CryptoLocker malware has been cracked, victims able to decrypt their files for free

2013 saw the introduction of an extremely annoying piece of ransomware called CryptoLocker that was fairly original in its implementation. Ransomware would typically lock a victim's computer and demand a fee to unlock the machine; CryptoLocker, however, was different.

CryptoLocker would encrypt the files on the victim's storage using 256-bit AES encryption and demand about $300 in bitcoin for the decryption key. If the victim didn't pay within a specified time, the files would remain encrypted forever. Well, until a couple of days ago, at least.

Computer security experts and researchers from the firms Fox-IT and FireEye have collaborated to reverse engineer the CryptoLocker software in a project they called "Operation Tovar." The collaboration has led to the identification of many of the private keys used by CryptoLocker, and the two firms have subsequently developed a free decryption assistance website and tool to help victims of the ransomware retrieve their data at no cost.

The site requires the user to upload one file that has been affected by the ransomware (the firms specify that they will not store or view the file), and the service will email the user the relevant private key. The user must then download a separate tool, enter the private key and the location of the encrypted file, and the tool decrypts it.

Although the tool unlocks files encrypted by the original CryptoLocker malware, the researchers at FireEye point out that there are variants and copycats of CryptoLocker that it would not be able to unlock. One of these variants was recently discovered to be infecting Synology NAS devices, and there is no indication of whether or not this decryption tool would be able to help its victims. Unfortunately, the only avenues available to victims of such variants are to pay the ransom or to accept that their files remain permanently encrypted.

The decryption assistance website can be accessed here.

Source: FireEye | Images via FireEye


20 Comments


Yes - backups, snapshots, volume shadow copy, and preventing apps from running under the user profile folder are all ways of effectively protecting yourself.

Probably... it's big money for them and there's plenty of people who even after years of warnings will run anything and everything without a care in the world.

Hello,

This service is for people who were infected by older versions. Essentially, FireEye and Fox-IT got a data dump of the private keys from the criminals behind this. It is certainly not complete and won't help everyone, but for those people who were affected by this particular version of CryptoLocker and don't have backups of those files, it's a giant stroke of luck.

Regards,

Aryeh Goretsky

Yes let me upload all the sensitive files that were infected and deemed ransom worthy up to someone's private server and trust this guy because instead of $300, he'll do it free.

Oh that's right, he promises not to do anything with the files. Okay then!

21st century, good guys and bad look alike!

Why don't they make an offline executable?


The collaboration between the two has led to the identification of many of the private keys used by CryptoLocker

This implies they somehow managed to break the encryption to get the keys. What really happened is they managed to get a hold of one of the command and control servers used by the group, and were able to obtain a cache of private keys from it.

Sly_Ripper said,
No one's forcing you to use it, keep your encrypted files.

That goes without saying.

Are they really helping? The reason a lot of people become infected is due to trusting too naively. Either they reveal too much or trust an executable too easily.

These researchers are establishing a poor precedent; we'll help you but trust us with your file.

People will never learn this way. Better safe than sorry and pay the ransom, because at least you know the conviction of the other party.

Fulcrum said,

That goes without saying.

Are they really helping? The reason a lot of people become infected is due to trusting too naively. Either they reveal too much or trust an executable too easily.

These researchers are establishing a poor precedent; we'll help you but trust us with your file.

People will never learn this way. Better safe than sorry and pay the ransom, because at least you know the conviction of the other party.


To be fair, it's unlikely that every file that gets encrypted will be important to you, you can upload some random encrypted file without risking your data.

And if not, then you either have backups, pay up, or are just screwed. This service offers another option.

Also, they probably don't want to make a file that can be downloaded, as that will tell the hackers which keys have been compromised. This way it's all done one by one.

Fulcrum said,

People will never learn this way. Better safe than sorry and pay the ransom, because at least you know the conviction of the other party.

?

They specifically ask you not to upload a confidential file-- just upload autoplay.inf or some obscure DLL.

Hello,

You just need to upload *one* file to the service. Given the number of data files that Win32/CryptoLocker targeted, it is more than likely victims have at least one file that does not contain any personally-identifiable information.

Also, this service is being offered by FireEye and Fox-IT, two well-known firms in the computer security industry. They are hardly unknown and certainly not "fly by night" operations.

As for why they don't offer a downloadable tool, it is probably because the dataset is (1) too large (likely in the gigabyte range); and (2) requires a respectable number of servers to run, in order to return results within a few hours. This is not the kind of operation you run on a desktop-grade system if you want your results back anytime soon.

Regards,

Aryeh Goretsky

Fulcrum said,
Yes let me upload all the sensitive files that were infected and deemed ransom worthy up to someone's private server and trust this guy because instead of $300, he'll do it free.

Oh that's right, he promises not to do anything with the files. Okay then!

21st century, good guys and bad look alike!

Why don't they make an offline executable?