there is one key used to encrypt and decrypt.  Hence, the key must be stored in, or otherwise made accessible to, a given piece of malware in order to encrypt the files.  In this case, if the key can be obtained, decryption is possible.  Unfortunately Cryptolocker uses a hybrid of both public-key and private-key encryption (RSA and AES), and no such exploitable condition exists.

I know it's not the magic pill you're looking for.  It is reality, nonetheless.

BTW, reintroducing the malware will only add an additional layer of encryption over the existing layer, using both a new public/private RSA key pair and a new AES private key.  If you then pay the ransom, only the new layer will be removed, effectively leaving your system in its current encrypted state.  You need the private key generated during the original infection.  If you allowed the timeout to expire and the key was destroyed, you're out of luck.
0
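The accepted answer above describes a hybrid scheme: a fresh symmetric key per file, stored in the file only in RSA-wrapped form, so that recovery needs the RSA private key and re-running the malware merely adds a second layer. The following is an added teaching model of that structure (my code, not the malware's and not from any poster here). All of it is constructed: the RSA is textbook RSA over fixed Mersenne primes with no padding, the "AES" stand-in is a SHA-256 counter-mode keystream, and the sample documents are invented, so it runs offline with the standard library only and must not be treated as real encryption.

```python
"""Hybrid (RSA-wrapped per-file symmetric key) encryption, as described in the
accepted answer.  Constructed teaching model only: toy textbook RSA over fixed
Mersenne primes (no padding, small modulus) and a SHA-256 keystream standing in
for AES, so the shape of the scheme can be run without third-party libraries."""
import hashlib
import secrets

WRAPPED_FIELD = 64   # bytes reserved in the blob header for the RSA-wrapped file key
FILE_KEY_LEN = 16    # 128-bit per-file symmetric key

# Fixed Mersenne primes (2^61-1, 2^89-1, 2^107-1, 2^127-1) stand in for freshly
# generated RSA primes; a real key pair would use ~1024-bit primes per side.
P1, Q1 = (1 << 61) - 1, (1 << 89) - 1
P2, Q2 = (1 << 107) - 1, (1 << 127) - 1


def toy_rsa_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)); d is the only value that reverses pow(m, e, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse; ValueError if gcd(e, phi) != 1
    return (n, e), (n, d)


def rsa_wrap(public_key, key_bytes):
    """Encrypt a symmetric key under the public key (this is what lands in the file)."""
    n, e = public_key
    m = int.from_bytes(key_bytes, "big")
    assert m < n, "key must be smaller than the modulus"
    return pow(m, e, n)


def rsa_unwrap(private_key, wrapped, length):
    """Recover the symmetric key; possible only with the private exponent d."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(length, "big")


def stream_xor(key, data):
    """Stand-in symmetric cipher: XOR with SHA-256(key || counter) blocks.
    Encrypt and decrypt are the same operation, as with AES in CTR mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_blob(public_key, plaintext):
    """One fresh symmetric key per file; only its RSA-wrapped form is stored."""
    file_key = secrets.token_bytes(FILE_KEY_LEN)
    header = rsa_wrap(public_key, file_key).to_bytes(WRAPPED_FIELD, "big")
    return header + stream_xor(file_key, plaintext)


def decrypt_blob(private_key, blob):
    """Unwrap the file key with the private key, then undo the stream cipher."""
    wrapped = int.from_bytes(blob[:WRAPPED_FIELD], "big")
    file_key = rsa_unwrap(private_key, wrapped, FILE_KEY_LEN)
    return stream_xor(file_key, blob[WRAPPED_FIELD:])


def demo():
    pub1, priv1 = toy_rsa_keypair(P1, Q1)      # key pair of the first encryption pass
    pub2, priv2 = toy_rsa_keypair(P2, Q2)      # a second, unrelated key pair
    doc_a = b"quarterly figures (constructed sample document)"
    doc_b = b"quarterly figures (constructed sample document)"   # identical content

    blob_a = encrypt_blob(pub1, doc_a)
    blob_b = encrypt_blob(pub1, doc_b)
    # Identical plaintexts get different headers: every file has its own key,
    # so recovering one file's key tells you nothing about the next file.
    distinct_keys = blob_a[:WRAPPED_FIELD] != blob_b[:WRAPPED_FIELD]

    # The matching private key is sufficient to recover any file.
    restored = decrypt_blob(priv1, blob_a) == doc_a

    # A second pass with a fresh key pair wraps the already-encrypted blob again;
    # removing only the outer layer hands back the still-encrypted first layer.
    layered = encrypt_blob(pub2, blob_a)
    outer_removed = decrypt_blob(priv2, layered)
    only_outer_layer_removed = outer_removed == blob_a and outer_removed != doc_a
    both_layers_removed = decrypt_blob(priv1, outer_removed) == doc_a

    return {
        "distinct_keys": distinct_keys,
        "restored": restored,
        "only_outer_layer_removed": only_outer_layer_removed,
        "both_layers_removed": both_layers_removed,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point for a defender is in `decrypt_blob`: the header carries the file key only as `pow(m, e, n)`, so nothing on the affected machine (binary, memory image, or the files themselves) contains what is needed to reverse it, which is why the realistic recovery path is a backup taken before the incident rather than analysis of the encrypted files.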
 

Author Comment

by:Marcus_nt
ID: 39625938
I've requested that this question be deleted for the following reason:

lkfjldjkf;
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39625845
ID: 39606853 is a thorough explanation and should be made available to the public, or at least EE subscribers, for future searches and reference.
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39625939
ID: 39606853 is a thorough explanation and should be made available to the public, or at least EE subscribers, for future searches and reference.
0
 

Author Comment

by:Marcus_nt
ID: 39663894
I've requested that this question be deleted for the following reason:

other than offering preventative solutions going forward, the issue can't be fixed
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39666482
@SouthMod: Thank you.

@Marcus_nt: Apparently the malware author(s) are not destroying keys within the timeframe they have represented, as they've launched a decryption service here:

http://www.experts-exchange.com/Security/Vulnerabilities/Q_28294767.html#a39651228
0