Posted on by Robert Longworth
Not so long ago CryptoLocker victims had to pay a hefty fee to get the keys to decrypt their files. Recently, law enforcement agencies and the security companies FireEye and Fox-IT seized a worldwide network of hijacked computers that was being used to spread both CryptoLocker and another strain of malware known as Gameover Zeus. With control over part of the network, police forces and security firms were able to obtain a copy of the database holding all the encryption keys as it was in transit over the network.
All 500,000 victims of CryptoLocker can now recover their encrypted files without paying a ransom, thanks to FireEye and Fox-IT, who have partnered to provide these keys on their online portal.
A user must first provide an email address and upload a sample of one of their encrypted files to the portal. The corresponding master decryption key is then issued to that email address, along with a download link to the recovery program, which can be used together with the master decryption key to repair all the encrypted files on the system.
Note: I may have just been unlucky, but the first file I provided, an image saved in the JPG format, failed to result in a key; however, the second file provided, a PDF file, did resolve in finding the key, which worked and decrypted all encrypted files, including the JPG previously submitted which had failed to find a key.
The master decryption key provided will decrypt any of the user's files encrypted by CryptoLocker on the same system as the sample submitted to the online portal.
This in itself is fantastic work by these security researchers; however, a little snag with the tool provided is that files must be decrypted one at a time. With the aid of the Command Prompt and Notepad++ (no doubt other text editors can produce the same result), we can write a small BAT file to decrypt all the encrypted files on your system.
The first part is to create a BAT file containing a list of all the encrypted files. It doesn't matter if the folder also contains files that were never encrypted; these will simply be ignored.
Go into your command prompt and type one of the following, altering the paths and options as desired:
To produce a list of all your files (/a-d keeps directory names out of the list, so the tool is only ever pointed at files):
dir "C:\Users\Test\EncryptedFilesFolder" /b /s /a-d > "C:\Users\Test\EncryptedFiles.bat"
or to produce a list of only certain file types, such as PDFs (the file pattern goes inside the quoted path; placed after it, dir would also list *.pdf files under the current directory):
dir "C:\Users\Test\EncryptedFilesFolder\*.pdf" /b /s /a-d > "C:\Users\Test\EncryptedPDFs.bat"
This produces a BAT file listing all the files, or those of the selected types, which we can now edit using Notepad++'s find-and-replace function to turn it into a BAT file that decrypts our files.
Open the BAT file in Notepad++ and open the find-and-replace dialog, which can be reached by pressing the CTRL + H shortcut.
We are going to start by placing the decrypt command at the start of each line, followed by a closing quotation mark at the end of each line.
Make sure the find-and-replace dialog is in Regular Expression search mode. First, the decrypt command at the start of each line (^ matches the start of a line in regular expression mode):
find: ^
replace: echo Yes|C:\Decryptolocker.exe --key "-----BEGIN RSA PRIVATE KEY----- !KEY HERE! -----END RSA PRIVATE KEY----- " "
Now the closing quotation mark at the end of each line ($ matches the end of a line):
find: $
replace: "
Each resulting line should look something like:
echo Yes|C:\Decryptolocker.exe --key "-----BEGIN RSA PRIVATE KEY----- !KEY HERE! -----END RSA PRIVATE KEY----- " "C:\EncryptedFile.pdf"
Finally, run your custom BAT file. You should see it run through each file; it may take a few minutes depending on how many files are in your list.
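As an added example (not from the original post or the FireEye/Fox-IT tool), the same decryption BAT file can be generated straight from the directory listing, skipping the Notepad++ find-and-replace step and pasting the key only once. It assumes the tool sits at C:\Decryptolocker.exe, the key from the portal email has been saved on a single line in C:\key.txt, and the encrypted files are under C:\Users\Test\EncryptedFilesFolder; change those four paths to suit.

```batch
@echo off
setlocal DisableDelayedExpansion
rem Added example, not part of the original post: build the decryption BAT file
rem directly from the directory listing instead of editing it in Notepad++.
rem Assumed paths (change as needed): the tool, the one-line key file saved from
rem the portal email, the folder of encrypted files, and the BAT file to write.
set "TOOL=C:\Decryptolocker.exe"
set "KEYFILE=C:\key.txt"
set "TARGET=C:\Users\Test\EncryptedFilesFolder"
set "OUT=C:\Users\Test\DecryptAll.bat"

if not exist "%TOOL%"    (echo Tool not found: %TOOL% & exit /b 1)
if not exist "%KEYFILE%" (echo Key file not found: %KEYFILE% & exit /b 1)

rem Read the single line of the key file into KEY.
set "KEY="
set /p KEY=<"%KEYFILE%"
if not defined KEY (echo Key file is empty: %KEYFILE% & exit /b 1)

rem Start a fresh output file, then append one decrypt command per file.
rem for /r matches files only, so directory names never reach the tool.
rem ^| escapes the pipe here so that it is written into the output file.
> "%OUT%" echo @echo off
for /r "%TARGET%" %%F in (*) do (
    >> "%OUT%" echo echo Yes^|"%TOOL%" --key "%KEY%" "%%~fF"
)

echo Written %OUT%. Check it, then run it to decrypt the files.
endlocal
```

The generated file holds your private key in plain text on every line, so delete it once the files are recovered.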