Cryptolocker

Recently I have been dealing with a Cryptolocker infection at work that has taken out our shared network files twice now. This latest infection is by far the worst one I have seen so far, since our backups hadn’t been completing correctly due to a configuration error in the NTFS permissions on the shares.

For those who don’t know, Cryptolocker is a new form of ransomware which encrypts a huge number of file types and then demands you pay $300 USD to decrypt your personal files. Full details at Bleeping Computer.

Since our backups at work had failed, we were forced to pay the ransom to recover our files, as it had encrypted over 57,000 of them. After we paid the ransom it went to work and decrypted all but roughly 3,000 of the files.

Screenshots of Cryptolocker

Later a co-worker found a way to use the “Your Private Key.bin” file we got after paying the ransom to decrypt the remaining files using a Python script called Cryptounlocker.

Cryptounlocker Instructions

  • Install Python 3.3.
  • Install the pycrypto module.
  • Download the Crypto-Unlocker script and extract it.
  • Copy “Your Private Key.bin” into the root cryptounlocker folder and the encrypted files into the “Encrypted Files” folder under that.
  • Open a command line, type “python”, and it should show the correct version, 3.3.3.
  • On the command line navigate to the cryptounlocker folder and type “python Crypto-Unlocker-V1.1.5-Run.py”.
  • Check the “Decrypted Files” folder for the results.

I’m hoping this is the last time I run into Cryptolocker, but I somehow doubt it, as this Trojan has been spreading faster and faster recently.

Please comment below if you have anything to say about Cryptolocker or if these steps have helped you!

17 comments

  1. Hey I got infected by this thing…paid up and got a lot of file decrypt but the files on my wifi drive failed to decrypt. How do I go about decrypting the rest of my precious photos and other files that failed to decrypt because the mapped drives changed during the infection?

    where is the private key located???

    1. I am the author of Crypto-Unlocker. I included functionality to use exported registry keys as the private key in case you don’t have the “Your Private Key.bin”. There is a sample of a legitimate private key in registry key form and bin file form in a folder called “Example Private Keys”. These are private keys from my friend’s infection so they are good as examples, BUT THEY WILL NOT WORK FOR ANYONE OTHER THAN HIM. They are just to compare yours to so you can make sure you exported yours right.

      DO NOT ADD THOSE REGISTRY KEYS TO YOUR REGISTRY.
      If you do this they may overwrite your real private key in the registry and you’ll have to either do a system restore to get it back (you can also cut the power to the computer without shutting down properly since it won’t have saved the registry yet) or upload a file to the virus author’s website for him to give you the key again, neither of which you want to do.

      To find the private key registry entry open a command prompt and type “regedit” and then go to this location: HKEY_CURRENT_USER\Software\CryptoLocker_0388
      Export that as a registry key by clicking “File” and then “Export”

      You can then follow the instructions included with Crypto-Unlocker to finish the rest.

      Also, Matt, I would much appreciate it if you removed my e-mail address from this post. It’s not something I want to give out.

      1. Thanks for the reply to this post. Your e-mail address will not appear on my website so no worries about that one.

        If you have any new information about Cryptolocker please let me know and I will love to share it here if you let me or help you promote your great product.

        Thanks Matt

        1. Well there is one tidbit, there is a copycat going around that is written in an entirely different language than the original and my program will be of no use for infections from it. It uses a weaker RSA encryption scheme with a 1024-bit key instead of 2048, but nonetheless the highest RSA key that has been cracked so far was RSA-768.

          https://en.wikipedia.org/wiki/RSA_Factoring_Challenge

  2. where would the “Your Private Key.bin” file be located on my computer??? Really need help to get my files back…..thanks for posting this info!!! You know this virus is something else when someone from Alaska is hit!!!

  3. Our “Your Private Key.bin” file was found on the desktop of the infected computer. You might have to turn on hidden files to see it.

  4. exported key from registry. What is the Cryptounlocker root directory. I have python 3.3 installed and have it in the site-packages sub-directory.

  5. Copied the example key to test and it worked. I exported my registry entry for the cryptolocker and got the reg file. How do we create the bin file?

    1. You do not create the .bin file from the .reg file. You can use the .reg INSTEAD of the .bin. Just place the .reg in the root folder like you would with the .bin, but make sure that you do not have other private keys in the folder. The program will use the first one it finds in alphabetical order and if it finds the example one first it’ll use it. It won’t use them if they’re in a subfolder though. Let us know if it worked for you.

  6. I don’t think you can simply “create” it. The company I work for got our bin file (which was saved to the desktop) after they paid the ransom to decrypt the machine and all the files that it encrypted.

  7. Can you please tell me if the program will work without the “private key” ?

    I am trying to help a friend to decrypt the files but he reinstalled the OS and saved the encrypted files. Thank You

    1. Encryption has two parts. One part is the public key and the other part is the private key. You need both parts to decrypt files.

      I don’t know of any way to do decryption with only one part of the keys. It’s kinda like trying to unlock a door or start your car with one half of your key, it doesn’t work.

  8. Moses
    I have the .reg and Your Private Key.bin but for some files like .mdb, SolidWorks files and .xls files the script says that the files aren’t encrypted?
    What am I doing wrong? Other files like PDF, Word, .xlsx, PowerPoint (2010) work.
    Any recommendations?
    Thanks.

    1. Someone else came to me with this same issue. He sent me a file to look at and see if I could figure out what was going on. I loaded it up in a hex editor and this is what it looked like for the majority of the file.

      http://i1151.photobucket.com/albums/o630/MosesofEgypt/example_zps3d71c2b8.png

      It contained a boatload of redundant data with a specific structure to it. This is NOT how cryptolocker’d files look, nor anything encrypted in general.

      Cryptolocker files are structured like so:

      first 20 bytes: SHA1 hash of the AES key, used to verify the file is cryptolocker’d
      next 256 bytes: AES key encrypted with the RSA key
      rest of the file: original file encrypted with the AES key (data is padded to the next multiple of 16 bytes)

      There is no visual organization to cryptolocker files since everything is supposed to look like random garbage. I’ve looked more closely at the file that was sent to me and I’ve noticed some human readable text so I know the file is absolutely not encrypted, but it might be edited in a way to make it normally unreadable.

      I’ll look into this more, but it’s safe to say that if my program says the file isn’t encrypted, it’s likely had something else done to it. Load the file up in a hex editor and see if it looks like random garbage or if you can find some kind of pattern to it.

      1. Thanks for your reply. Yes, it is not encrypted, but the files were working before the virus, so it seems that somehow after the virus the files were corrupted.
        Thanks.
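The file layout described in the Crypto-Unlocker author’s comment above (20-byte SHA1 of the AES key, 256-byte RSA-encrypted AES key, AES ciphertext padded to 16 bytes) can be turned into the same triage he does by hand in a hex editor: check the header size, the 16-byte padding, and whether the body looks like random garbage or like structured data. The script below is an added example, not code from this post or from Crypto-Unlocker; the sample blobs, the 7.5 bits/byte entropy threshold and the `SAMPLE_KEY` are constructed assumptions.

```python
import hashlib
import math
import random

# Layout of a CryptoLocker-encrypted file as described in the comment above.
SHA1_LEN = 20          # SHA1 of the per-file AES key
RSA_BLOCK_LEN = 256    # AES key encrypted with the 2048-bit RSA public key
HEADER_LEN = SHA1_LEN + RSA_BLOCK_LEN
AES_BLOCK = 16         # body is padded to a multiple of the AES block size


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext,
    far lower for text, repeated patterns or zero-filled corruption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(blob: bytes, min_entropy: float = 7.5) -> dict:
    """Report whether a blob has the shape of a CryptoLocker file.
    A structured or human-readable body means something other than
    CryptoLocker damaged the file, as the comment above concludes."""
    result = {"has_header": len(blob) >= HEADER_LEN,
              "body_padded_to_16": False, "body_entropy": 0.0,
              "looks_encrypted": False}
    if not result["has_header"]:
        return result
    body = blob[HEADER_LEN:]
    result["body_padded_to_16"] = len(body) > 0 and len(body) % AES_BLOCK == 0
    result["body_entropy"] = round(shannon_entropy(body), 2)
    result["looks_encrypted"] = (result["body_padded_to_16"]
                                 and result["body_entropy"] >= min_entropy)
    return result


def key_matches_header(blob: bytes, aes_key: bytes) -> bool:
    """The first 20 bytes are SHA1(AES key), so a recovered key can be
    confirmed against a file before any decryption is attempted."""
    return len(blob) >= SHA1_LEN and hashlib.sha1(aes_key).digest() == blob[:SHA1_LEN]


# Constructed samples (not real ransomware output): a valid-looking header,
# followed by pseudo-random bytes or by the kind of repeated pattern seen above.
_rng = random.Random(1)
SAMPLE_KEY = bytes(range(32))                              # assumed AES-256 key
_header = hashlib.sha1(SAMPLE_KEY).digest() + bytes(RSA_BLOCK_LEN)
RANDOM_LIKE = _header + bytes(_rng.getrandbits(8) for _ in range(4096))
STRUCTURED = _header + b"ABCD" * 1024
```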
