Solved

CryptoLocker

Posted on 2014-04-08
375 Views
Last Modified: 2014-08-06
One of our laptops got infected by CryptoLocker. Is it possible to decrypt files encrypted by CryptoLocker?

Any tools or process?

Thanks
Question by:usuth
19 Comments
 
LVL 25

Accepted Solution

by:
Tony Giangreco earned 125 total points
ID: 39986872
We just had another posting regarding CryptoLocker. The only known solution is to restore from a backup.

Other than that, the only option is paying the ransom, getting your data back and then we always suggest reformatting that system to make sure it's clean again.

http://www.experts-exchange.com/Software/Office_Productivity/Q_28405888.html
0
 
LVL 52

Assisted Solution

by:Joe Winograd, EE MVE
Joe Winograd, EE MVE earned 125 total points
ID: 39986896
0
 
LVL 62

Assisted Solution

by:☠ MASQ ☠
☠ MASQ ☠ earned 125 total points
ID: 39986941
Afraid the answer is no - once the ransom page is displayed the encryption process is complete. You then have until the timer expires to pay the ransom, which is the only current way to decrypt. Because payment is now in Bitcoin it is a pretty big amount to pay.

Outside that window the only recovery method is, as already described, to restore from a backup. The only tools available are preventative or to remove the active infection but there are no decryption tools.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 125 total points
ID: 39986948
I won't repeat the bad news, but there is a way to recover files using Shadow Copies, if they are enabled and the info is buried in my blog about the virus:

http://alanhardisty.wordpress.com/tag/cryptolocker/

Look for the Bleeping Computer link.

Alan
0
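Alan's pointer to Shadow Copies, worked through as an added PowerShell example that is not from this thread or his blog. It assumes an elevated PowerShell session on the infected machine, that VSS snapshots still exist, and the constructed infection time and placeholder paths given in the script.

```powershell
# Added example: enumerate Volume Shadow Copies and restore one folder from a
# snapshot that predates the infection. Assumptions: running as Administrator,
# $InfectionTime is a constructed value, and the paths are placeholders.
param(
    [datetime]$InfectionTime = (Get-Date '2014-04-07 09:00'),
    [string]$Volume    = 'C:\',
    [string]$SourceRel = 'Users\Alice\Documents',   # folder to recover (placeholder)
    [string]$RestoreTo = 'D:\Recovered\Documents'   # destination on a clean volume
)

# Resolve the drive letter to its volume GUID path so snapshots can be matched to it.
$volumeId = (Get-CimInstance Win32_Volume |
    Where-Object DriveLetter -eq $Volume.TrimEnd('\')).DeviceID

# Win32_ShadowCopy lists every snapshot VSS still holds (same data as `vssadmin list shadows`).
# An empty result means there is nothing to recover from and a backup is the only option.
$candidates = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $InfectionTime } |
    Sort-Object InstallDate -Descending

$snap = $candidates | Select-Object -First 1
if (-not $snap) {
    Write-Warning 'No shadow copy predates the infection; restore from backup instead.'
    return
}

# Expose the snapshot as an ordinary folder via a directory symlink to its device object.
# mklink needs the trailing backslash on the target for the link to resolve.
$link = Join-Path $env:TEMP ('vss_' + $snap.ID.Trim('{}'))
cmd.exe /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null

try {
    $src = Join-Path $link $SourceRel
    New-Item -ItemType Directory -Path $RestoreTo -Force | Out-Null
    # Copy to a separate, clean location; never overwrite files on the infected volume.
    Copy-Item -Path (Join-Path $src '*') -Destination $RestoreTo -Recurse -Force
    Write-Host "Restored '$SourceRel' from snapshot taken $($snap.InstallDate) to $RestoreTo"
}
finally {
    # rmdir on a directory symlink removes only the link, not the snapshot.
    cmd.exe /c rmdir "$link" | Out-Null
}
```

Run this only after the active infection has been removed, otherwise the recovered copies can be encrypted again as soon as they land on disk.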
 
LVL 52

Expert Comment

by:Joe Winograd, EE MVE
ID: 39986983
Hi Alan,

Great blog entry about CryptoLocker! One thing I don't understand:
I user Rkill (iexplore.exe – I find this works more often that using rkill.exe) to highlight the random .exe file that is running...

I'm sure "user" is just a typo and should be "used", but I don't understand the comment that you "used Rkill" followed by the comment "iexplore.exe – I find this works more often that using rkill.exe", which seems to say that you did not use Rkill (rkill.exe). What am I missing here? Thanks, Joe
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39987041
Hi Joe - thanks for the correction, duly made on my blog.  I seem to suffer from dyslexic fingers!

RKILL is the program I used to stop the running process, but RKILL comes in a variety of versions and I find the iexplore.exe version works better. It is essentially the same file with a different name. Some viruses will stop .exe files from running but they won't stop iexplore.exe from running.

Does that make sense?

Alan
0
 
LVL 52

Expert Comment

by:Joe Winograd, EE MVE
ID: 39987105
Ah, very clever! Makes perfect sense! Thanks for explaining.

These CryptoLocker criminals have been around a long time. I wonder why the authorities haven't tracked them down, prosecuted them, and put them out of business. There's a money trail from all the victims who pay the ransom...seems to me it shouldn't be difficult to follow the money...someone is picking it up! Any thoughts on why they haven't been found and stopped? Regards, Joe
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39987156
I would imagine it's a problem to track down because it will involve numerous different countries, numerous different Police forces and no doubt they will have to gather evidence so that there is a watertight case against them before they even consider making any arrests.

The money will probably bounce around from account to account making it more difficult to trace but not impossible.

My blog points out that the folder containing the random exe file was in place a good year before the virus hit my customer, so the potential is this one will keep appearing.

Having read about XP now probably being targeted because Microsoft aren't going to fix anything in it anymore and that there may be known exploits that have yet to be exploited fully until after tonight, there could be more fun to be had over the coming months!!

Alan
0
 
LVL 1

Expert Comment

by:justind39
ID: 39987302
We had a client get this same ransomware. So if you have good backups you just need to restore. If you don't, you have a time limit to pay the first price. If you run out of time don't worry too much, but you need to load the cryptolocker again. Bleeping Computer has good resources on what websites you can go to and pay to get the key. Shady sites. You now have to pay with BitCoin and it isn't cheap. But once we paid the ransom they did decrypt all the files. It took a couple of hours but it did work. Good luck.
0
 
LVL 19

Expert Comment

by:deroode
ID: 39988246
The main reason that the cryptolocker ransom has to be paid in bitcoin is that it is impossible to track down to a particular user. Thus following the money trail isn't an option.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39988319
Crafty (expletive deleted) !
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40001376
Have we answered your question?
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 40056337
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 52

Expert Comment

by:Joe Winograd, EE MVE
ID: 40056338
I was just a bit player in this question and I'm not looking for any points, but I think there is enough information to confirm an answer. Based on the comments of experts with a proven track record (and point totals of 1.1, 6.6, and 10.7 million), the answer is that you need to get the files from an uninfected backup or pay the ransom — once your files are encrypted, there's no way to decrypt them. Based on experts whose opinions I trust (and on other threads here at EE), it seems to me that's the answer. Also, I think this question should not be deleted. Any other EE member infected with CryptoLocker would be well-served to find this thread in the PAQ. Regards, Joe
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40056361
I agree with Joe. This question was answered with the only proven solutions known: pay the ransom, restore from backup or perform a clean install. If the author doesn't recognize those options as solutions then the EE moderators should recognize it.

Divide points up and close the question!
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40056467
Q has a Yes/No answer and the answer - unfortunately for the asker - is "No". Suggest split things evenly over the first four comments.
0
 
LVL 62

Expert Comment

by:btan
ID: 40243970
For info: FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.

https://www.decryptcryptolocker.com/
0