Solved

CryptoLocker

Posted on 2014-04-08
Last Modified: 2014-08-06
One of our laptops got infected by CryptoLocker. Is it possible to decrypt files encrypted by CryptoLocker?

Any tools or process?

Thanks
Question by: usuth

19 Comments

Accepted Solution
by: Tony Giangreco earned 125 total points
ID: 39986872
We just had another posting regarding CryptoLocker. The only known solution is to restore from a backup.

Other than that, the only option is paying the ransom, getting your data back and then we always suggest reformatting that system to make sure it's clean again.

http://www.experts-exchange.com/Software/Office_Productivity/Q_28405888.html

Assisted Solution
by: Joe Winograd, EE MVE earned 125 total points
ID: 39986896

Assisted Solution
by: ☠ MASQ ☠ earned 125 total points
ID: 39986941
Afraid the answer is no - once the ransom page is displayed the encryption process is complete. You then have until the timer expires to pay the ransom, which is the only current way to decrypt. Because payment is now in Bitcoin it is a pretty big amount to pay.

Outside that window the only recovery method is, as already described, to restore from a backup. The only tools available are preventative or to remove the active infection but there are no decryption tools.

Assisted Solution
by: Alan Hardisty earned 125 total points
ID: 39986948
I won't repeat the bad news, but there is a way to recover files using Shadow Copies, if they are enabled and the info is buried in my blog about the virus:

http://alanhardisty.wordpress.com/tag/cryptolocker/

Look for the Bleeping Computer link.

Alan
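Alan's pointer to Shadow Copies is the one recovery path in this thread that needs neither a backup nor a payment. The PowerShell script below is an added example, not code from the thread or from Alan's blog: it enumerates the Volume Shadow Copies of a volume, picks the newest snapshot that predates the ransom note, and copies a single file out of it. The volume, file path, restore directory and cutoff time are placeholders; it assumes an elevated prompt on a machine already cleaned of the running infection, and stops with a message when there are no snapshots or none predate the cutoff (many ransomware families delete shadow copies before encrypting, so that check is not hypothetical).

```powershell
# Added example, not from the thread or from Alan's blog: recover one file from a
# Volume Shadow Copy taken before the encryption started.
# Placeholders: volume, file path, restore directory and cutoff time are made up.
# Run from an elevated PowerShell prompt on a machine already cleaned of the
# running infection.

param(
    [string]  $Volume       = 'C:\',
    [string]  $RelativePath = 'Users\jdoe\Documents\report.docx',   # placeholder
    [string]  $RestoreDir   = 'D:\recovered',                       # placeholder
    [datetime]$Cutoff       = (Get-Date '2014-04-07 09:00')         # placeholder: when the ransom note appeared
)

# Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ form, i.e. the DeviceID
# of the matching Win32_Volume, not the drive letter.
$volumeId = (Get-WmiObject -Class Win32_Volume | Where-Object { $_.Name -eq $Volume }).DeviceID
if (-not $volumeId) { throw "Volume $Volume not found" }

# Enumerate shadow copies of that volume, oldest first. InstallDate is a DMTF
# datetime string, so convert it before comparing.
$shadows = Get-WmiObject -Class Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    ForEach-Object {
        [pscustomobject]@{
            Created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            Device  = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } |
    Sort-Object Created

if (-not $shadows) {
    # Shadow copies are disabled, or the malware removed them; nothing to recover here.
    throw "No shadow copies exist for $Volume; restore from an offline backup instead"
}
$shadows | Format-Table -AutoSize

# Pick the newest snapshot taken before the infection showed itself.
$pick = $shadows | Where-Object { $_.Created -lt $Cutoff } | Select-Object -Last 1
if (-not $pick) { throw "Every shadow copy postdates $Cutoff and may already hold encrypted files" }

# The shadow device has no drive letter, so expose it through a temporary
# directory symlink. The trailing backslash on the device path is required.
$mount = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
cmd /c mklink /d "$mount" "$($pick.Device)\" | Out-Null
try {
    $source = Join-Path $mount $RelativePath
    if (-not (Test-Path -LiteralPath $source)) {
        throw "$RelativePath is not present in the shadow copy from $($pick.Created)"
    }
    New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
    Copy-Item -LiteralPath $source -Destination $RestoreDir
    Write-Host "Recovered $RelativePath from snapshot taken $($pick.Created) into $RestoreDir"
}
finally {
    # rmdir on a directory symlink removes only the link, never the snapshot contents.
    cmd /c rmdir "$mount" | Out-Null
}
```

The snapshot is mounted read-only through the link, so nothing in it can be altered by the copy; recover to a separate, clean volume and verify the file opens before trusting the rest of the snapshot.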

Expert Comment
by: Joe Winograd, EE MVE
ID: 39986983
Hi Alan,

Great blog entry about CryptoLocker! One thing I don't understand:
I user Rkill (iexplore.exe – I find this works more often that using rkill.exe) to highlight the random .exe file that is running...

I'm sure "user" is just a typo and should be "used", but I don't understand the comment that you "used Rkill" followed by the comment "iexplore.exe – I find this works more often that using rkill.exe", which seems to say that you did not use Rkill (rkill.exe). What am I missing here? Thanks, Joe

Expert Comment
by: Alan Hardisty
ID: 39987041
Hi Joe - thanks for the correction, duly made on my blog. I seem to suffer from dyslexic fingers!

RKILL is the program I used to stop the running process, but RKILL comes in a variety of versions and I find the iexplore.exe version works better. It is essentially the same file with a different name. Some viruses will stop .exe files from running but they won't stop iexplore.exe from running.

Does that make sense?

Alan

Expert Comment
by: Joe Winograd, EE MVE
ID: 39987105
Ah, very clever! Makes perfect sense! Thanks for explaining.

These CryptoLocker criminals have been around a long time. I wonder why the authorities haven't tracked them down, prosecuted them, and put them out of business. There's a money trail from all the victims who pay the ransom...seems to me it shouldn't be difficult to follow the money...someone is picking it up! Any thoughts on why they haven't been found and stopped? Regards, Joe

Expert Comment
by: Alan Hardisty
ID: 39987156
I would imagine it's a problem to track down because it will involve numerous different countries, numerous different Police forces and no doubt they will have to gather evidence so that there is a watertight case against them before they even consider making any arrests.

The money will probably bounce around from account to account making it more difficult to trace but not impossible.

My blog points out that the folder containing the random exe file was there a good year before the virus hit my customer, so the potential is this one will keep appearing.

Having read about XP now probably being targeted because Microsoft aren't going to fix anything in it anymore and that there may be known exploits that have yet to be exploited fully until after tonight, there could be more fun to be had over the coming months!!

Alan

Expert Comment
by: justind39
ID: 39987302
We had a client get this same ransomware. So if you have good backups you just need to restore. If you don't, you have a time limit to pay the first price. If you run out of time don't worry too much, but you need to load the cryptolocker again. Bleeping Computer has good resources on what websites you can go to and pay to get the key. Shady sites. You now have to pay with BitCoin and it isn't cheap. But once we paid the ransom they did decrypt all the files. It took a couple of hours but it did work. Good luck.

Expert Comment
by: deroode
ID: 39988246
The main reason that the CryptoLocker ransom has to be paid in bitcoin is that it is impossible to track down to a particular user. Thus following the money trail isn't an option.

Expert Comment
by: Alan Hardisty
ID: 39988319
Crafty (expletive deleted) !

Expert Comment
by: Tony Giangreco
ID: 40001376
Have we answered your question?

Expert Comment
by: LeeTutor
ID: 40056337
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.

Expert Comment
by: Joe Winograd, EE MVE
ID: 40056338
I was just a bit player in this question and I'm not looking for any points, but I think there is enough information to confirm an answer. Based on the comments of experts with a proven track record (and point totals of 1.1, 6.6, and 10.7 million), the answer is that you need to get the files from an uninfected backup or pay the ransom — once your files are encrypted, there's no way to decrypt them. Based on experts whose opinions I trust (and on other threads here at EE), it seems to me that's the answer. Also, I think this question should not be deleted. Any other EE member infected with CryptoLocker would be well-served to find this thread in the PAQ. Regards, Joe

Expert Comment
by: Tony Giangreco
ID: 40056361
I agree with Joe. This question was answered with the only proven solutions known: pay the ransom, restore from backup or perform a clean install. If the author doesn't recognize those options as solutions then the EE moderators should recognize it.

Divide points up and close the question!

Expert Comment
by: ☠ MASQ ☠
ID: 40056467
Q has a Yes/No answer and the answer - unfortunately for the asker - is "No". Suggest splitting things evenly over the first four comments.

Expert Comment
by: btan
ID: 40243970
For info: FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.

https://www.decryptcryptolocker.com/