Solved

Cryptolocker solutions?

Posted on 2013-10-23
Last Modified: 2013-11-21
Does anybody have any up to date information on how to reverse the encryption caused by the Cryptolocker virus?  I understand it is a new virus and there isn't a ton of information but I was hoping something new has come along.  I was able to remove the virus from the PC but obviously the damage had already been done.  Any information would be greatly appreciated.
Question by:Marcus_nt
12 Comments
 
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 250 total points
ID: 39594957
This has been heavily discussed on mailing lists, and the ThirdTier/SMB Kitchen crew has put together a free packet for prevention, because unencryption is not likely nor fast given how it affects things.  Restore from backup is your best option, and you can try implementing the group policies that help prevent it.  Reference http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39606469
 

Author Comment

by:Marcus_nt
ID: 39606783
My main hope from this post is to see if it is possible to reinduce the virus or somehow reverse the encryption; we do not have a backup for this specific computer.  We've tried reopening any questionable email attachments and going to every site in the browsing history leading up to the time of infection, but have had no luck.

 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 39606798
If there were an "easy" way to decrypt the data, I would expect the antivirus tools available would be implementing it.  

It's a hard lesson... but one people should learn - backup.
 
LVL 15

Accepted Solution

by:Giovanni Heward
Giovanni Heward earned 250 total points
ID: 39606853
@Marcus_nt, this specific malware uses both RSA (public-key, asymmetric) and AES (private-key, symmetric) encryption.

RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other key is kept by the user (or in this case malware author) and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information.)

The malware uses a unique AES key for every file to encrypt.  The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it.   It's a proper hybrid encryption implementation.

In other words, even if one key was found via brute force or by reverse engineering the decryption process, that AES key would only work for that individual file, and the RSA private-key would only work for that individual system.

This private key was never transmitted to your environment, nor was it ever stored in the malware binary itself.  It was only stored on a remote command and control (C&C) server for a limited period of time and then destroyed.  Why was it destroyed?  Likely to prevent mass decryption capability in the event the server is seized.

What you're seeing is the proper implementation of both asymmetric and symmetric encryption.  The same encryption used to secure state secrets.

Your only choices (data recovery aside) are 1) provide the private key, assuming it hasn't been destroyed, which means pay the ransom, or 2) brute-force the private key.  To brute force a 2048-bit RSA unique private key would theoretically take a lifetime.  As distributed super computing power increases (per Moore's law), you may be able to rent something to do the job around year 2032.

Sorry, no joy.  My posts above were intended to show how this could have been prevented in the first place.  Unfortunately, the solution cannot be retroactively applied.

What you're probably thinking of is symmetric (private-key) encryption.  In this case there is one key used to encrypt and decrypt.  Hence, the key must be stored in, or otherwise made accessible to, a given piece of malware in order to encrypt the files.  In this case, if the key can be obtained, decryption is possible.  Unfortunately Cryptolocker uses a hybrid of both public-key and private-key encryption (RSA and AES) and no such exploitable condition exists.

I know it's not the magic pill you're looking for.  It is reality, nonetheless.

BTW, reintroducing the malware will only add an additional layer of encryption over the existing layer, using both a new public/private RSA key pair and a new AES private key.  If you then pay the ransom, only the new layer will be removed, effectively leaving your system in its current encrypted state.  You need the private key generated during the original infection.  If you allowed the timeout to expire and the key was destroyed, you're out of luck.
 

Author Comment

by:Marcus_nt
ID: 39625938
I've requested that this question be deleted for the following reason:

lkfjldjkf;
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39625845
ID: 39606853 is a thorough explanation and should be made available to the public, or at least EE subscribers, for future searches and reference.
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39625939
ID: 39606853 is a thorough explanation and should be made available to the public, or at least EE subscribers, for future searches and reference.
 

Author Comment

by:Marcus_nt
ID: 39663894
I've requested that this question be deleted for the following reason:

other than offering preventative solutions going forward, the issue can't be fixed
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39666482
@SouthMod: Thank you.

@Marcus_nt: Apparently the malware author(s) are not destroying keys within the timeframe they have represented, as they've launched a decryption service here:

http://www.experts-exchange.com/Security/Vulnerabilities/Q_28294767.html#a39651228