CryptoLocker: Malware that encrypts all your data with an RSA 256 bit AES



I don't know if this still applies, but it is encouraging ...

 

The encryption used by the malware is actually RC6 with a simple XOR obfuscation. Since the encryption key is static, decryption of the encrypted files is possible (at least for the variants that I was able to get my hands on). I wrote a small decryption tool that will help you with the decryption of your files. You can download it here:

 

 

If you only have a single hard disk, just download the tool to your Desktop and run it. It will automatically scan your hard disk and decrypt the files it finds to be infected, without deleting the encrypted originals. You can then check whether the decrypted files open properly. Once you have verified that the files were decrypted properly, you can delete the encrypted HTML files.

 

If you have more than one hard disk with encrypted files, things are slightly more complicated. To scan and decrypt files on those other hard disks you will have to pass the additional drives as a command line parameter:

  1. Press the R key while holding down your Windows key.
  2. Type in "cmd.exe" and press Enter.
  3. The Windows Command Line prompt should show up.
  4. You first need to switch to the directory you downloaded the decryption tool to. This can be done using the cd command:

    cd /d "<path>"

    Just replace <path> with the path you downloaded the decryption tool to. If you downloaded it to C:\Users\Administrator\Downloads for example the exact command line to type in should look like this:

    cd /d "C:\Users\Administrator\Downloads"

    If you did everything right you will see that the command prompt changed slightly and now references the download directory.

  5. Run the decryption tool with a list of all your drives you want the tool to scan. If you have a C:, D: and E: drive for example, run the tool like this:

    decrypt_mblblock.exe C:\ D:\ E:\

    Please be patient while the tool is running.

The tool also features a few additional parameters, but unless you plan to automate the entire decryption process those are most likely not very interesting for you. If for some reason the tool fails to decrypt certain files on your system, please let me know and I will see if I can update the tool. If you have further questions or run into any unexpected problems, please let me know as well.

 

http://www.bleepingcomputer.com/forums/t/494759/decrypt-protect-ransomware/page-3

 

Sweet. Great to know, just downloaded the tool

 

On the downside, this will save the asses of people who have no backups. I say "downside" because people have to truly lose data before they get a clue and back up (though in this case backups might have got hit too, but it would have taught them about good offsite backups).


There is a version 2 of the tool:

 

You can also use a newer version of the tool that is a lot easier to use for most people:

 

http://tmp.emsisoft.com/fw/decmblblock.exe

 

Under Options you find the option to delete encrypted files after decryption. Please test whether or not files are decrypted properly first, though. The easiest way is to just copy a few encrypted files into a dedicated folder, use the tool on that folder only, and go through the decrypted files one by one. If the files were recovered properly, it should be safe to enable the delete option and run the tool on your entire hard drive.

 

http://www.bleepingcomputer.com/forums/t/494759/decrypt-protect-ransomware/page-4

 

And a version 3:

 

The new version, that handles both the new variant as well as all older variants of the malware, is available here:

http://tmp.emsisoft.com/fw/decrypt_harasom.exe

I verified that all sample files that people sent me are decrypted correctly. I still suggest that everyone test the decrypter on a small subset of files first to see if it works on your system as well. As always, if you come across any files that can't be decrypted properly, either post here or drop me an email (fw@emsisoft.com).

 

http://www.bleepingcomputer.com/forums/t/494759/decrypt-protect-ransomware/page-6

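The posts above say to test the decrypter on a small folder and go through the results one by one before enabling the delete option. The following script is an added example of how to automate that check; it is not part of the thread and not code from the Emsisoft tool. It judges each output file by the leading bytes its extension implies, and flags files with unknown extensions whose content still looks like ciphertext (byte entropy near 8 bits/byte). The signature table, the 7.5 bits/byte threshold and the constructed sample files are assumptions of this example.

```python
"""Check a folder of decrypted files before enabling "delete encrypted originals".
Constructed example, not from the thread or the Emsisoft decrypter."""
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Well-known leading bytes for formats commonly hit by file encryptors (extension -> signatures).
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",), ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",), ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".exe": (b"MZ",),
}
ENTROPY_SUSPECT = 7.5     # bits/byte; text sits around 4-5, ciphertext and good compression near 8
MIN_ENTROPY_SAMPLE = 256  # too few bytes give a meaningless entropy figure


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """'ok' or 'bad' when the extension has a known signature; otherwise
    'suspect' for ciphertext-like content, 'unknown' when nothing can be said."""
    with open(path, "rb") as f:
        head = f.read(4096)
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is not None:
        return "ok" if any(head.startswith(s) for s in sigs) else "bad"
    if len(head) >= MIN_ENTROPY_SAMPLE and entropy(head) > ENTROPY_SUSPECT:
        return "suspect"
    return "unknown"


def check_folder(folder) -> dict:
    """Bucket every file under folder by classify()."""
    report = {"ok": [], "bad": [], "suspect": [], "unknown": []}
    for p in sorted(Path(folder).rglob("*")):
        if p.is_file():
            report[classify(p)].append(p.name)
    return report


def safe_to_delete_originals(report: dict) -> bool:
    """Require at least one positively verified file, no failures and nothing ciphertext-like."""
    return bool(report["ok"]) and not report["bad"] and not report["suspect"]


def run_demo():
    """Build a constructed test subset in a temp folder, check it, remove the two
    files that are still ciphertext, check again. Returns (before, after)."""
    folder = Path(tempfile.mkdtemp(prefix="decrypt-check-"))
    try:
        (folder / "report.pdf").write_bytes(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\n")
        (folder / "notes.txt").write_bytes(b"plain text notes, nothing ciphertext-like here\n" * 8)
        (folder / "photo.jpg").write_bytes(bytes(range(256)) * 4)      # no JPEG header: not decrypted
        (folder / "leftover.dat").write_bytes(bytes(range(256)) * 16)  # unknown extension, 8 bits/byte
        before = check_folder(folder)
        (folder / "photo.jpg").unlink()
        (folder / "leftover.dat").unlink()
        after = check_folder(folder)
    finally:
        shutil.rmtree(folder, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before, "safe:", safe_to_delete_originals(before))
    print("after:", after, "safe:", safe_to_delete_originals(after))
```

Point check_folder at the folder holding the decrypter's output. If the encrypted originals are still in it (the first post says they carry an .html name), they have no entry in the table and will land in "suspect" because of their entropy, which keeps safe_to_delete_originals false until you move them out; that conservative failure is the intended behaviour.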

That's some scary crap! :s

 

Definitely starting a full offsite backup tonight! I do backup offsite all the time but those are incremental after the main one was done a while back. Doing a full backup NOW then copying that offsite as soon as I can.


If any malware clinches you by the nuts, this does. I find it quite hilarious.

 

This should be picked up in no-time by AV software, I mean this is very high risk.


if the malware has an "enter the key you received after the payment here" box, it's crackable :) I usually spend some time cracking this kind of malware, like the WinLock ones, and they are usually pretty lame :)


How can they get away with this? Surely they would get arrested when lots of $300 payments start flooding in?

Where's our wonderful FBI and NSA when you need them ?

 

They worry about much more unimportant crap than this.


if the malware has an "enter the key you received after the payment here" box, it's crackable :) I usually spend some time cracking this kind of malware, like the WinLock ones, and they are usually pretty lame :)

 

This uses RSA and the keys are randomly generated and stored on their server, so it will be unique for every single PC. The private key is never transmitted across the network so you can't capture it in any way. There is also no way to simply crack RSA.


This uses RSA and the keys are randomly generated and stored on their server, so it will be unique for every single PC. The private key is never transmitted across the network so you can't capture it in any way. There is also no way to simply crack RSA.

 

I was not talking about reversing the encryption in the files. See, usually this kind of malware has a textbox where you enter a PIN/code/serial/whatever that you should receive after you pay what they want. This key is used to unlock the files, and usually in this kind of software this key is not the same as the RSA one; it is just a serial that triggers the decryption routine.

 

This very same serial can be cracked. That was my point.

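The two positions in this exchange can be put side by side in code. The block below is an added illustration, not code from the thread or from any malware: design A models a locker whose unlock code is checked locally and whose file key is derivable on the victim machine, which is also the situation in the Decrypt Protect post earlier in the thread (a static key in the binary); design B models the per-victim RSA scheme described above, where the file key is wrapped with a public key and the private key never leaves the attacker's server. Toy RSA (256-bit, no padding) and a SHA-256 keystream stand in for the real primitives and are not secure for real use; BAKED_SALT, the victim identifiers and the serial derivation are assumptions of this example.

```python
"""Two ransomware key designs side by side. Constructed illustration:
A = local serial check over a key derivable on the victim machine,
B = random per-victim key wrapped with the attacker's RSA public key."""
import hashlib
import os
import random
import secrets


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric layer for both designs: XOR with SHA256(key || counter) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


# ---- Design A: the serial box only gates a routine; the key is in the binary ----
BAKED_SALT = b"locker-v1-salt"   # assumed constant shipped inside the malware

def a_file_key(victim_id: str) -> bytes:
    return hashlib.sha256(BAKED_SALT + victim_id.encode()).digest()[:16]

def a_encrypt(victim_id: str, data: bytes) -> bytes:
    return stream_xor(a_file_key(victim_id), data)

def a_expected_serial(victim_id: str) -> str:
    return hashlib.sha256(b"serial" + BAKED_SALT + victim_id.encode()).hexdigest()[:12]

def a_check_serial(victim_id: str, serial: str) -> bool:
    """'Enter the code you received after payment': a string compare, not key material."""
    return secrets.compare_digest(serial, a_expected_serial(victim_id))

def a_forge_serial(victim_id: str) -> str:
    """Every input to the check is in the binary, so a reverser reproduces it."""
    return a_expected_serial(victim_id)

def a_recover(victim_id: str, ciphertext: bytes) -> bytes:
    """Or skip the serial entirely and run the key derivation directly."""
    return stream_xor(a_file_key(victim_id), ciphertext)


# ---- Design B: random key per victim, wrapped with a public key; private key stays remote ----
def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def rsa_keygen(bits: int = 256):
    """Return ((e, n), (d, n)). Only (e, n) ever reaches the victim machine."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:       # e is prime, so e not dividing phi means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def b_infect(pub, data: bytes):
    """Victim side: fresh key, encrypt, wrap the key with pub, discard the plaintext key."""
    e, n = pub
    key = os.urandom(16)             # 128-bit value < n, so textbook RSA round-trips it
    ciphertext = stream_xor(key, data)
    wrapped = pow(int.from_bytes(key, "big"), e, n)
    del key                          # what remains on disk: ciphertext, wrapped, pub
    return ciphertext, wrapped

def b_unwrap(priv, wrapped: int) -> bytes:
    d, n = priv
    m = pow(wrapped, d, n)
    return m.to_bytes(max(16, (m.bit_length() + 7) // 8), "big")

def b_recover(priv, ciphertext: bytes, wrapped: int) -> bytes:
    """Attacker side, or the victim after the private key is handed over."""
    return stream_xor(b_unwrap(priv, wrapped), ciphertext)
```

In design A, a_recover never touches the serial: the comparison in a_check_serial is a gate in front of code that already has the key, which is why a serial check can be forged or bypassed. In design B, the victim machine only ever holds ciphertext, the wrapped key and (e, n); b_recover with a different private key produces garbage, and there is no local routine to patch that would yield the key.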

I was not talking about reversing the encryption in the files. See, usually this kind of malware has a textbox where you enter a PIN/code/serial/whatever that you should receive after you pay what they want. This key is used to unlock the files, and usually in this kind of software this key is not the same as the RSA one; it is just a serial that triggers the decryption routine.

 

This very same serial can be cracked. That was my point.

 

One has to wonder why these programs even include a decryption routine that can be so easily cracked.


One has to wonder why these programs even include a decryption routine that can be so easily cracked.

 

Because the average user will just pay them the money.


No, but I mean. Why legitimately decrypt the files? Why not just run off with the money?

 

Because oddly enough word would get around that paying them does nothing.


^ They are honest thieves. :shifty:

 

I shudder to think what would happen if a legitimate key was required to unlock the files. All it takes is one coder to be a bit more rigorous in his coding than these guys were, just for funsies. Off to do another off-site backup!


  • 2 weeks later...

Hey guys, 

So my dad's office was hit with this last week; it was actually transferred by an adjacent company's network. They share a space with my dad's office. None of the malware programs that they have installed picked this up. We were able to remove the malware after several attempts, but now his entire server is encrypted. Does anyone know if there has been a successful method to decrypt the files yet? He has backups but unfortunately the IT guy that had set up his server somehow turned off backups last November!


Perhaps now would be a good time to start doing full weekly backups with daily incrementals instead of doing full backups at the end of the month.


Oh. How rude! Time to make all my network drives read-only! (technically all but 1 - RAID5 can deal with 1) I don't have any other way to practically deal with =P

 

More on topic, I would imagine UAC wouldn't really protect against this at all as it could run in user space and still do a lot of damage! (getting to run is a different story)

 

 

I hope this is a typo and that you didn't mean that you don't need to protect your storage from this as you have RAID-5?


Already on that, I'm in the process of setting up Office 365 for them, so they can start backing up to the cloud as well. 

Hum already posted a link to an application to decrypt the files as well as instructions on how to use it, read the previous pages...


Why is it always ?300, regardless of the malware? Has someone done a study that finds this to be the limit of what people would be willing to pay or something?

That looks like one nasty piece of programming. I've been putting off getting another external drive for backups for a while now, but this might be the point where I say, "I need to get back in to the habit." I've got nothing incredibly important, but I'd like to keep my photos, music and so on.


Has anybody gotten the decrypter to work? I have a major issue at the moment and the backups failed on Monday morning, the 23rd at 1:00 a.m., for the first time ever. I am attempting to pay these CROOKS but it is "authorizing payment" and I need to get my client up as soon as possible. The files are critical. I am willing to pay for successful help!


This topic is now closed to further replies.