  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 388

CryptoLocker

One of our laptop got infected by crptolocker. Is it possible to decrypt files encrypted by CryptoLocker?

Any tools or process?

Thanks
Asked by: usuth

4 Solutions
Tony Giangreco Commented:
We just had another posting regarding CryptoLocker. The only known solution is to restore from a backup.

Other than that, the only option is paying the ransom, getting your data back and then we always suggest reformatting that system to make sure it's clean again.

http://www.experts-exchange.com/Software/Office_Productivity/Q_28405888.html
0
 
☠ MASQ ☠ Commented:
Afraid the answer is no - once the ransom page is displayed the encryption process is complete. You then have until the timer expires to pay the ransom, which is the only current way to decrypt. Because payment is now in Bitcoin it is a pretty big amount to pay.

Outside that window the only recovery method is, as already described, to restore from a backup. The only tools available are preventative or to remove the active infection but there are no decryption tools.
0
 
Alan Hardisty Commented:
I won't repeat the bad news, but there is a way to recover files using Shadow Copies, if they are enabled, and the info is buried in my blog about the virus:

http://alanhardisty.wordpress.com/tag/cryptolocker/

Look for the Bleeping Computer link.

Alan
0
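The shadow-copy route Alan mentions, written out as an added PowerShell example (this is not code from his blog or from this thread): it lists the Volume Shadow Copies the VSS service holds for a volume, exposes the newest snapshot through a directory symbolic link, and copies the pre-encryption versions of files out of it. It assumes an elevated session on the affected Windows machine; the volume letter, the `C:\ShadowRecovery` mount point and the commented-out `Users\alice\Documents` path are placeholder choices, not values from the page. The check before anything else is whether any snapshot exists and whether its date predates the infection: if System Protection was never enabled, or the snapshots were deleted, the list is empty and recovery has to come from backups as the other answers say.

```powershell
# Added example: recover pre-encryption file versions from a Volume Shadow Copy.
# Run in an elevated PowerShell session. $Volume and $LinkPath are assumed values.
param(
    [string]$Volume   = 'C:\',               # volume whose shadow copies to inspect
    [string]$LinkPath = 'C:\ShadowRecovery'  # placeholder mount point for the snapshot
)

# Win32_Volume gives the \\?\Volume{GUID}\ form that Win32_ShadowCopy.VolumeName uses.
$volumeId = (Get-CimInstance -ClassName Win32_Volume |
             Where-Object { $_.Name -eq $Volume }).DeviceID

# Enumerate snapshots for this volume, newest first.
# An empty result means VSS was never enabled here, or the snapshots are gone
# (some ransomware families delete them before encrypting).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
             Where-Object { $_.VolumeName -eq $volumeId } |
             Sort-Object InstallDate -Descending)

if ($shadows.Count -eq 0) {
    Write-Warning "No shadow copies exist for $Volume; restore from backup instead."
    return
}

# Show what is available so the operator can pick a snapshot dated before the
# earliest encrypted-file modification time, not merely the newest one.
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize
$snapshot = $shadows[0]   # newest; adjust the index after checking InstallDate

# DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN and must
# carry a trailing backslash to be linkable. mklink /d creates a directory symlink
# that Explorer, Copy-Item and robocopy can read; the snapshot itself stays read-only.
if (-not (Test-Path -LiteralPath $LinkPath)) {
    cmd.exe /c "mklink /d `"$LinkPath`" `"$($snapshot.DeviceObject)\`""
}

Write-Host "Snapshot from $($snapshot.InstallDate) is browsable at $LinkPath"

# Copy recovered files to a separate destination; never write back onto the infected
# volume until the machine has been cleaned or rebuilt. Placeholder paths:
# Copy-Item -LiteralPath (Join-Path $LinkPath 'Users\alice\Documents') `
#           -Destination 'D:\Recovered\Documents' -Recurse

# Remove the link when finished (the snapshot is untouched by this):
# cmd.exe /c "rmdir `"$LinkPath`""
```

Copying out of the snapshot rather than rolling the volume back keeps the encrypted originals in place for later analysis, and pulling the files to a different drive avoids giving a still-running infection something new to encrypt.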
 
Joe Winograd, EE MVE 2015 & 2016, Developer, Commented:
Hi Alan,

Great blog entry about CryptoLocker! One thing I don't understand:
I user Rkill (iexplore.exe – I find this works more often that using rkill.exe) to highlight the random .exe file that is running...

I'm sure "user" is just a typo and should be "used", but I don't understand the comment that you "used Rkill" followed by the comment "iexplore.exe – I find this works more often that using rkill.exe", which seems to say that you did not use Rkill (rkill.exe). What am I missing here? Thanks, Joe
0
 
Alan Hardisty Commented:
Hi Joe - thanks for the correction, duly made on my blog. I seem to suffer from dyslexic fingers!

RKILL is the program I used to stop the running process, but RKILL comes in a variety of versions and I find the iexplore.exe version works better. It is essentially the same file with a different name. Some viruses will stop .exe files from running but they won't stop iexplore.exe from running.

Does that make sense?

Alan
0
 
Joe Winograd, EE MVE 2015 & 2016, Developer, Commented:
Ah, very clever! Makes perfect sense! Thanks for explaining.

These CryptoLocker criminals have been around a long time. I wonder why the authorities haven't tracked them down, prosecuted them, and put them out of business. There's a money trail from all the victims who pay the ransom...seems to me it shouldn't be difficult to follow the money...someone is picking it up! Any thoughts on why they haven't been found and stopped? Regards, Joe
0
 
Alan Hardisty Commented:
I would imagine it's a problem to track down because it will involve numerous different countries, numerous different Police forces and no doubt they will have to gather evidence so that there is a watertight case against them before they even consider making any arrests.

The money will probably bounce around from account to account making it more difficult to trace but not impossible.

My blog points out that the folder containing the random exe file was there a good year before the virus hit my customer, so the potential is this one will keep appearing.

Having read about XP now probably being targeted because Microsoft aren't going to fix anything in it anymore and that there may be known exploits that have yet to be exploited fully until after tonight, there could be more fun to be had over the coming months!!

Alan
0
 
Justin Alcorta, Enterprise Systems Analyst, Commented:
We had a client get this same ransomware. So if you have good backups you just need to restore. If you don't, you have a time limit to pay the first price. If you run out of time don't worry too much, but you need to load the cryptolocker again. Bleeping Computer has good resources on what websites you can go to and pay to get the key. Shady sites. You now have to pay with BitCoin and it isn't cheap. But once we paid the ransom they did de-encrypt all the files. It took a couple of hours but it did work. Good luck.
0
 
deroode Commented:
The main reason that the cryptolocker ransom has to be paid in bitcoin is that it is impossible to track down to a particular user. Thus following the money trail isn't an option.
0
 
Alan Hardisty Commented:
Crafty (expletive deleted) !
0
 
Tony Giangreco Commented:
Have we answered your question?
0
 
LeeTutor, retired, Commented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
Joe Winograd, EE MVE 2015 & 2016, Developer, Commented:
I was just a bit player in this question and I'm not looking for any points, but I think there is enough information to confirm an answer. Based on the comments of experts with a proven track record (and point totals of 1.1, 6.6, and 10.7 million), the answer is that you need to get the files from an uninfected backup or pay the ransom — once your files are encrypted, there's no way to decrypt them. Based on experts whose opinions I trust (and on other threads here at EE), it seems to me that's the answer. Also, I think this question should not be deleted. Any other EE member infected with CryptoLocker would be well-served to find this thread in the PAQ. Regards, Joe
0
 
Tony Giangreco Commented:
I agree with Joe. This question was answered with the only proven solutions known: pay the ransom, restore from backup or perform a clean install. If the author doesn't recognize those options as solutions then the EE moderators should recognize it.

Divide points up and close the question!
0
 
☠ MASQ ☠ Commented:
Q has a Yes/No answer and the answer - unfortunately for the asker - is "No". Suggest split things evenly over the first four comments.
0
 
btan, Exec Consultant, Commented:
For info: FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.

https://www.decryptcryptolocker.com/
0