Solved

Cryptolocker solutions?

Posted on 2013-10-23
Last Modified: 2013-11-21
Does anybody have any up to date information on how to reverse the encryption caused by the Cryptolocker virus?  I understand it is a new virus and there isn't a ton of information but I was hoping something new has come along.  I was able to remove the virus from the PC but obviously the damage had already been done.  Any information would be greatly appreciated.
Question by:Marcus_nt
12 Comments
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 250 total points
ID: 39594957
This has been heavily discussed on mailing lists, and the ThirdTier/SMB Kitchen crew has put together a free packet for prevention, because decryption is neither likely nor fast given how it affects things.  Restore from backup is your best option, and you can try implementing the group policies that help prevent it.  Reference http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39606469
 

Author Comment

by:Marcus_nt
ID: 39606783
My main hope from this post is to see if it is possible to reinduce the virus or somehow reverse the encryption; we do not have a backup for this specific computer.  We've tried reopening any questionable email attachments and going to every site in the browsing history leading up to the time of infection, but have had no luck.
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39606798
If there were an "easy" way to decrypt the data, I would expect the antivirus tools available would be implementing it.  

It's a hard lesson... but one people should learn - backup.
 
LVL 14

Accepted Solution

by:Giovanni Heward
Giovanni Heward earned 250 total points
ID: 39606853
@Marcus_nt, this specific malware uses both RSA (public-key, asymmetric) and AES (private-key, symmetric) encryption.

RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other key is kept by the user (or in this case the malware author) and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information).

The malware uses a unique AES key for every file it encrypts.  The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it.   It's a proper hybrid encryption implementation.

In other words, even if one key were found via brute force or by reverse engineering the decryption process, that AES key would only work for that individual file, and the RSA private key would only work for that individual system.

This private key was never transmitted to your environment, nor was it ever stored in the malware binary itself.  It was only stored on a remote command and control (C&C) server for a limited period of time and then destroyed.  Why was it destroyed?  Likely to prevent mass decryption capability in the event the server is seized.

What you're seeing is a proper implementation of both asymmetric and symmetric encryption.  The same encryption used to secure state secrets.

Your only choices (data recovery aside) are 1) provide the private key, assuming it hasn't been destroyed, which means paying the ransom, or 2) brute-force the private key.  To brute-force a unique 2048-bit RSA private key would theoretically take a lifetime.  As distributed supercomputing power increases (per Moore's law), you may be able to rent something to do the job around the year 2032.

Sorry, no joy.  My posts above were intended to show how this could have been prevented in the first place.  Unfortunately, the solution cannot be retroactively applied.

What you're probably thinking of is symmetric (private-key) encryption.  In this case there is one key used to encrypt and decrypt.  Hence, the key must be stored in, or otherwise made accessible to, a given piece of malware in order to encrypt the files.  In this case, if the key can be obtained, decryption is possible.  Unfortunately Cryptolocker uses a hybrid of both public-key and private-key encryption (RSA and AES) and no such exploitable condition exists.

I know it's not the magic pill you're looking for.  It is reality, nonetheless.

BTW, reintroducing the malware will only add an additional layer of encryption over the existing layer, using both a new public/private RSA key pair and a new AES private key.  If you then pay the ransom, only the new layer will be removed, effectively leaving your system in its current encrypted state.  You need the private key generated during the original infection.  If you allowed the timeout to expire and the key was destroyed, you're out of luck.
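As an added illustration (example code written for this page, not from the original post and not taken from any CryptoLocker sample), the following Python models the hybrid scheme the accepted answer describes: a fresh symmetric key for every file, that key wrapped under an RSA public key which is all the encrypting side ever holds, and the matching private key kept elsewhere. It also walks through the re-infection point at the end of the answer. Textbook RSA without padding and an HMAC-SHA256 counter-mode keystream are stand-ins for the real RSA and AES; the key sizes, the `demo` walk-through and the sample file contents are constructed for the example.

```python
"""Hybrid per-file encryption, constructed to illustrate the accepted answer.
Stand-ins only: textbook RSA (no padding, toy key sizes) and an HMAC-SHA256
counter-mode keystream instead of AES. Not from any CryptoLocker sample."""
import hashlib
import hmac
import os
import random

_SMALL_PRIMES = [p for p in range(3, 500)
                 if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin after a trial-division sieve (demo-grade, not audited)."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=1024):
    """Return (private, public) as (n, d), (n, e). Only the public half is ever
    handed to the code that encrypts; the private half stays with its owner."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, pow(e, -1, phi)), (p * q, e)

def _keystream_xor(key, nonce, data):
    """Symmetric counter-mode stream cipher on HMAC-SHA256: the same call
    encrypts and decrypts. Stand-in for AES in this example."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _wrap_len(n):
    return (n.bit_length() + 7) // 8

def encrypt_file(pub, plaintext):
    """Fresh 256-bit key for this file, wrapped with the RSA public key and
    stored in the file header next to the nonce; the key is never kept in clear."""
    n, e = pub
    file_key, nonce = os.urandom(32), os.urandom(16)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return (wrapped.to_bytes(_wrap_len(n), "big") + nonce
            + _keystream_xor(file_key, nonce, plaintext))

def decrypt_file(priv, blob):
    """Only the RSA private key can unwrap the per-file key from the header."""
    n, d = priv
    wlen = _wrap_len(n)
    wrapped, nonce, body = (int.from_bytes(blob[:wlen], "big"),
                            blob[wlen:wlen + 16], blob[wlen + 16:])
    file_key = pow(wrapped, d, n).to_bytes(32, "big")
    return _keystream_xor(file_key, nonce, body)

def demo(bits=512):
    """Walk through the answer's points; returns a dict of named True/False checks."""
    plaintext = b"constructed sample file: quarterly figures\n" * 4
    priv1, pub1 = rsa_keygen(bits)            # first infection: only pub1 is deployed
    ct1 = encrypt_file(pub1, plaintext)
    ct1_again = encrypt_file(pub1, plaintext)  # same file twice: different file key
    priv2, pub2 = rsa_keygen(bits)            # re-infection: new pair, new file keys
    ct2 = encrypt_file(pub2, ct1)             # second layer over the first ciphertext
    outer_off = decrypt_file(priv2, ct2)      # "paying" the second ransom
    hl = _wrap_len(pub1[0])
    return {
        "original_private_key_recovers_file": decrypt_file(priv1, ct1) == plaintext,
        "per_file_key_is_unique": ct1[:hl] != ct1_again[:hl],
        "second_key_only_strips_second_layer": outer_off == ct1,
        "file_still_encrypted_after_second_ransom": outer_off != plaintext,
        "first_private_key_still_required": decrypt_file(priv1, outer_off) == plaintext,
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Everything the encrypting side needs (the public key, the per-file keys it generates, the nonces) is present on the victim's machine, and yet the wrapped key in each file header is useless without `priv1`, which is exactly why recovering files from the binary or the encrypted files alone does not work. The second key pair in `demo` shows why re-running the malware and paying for the new key only peels off the outer layer.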
 

Author Comment

by:Marcus_nt
ID: 39625938
I've requested that this question be deleted for the following reason:

lkfjldjkf;
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39625845
ID: 39606853 is a thorough explanation and should be made available to the public, or at least EE subscribers, for future searches and reference.
 

Author Comment

by:Marcus_nt
ID: 39663894
I've requested that this question be deleted for the following reason:

other than offering preventative solutions going forward, the issue can't be fixed
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39666482
@SouthMod: Thank you.

@Marcus_nt: Apparently the malware author(s) are not destroying keys within the timeframe they have represented, as they've launched a decryption service here:

http://www.experts-exchange.com/Security/Vulnerabilities/Q_28294767.html#a39651228