Solved

CryptoLocker

Posted on 2014-04-08
Last Modified: 2014-08-06
One of our laptops got infected by CryptoLocker. Is it possible to decrypt files encrypted by CryptoLocker?

Any tools or process?

Thanks
0
Question by:usuth
17 Comments
 
LVL 25

Accepted Solution

by:
Tony Giangreco earned 500 total points
ID: 39986872
We just had another posting regarding CryptoLocker. The only known solution is to restore from a backup.

Other than that, the only option is paying the ransom, getting your data back and then we always suggest reformatting that system to make sure it's clean again.

http://www.experts-exchange.com/Software/Office_Productivity/Q_28405888.html
0
 
LVL 59

Assisted Solution

by:Joe Winograd, Fellow&MVE
Joe Winograd, Fellow&MVE earned 500 total points
ID: 39986896
0
 
LVL 64

Assisted Solution

by:☠ MASQ ☠
☠ MASQ ☠ earned 500 total points
ID: 39986941
Afraid the answer is no - once the ransom page is displayed the encryption process is complete. You then have until the timer expires to pay the ransom, which is the only current way to decrypt. Because payment is now in Bitcoin it is a pretty big amount to pay.

Outside that window the only recovery method is, as already described, to restore from a backup. The only tools available are preventative or to remove the active infection but there are no decryption tools.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 39986948
I won't repeat the bad news, but there is a way to recover files using Shadow Copies, if they are enabled and the info is buried in my blog about the virus:

http://alanhardisty.wordpress.com/tag/cryptolocker/

Look for the Bleeping Computer link.

Alan
0
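Alan's Shadow Copy route, as an added example that is not code from the thread or from his blog: assuming the Volume Shadow Copy service was enabled on the infected volume and the snapshots survived, this PowerShell script (run elevated, on a machine where the active infection has already been removed) finds the newest snapshot taken before the encryption time and copies one file's pre-encryption version out of it. The drive letter, file path and restore folder are placeholders.

```powershell
# Added example: recover a pre-encryption copy of a file from Volume Shadow Copies.
# Run from an elevated PowerShell session; Win32_ShadowCopy needs administrator rights.
param(
    [string]  $Drive            = 'C:',
    [string]  $FileRelativePath = 'Users\alice\Documents\budget.xlsx',  # constructed placeholder
    [string]  $RestoreTo        = 'C:\Recovered',                        # placeholder folder
    [datetime]$EncryptedAt      = (Get-Date)   # when the ransom page first appeared
)

# Match snapshots to the volume by its \\?\Volume{GUID}\ device ID, keep only
# those created before the encryption event, newest first.
$volume  = Get-CimInstance Win32_Volume -Filter "DriveLetter='$Drive'"
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID -and $_.InstallDate -lt $EncryptedAt } |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    throw "No shadow copies of $Drive predate $EncryptedAt; restore from backup instead."
}

foreach ($s in $shadows) {
    # A snapshot is only reachable through its GLOBALROOT device path. A directory
    # symlink (the trailing backslash is required) exposes it as an ordinary folder.
    $mount = Join-Path $env:TEMP ('vss_' + $s.ID.Trim('{}'))
    cmd /c mklink /d "$mount" "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $mount $FileRelativePath
        if (Test-Path -LiteralPath $candidate) {
            New-Item -ItemType Directory -Path $RestoreTo -Force | Out-Null
            Copy-Item -LiteralPath $candidate -Destination $RestoreTo
            "Recovered '{0}' from the snapshot taken {1}" -f $FileRelativePath, $s.InstallDate
            break
        }
    } finally {
        # rmdir on a symlink removes only the link, never the snapshot contents.
        cmd /c rmdir "$mount" | Out-Null
    }
}
```

Run it against a copy of the file's known-good path first; if the newest pre-infection snapshot does not contain the file, the loop falls through to older snapshots automatically.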
 
LVL 59

Expert Comment

by:Joe Winograd, Fellow&MVE
ID: 39986983
Hi Alan,

Great blog entry about CryptoLocker! One thing I don't understand:
I user Rkill (iexplore.exe – I find this works more often that using rkill.exe) to highlight the random .exe file that is running...

I'm sure "user" is just a typo and should be "used", but I don't understand the comment that you "used Rkill" followed by the comment "iexplore.exe – I find this works more often that using rkill.exe", which seems to say that you did not use Rkill (rkill.exe). What am I missing here? Thanks, Joe
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39987041
Hi Joe - thanks for the correction, duly made on my blog. I seem to suffer from dyslexic fingers!

RKILL is the program I used to stop the running process, but RKILL comes in a variety of versions and I find the iexplore.exe version works better. It is essentially the same file with a different name. Some viruses will stop .exe files from running but they won't stop iexplore.exe from running.

Does that make sense?

Alan
0
 
LVL 59

Expert Comment

by:Joe Winograd, Fellow&MVE
ID: 39987105
Ah, very clever! Makes perfect sense! Thanks for explaining.

These CryptoLocker criminals have been around a long time. I wonder why the authorities haven't tracked them down, prosecuted them, and put them out of business. There's a money trail from all the victims who pay the ransom...seems to me it shouldn't be difficult to follow the money...someone is picking it up! Any thoughts on why they haven't been found and stopped? Regards, Joe
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39987156
I would imagine it's a problem to track down because it will involve numerous different countries, numerous different Police forces and no doubt they will have to gather evidence so that there is a watertight case against them before they even consider making any arrests.

The money will probably bounce around from account to account making it more difficult to trace but not impossible.

My blog points out that the folder containing the random exe file was there a good year before the virus hit my customer, so the potential is this one will keep appearing.

Having read about XP now probably being targeted because Microsoft aren't going to fix anything in it anymore and that there may be known exploits that have yet to be exploited fully until after tonight, there could be more fun to be had over the coming months!!

Alan
0
 
LVL 1

Expert Comment

by:Justin Alcorta
ID: 39987302
We had a client get this same ransomware. So if you have good backups you just need to restore. If you don't, you have a time limit to pay the first price. If you run out of time don't worry too much, but you need to load the cryptolocker again. Bleeping Computer has good resources on what websites you can go to and pay to get the key. Shady sites. You now have to pay with BitCoin and it isn't cheap. But once we paid the ransom they did de-encrypt all the files. It took a couple of hours but it did work. Good luck.
0
 
LVL 19

Expert Comment

by:deroode
ID: 39988246
The main reason that the cryptolocker ransom has to be paid in bitcoin is that it is impossible to track down to a particular user. Thus following the money trail isn't an option.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39988319
Crafty (expletive deleted) !
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40001376
Have we answered your question?
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 40056337
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 59

Expert Comment

by:Joe Winograd, Fellow&MVE
ID: 40056338
I was just a bit player in this question and I'm not looking for any points, but I think there is enough information to confirm an answer. Based on the comments of experts with a proven track record (and point totals of 1.1, 6.6, and 10.7 million), the answer is that you need to get the files from an uninfected backup or pay the ransom — once your files are encrypted, there's no way to decrypt them. Based on experts whose opinions I trust (and on other threads here at EE), it seems to me that's the answer. Also, I think this question should not be deleted. Any other EE member infected with CryptoLocker would be well-served to find this thread in the PAQ. Regards, Joe
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40056361
I agree with Joe. This question was answered with the only proven solutions known. Pay ransom, restore from backup or perform a clean install. If the author doesn't recognize those options as solutions then the EE moderators should recognize it.

Divide points up and close the question!
0
 
LVL 64

Expert Comment

by:☠ MASQ ☠
ID: 40056467
Q has a Yes/No answer and the answer - unfortunately for the asker - is "No". Suggest split things evenly over the first four comments.
0
 
LVL 66

Expert Comment

by:btan
ID: 40243970
For info - FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.

https://www.decryptcryptolocker.com/
0
