Solved

CryptoLocker

Posted on 2014-04-08
Last Modified: 2014-08-06
One of our laptops got infected by CryptoLocker. Is it possible to decrypt files encrypted by CryptoLocker?

Any tools or process?

Thanks
Question by:usuth
19 Comments
 
LVL 25

Accepted Solution

by:
Tony Giangreco earned 125 total points
ID: 39986872
We just had another posting regarding CryptoLocker. The only known solution is to restore from a backup.

Other than that, the only option is paying the ransom, getting your data back and then we always suggest reformatting that system to make sure it's clean again.

http://www.experts-exchange.com/Software/Office_Productivity/Q_28405888.html
0
 
LVL 54

Assisted Solution

by:Joe Winograd, EE MVE
Joe Winograd, EE MVE earned 125 total points
ID: 39986896
0
 
LVL 62

Assisted Solution

by:☠ MASQ ☠
☠ MASQ ☠ earned 125 total points
ID: 39986941
Afraid the answer is no -  once the ransom page is displayed the encryption process is complete. You then have until the timer expires to pay the ransom which is the only current way to decrypt.  Because payment is now in Bitcoin it is a pretty big amount to pay.

Outside that window the only recovery method is, as already described, to restore from a backup. The only tools available are preventative or to remove the active infection but there are no decryption tools.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 125 total points
ID: 39986948
I won't repeat the bad news, but there is a way to recover files using Shadow Copies, if they are enabled and the info is buried in my blog about the virus:

http://alanhardisty.wordpress.com/tag/cryptolocker/

Look for the Bleeping Computer link.

Alan
0
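
Added example, not part of the original post and not taken from Alan's blog or the Bleeping Computer guide: a PowerShell check for whether any Volume Shadow Copy snapshots exist and which of them predate the infection, which is the precondition for the Shadow Copies recovery route mentioned above. The `$InfectionTime` value is a constructed placeholder; it assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example: list Volume Shadow Copy snapshots and flag those created
# before the infection, i.e. candidates for restoring earlier file versions.
# Run from an elevated PowerShell 3.0+ prompt on the affected machine.

# Assumption: set this to the earliest time encrypted files were noticed.
$InfectionTime = Get-Date '2014-04-01 09:00'   # constructed sample value

# Volumes that have a drive letter, used to map snapshot -> drive.
$volumes = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter }

# Every snapshot currently held by the Volume Shadow Copy Service.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

if ($shadows.Count -eq 0) {
    Write-Warning 'No shadow copies found; recovery must come from backup.'
    return
}

$report = foreach ($s in $shadows) {
    # Win32_ShadowCopy.VolumeName matches Win32_Volume.DeviceID
    # (both are \\?\Volume{GUID}\ paths).
    $vol = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }

    [pscustomobject]@{
        Drive        = $vol.DriveLetter
        Created      = $s.InstallDate
        PreInfection = ($s.InstallDate -lt $InfectionTime)
        DeviceObject = $s.DeviceObject
    }
}

$report | Sort-Object Drive, Created | Format-Table -AutoSize

# Summary: how many snapshots are old enough to hold unencrypted versions.
$usable = @($report | Where-Object { $_.PreInfection })
Write-Output ("{0} of {1} snapshot(s) predate {2}" -f `
    $usable.Count, $report.Count, $InfectionTime)
```

Snapshots marked `PreInfection = True` are the ones worth browsing through the Previous Versions tab of a folder's properties; if the count is zero, the backup route described in the accepted solution is what remains.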
 
LVL 54

Expert Comment

by:Joe Winograd, EE MVE
ID: 39986983
Hi Alan,

Great blog entry about CryptoLocker! One thing I don't understand:
I user Rkill (iexplore.exe – I find this works more often that using rkill.exe) to highlight the random .exe file that is running...

I'm sure "user" is just a typo and should be "used", but I don't understand the comment that you "used Rkill" followed by the comment "iexplore.exe – I find this works more often that using rkill.exe", which seems to say that you did not use Rkill (rkill.exe). What am I missing here? Thanks, Joe
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39987041
Hi Joe - thanks for the correction, duly made on my blog.  I seem to suffer from dyslexic fingers!

RKILL is the program I used to stop the running process, but RKILL comes in a variety of versions and I find the iexplore.exe version works better.  It is essentially the same file with a different name.  Some viruses will stop .exe files from running but they won't stop iexplore.exe from running.

Does that make sense?

Alan
0
 
LVL 54

Expert Comment

by:Joe Winograd, EE MVE
ID: 39987105
Ah, very clever! Makes perfect sense! Thanks for explaining.

These CryptoLocker criminals have been around a long time. I wonder why the authorities haven't tracked them down, prosecuted them, and put them out of business. There's a money trail from all the victims who pay the ransom...seems to me it shouldn't be difficult to follow the money...someone is picking it up! Any thoughts on why they haven't been found and stopped? Regards, Joe
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39987156
I would imagine it's a problem to track down because it will involve numerous different countries, numerous different Police forces and no doubt they will have to gather evidence so that there is a watertight case against them before they even consider making any arrests.

The money will probably bounce around from account to account making it more difficult to trace but not impossible.

My blog points out that the folder containing the random exe file in was a good year before the virus hit my customer, so the potential is this one will keep appearing.

Having read about XP now probably being targeted because Microsoft aren't going to fix anything in it anymore and that there may be known exploits that have yet to be exploited fully until after tonight, there could be more fun to be had over the coming months!!

Alan
0
 
LVL 1

Expert Comment

by:justind39
ID: 39987302
We had a client get this same ransomware.  So if you have good backups you just need to restore.  If you don't you have a time limit to pay the first price.  If you run out of time don't worry too much but you need to load the cryptolocker again.  Bleeping computer has good resources on what websites you can go to and pay to get the key.  Shady sites.  You now have to pay with BitCoin and it isn't cheap.  But once we paid the ransom they did de-encrypt all the files.  It took a couple of hours but it did work.  Good luck.
0
 
LVL 19

Expert Comment

by:deroode
ID: 39988246
The main reason that the cryptolocker ransom has to be paid in bitcoin is that it is impossible to track down to a particular user. Thus following the money trail isn't an option.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39988319
Crafty (expletive deleted) !
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40001376
Have we answered your question?
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 40056337
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 54

Expert Comment

by:Joe Winograd, EE MVE
ID: 40056338
I was just a bit player in this question and I'm not looking for any points, but I think there is enough information to confirm an answer. Based on the comments of experts with a proven track record (and point totals of 1.1, 6.6, and 10.7 million), the answer is that you need to get the files from an uninfected backup or pay the ransom — once your files are encrypted, there's no way to decrypt them. Based on experts whose opinions I trust (and on other threads here at EE), it seems to me that's the answer. Also, I think this question should not be deleted. Any other EE member infected with CryptoLocker would be well-served to find this thread in the PAQ. Regards, Joe
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40056361
I agree with Joe. This question was answered with the only proven solutions known. Pay ransom, restore from backup or perform a clean install. If the author doesn't recognize those options as solutions then the EE moderators should recognize it.

Divide points up and close the question!
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40056467
Q has a Yes/No answer and the answer - unfortunately for the asker - is "No".  Suggest split things evenly over the first four comments.
0
 
LVL 63

Expert Comment

by:btan
ID: 40243970
For info on - FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.

https://www.decryptcryptolocker.com/
0

Question has a verified solution.