Recently I have been dealing with a Cryptolocker infection at work that has taken out our shared network files twice now, and this latest infection is by far the worst one I have seen so far, since our backups haven’t been getting done correctly due to a configuration error in the NTFS permissions on the shares.
For those who don’t know, Cryptolocker is a new form of ransomware which encrypts a huge number of file types and then demands you pay $300 USD to decrypt your personal files. Full details at Bleeping Computer.
Now, since our backups at work had failed, we were forced to pay the ransom to recover our files, as it had encrypted over 57,000 of them. After we paid the ransom it went to work and decrypted all but 3,000 or so of the files.
Screenshots of Cryptolocker
Later a co-worker found a way to use the “Your Private Key.bin” file we received after paying the ransom to decrypt the remaining files, using a Python script called Cryptounlocker.
- Install Python 3.3 – Download
- Install the pycrypto module (it has to match the Python 3.3 install, not some other Python on the machine) – Download
- Download the Crypto-Unlocker script and extract it – Download
- Copy “Your Private Key.bin” into the root cryptounlocker folder and the encrypted files into the “Encrypted Files” folder under that. Work on copies: leave the originals where they are until you have confirmed the output opens cleanly.
- Open a command line and type “python”; it should report version 3.3.3. If it shows a different version, another Python is first on your PATH and the script will not run under it. Type exit() to leave the interpreter.
- On the command line, change directory into the cryptounlocker folder and type “python Crypto-Unlocker-V1.1.5-Run.py”.
- Check the “Decrypted Files” folder for the results, and compare the file count against the “Encrypted Files” folder so you know which files still need attention.
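The checks in the last few steps are tedious to do by hand across thousands of files, so here is a small helper that does them: a pre-flight pass over the cryptounlocker folder (Python version, pycrypto importable, key file present, something to decrypt) and a post-run reconciliation that lists every encrypted file with no non-empty counterpart under “Decrypted Files”. This is an added example, not part of Cryptounlocker or of the original post. It assumes the folder layout from the steps above and that the script writes each output file under the same relative name as its input (an assumption; adjust `reconcile` if your version names output differently). The sample layout it builds is constructed for illustration and contains no real key or ransomware data.

```python
"""Pre-flight and result checks for the Cryptounlocker folder layout (added helper, not the tool itself)."""
import importlib.util
import sys
import tempfile
from pathlib import Path

KEY_FILE = "Your Private Key.bin"   # key file name from the steps above
ENCRYPTED_DIR = "Encrypted Files"   # input folder from the steps above
DECRYPTED_DIR = "Decrypted Files"   # output folder from the steps above
EXPECTED_PYTHON = (3, 3)            # the script is written for Python 3.3


def preflight(root, python_version=None, have_pycrypto=None):
    """Check the folder before running the script; return a list of problems (empty list = ready)."""
    root = Path(root)
    if python_version is None:
        python_version = sys.version_info[:2]
    if have_pycrypto is None:
        # pycrypto installs as the top-level package "Crypto"
        have_pycrypto = importlib.util.find_spec("Crypto") is not None
    problems = []
    if tuple(python_version[:2]) != EXPECTED_PYTHON:
        problems.append("python %d.%d on PATH, the script was written for 3.3" % tuple(python_version[:2]))
    if not have_pycrypto:
        problems.append("pycrypto not importable (import Crypto fails)")
    key = root / KEY_FILE
    if not key.is_file():
        problems.append("%s missing from %s" % (KEY_FILE, root))
    elif key.stat().st_size == 0:
        problems.append("%s is empty" % KEY_FILE)
    enc = root / ENCRYPTED_DIR
    if not enc.is_dir():
        problems.append("%s folder missing" % ENCRYPTED_DIR)
    elif not any(p.is_file() for p in enc.rglob("*")):
        problems.append("%s folder has no files" % ENCRYPTED_DIR)
    return problems


def _relative_files(folder):
    """Set of file paths under folder, relative to it, with forward slashes."""
    folder = Path(folder)
    if not folder.is_dir():
        return set()
    return {p.relative_to(folder).as_posix() for p in folder.rglob("*") if p.is_file()}


def reconcile(root):
    """After the run, compare input and output folders.

    Returns (number decrypted, sorted list of relative paths still needing attention).
    An output file that exists but is empty counts as not decrypted.
    Assumes output files keep the same relative name as their input (assumption).
    """
    root = Path(root)
    encrypted = _relative_files(root / ENCRYPTED_DIR)
    out = root / DECRYPTED_DIR
    done = {name for name in encrypted
            if (out / name).is_file() and (out / name).stat().st_size > 0}
    return len(done), sorted(encrypted - done)


def make_sample_layout():
    """Build a constructed cryptounlocker folder in a temp dir: 3 inputs, 1 good output, 1 empty output, 1 missing."""
    root = Path(tempfile.mkdtemp(prefix="cryptounlocker-"))
    (root / KEY_FILE).write_bytes(b"\x00" * 16)          # placeholder bytes, not a real key
    enc = root / ENCRYPTED_DIR
    out = root / DECRYPTED_DIR
    (enc / "finance").mkdir(parents=True)
    (out / "finance").mkdir(parents=True)
    (enc / "finance" / "budget.xlsx").write_bytes(b"ENC1")  # constructed ciphertext stand-ins
    (enc / "memo.docx").write_bytes(b"ENC2")
    (enc / "photo.jpg").write_bytes(b"ENC3")
    (out / "finance" / "budget.xlsx").write_bytes(b"PK..")  # decrypted OK
    (out / "memo.docx").write_bytes(b"")                    # script produced an empty file
    return root


if __name__ == "__main__":
    root = make_sample_layout()
    for problem in preflight(root):
        print("preflight:", problem)
    count, remaining = reconcile(root)
    print("%d decrypted, %d still encrypted: %s" % (count, len(remaining), remaining))
```

Run it from the cryptounlocker folder as `python check.py` (or call `preflight(".")` before the script and `reconcile(".")` after it). On a real run the remaining list is what you hand back to the script, or to whoever is restoring from backup, instead of eyeballing 57,000 files.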
I’m hoping this is the last time I run into Cryptolocker, but I somehow doubt this is the case, as this Trojan is getting spread around more and more widely of late.
Please comment below if you have anything to say about Cryptolocker or if these steps have helped you!