
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Good News! You Might Get Your Cryptolocker Encrypted Files Back

August 7, 2014 By Corey Nachreiner

You probably remember Cryptolocker, a very nasty piece of ransomware that successfully encrypted files on many computers and made its authors millions in ransom. If not, you can learn more about it here. Though it wasn’t horribly advanced, it did use industry-standard public/private key encryption, making it almost impossible for the good guys to actually crack the encryption and get your files back without the private key.

However, there’s some great news on that front!

This week, FireEye and Fox-IT published a site called decryptcryptolocker.com. If you share your email address and one of your Cryptolocker-infected files with this site, they will email you the private key and a tool that can decrypt all your Cryptolocker files. If you were one of the folks who didn’t have a good backup, you finally have an option to recover files other than just paying the criminals (never a good idea).

So how did FireEye and Fox-IT accomplish this? Essentially, by gaining control of, and taking down, Cryptolocker’s command and control (C&C) infrastructure, where the criminals stored all their private keys. If you’d like to know more about it, I suggest checking out FireEye’s blog post.

This is awesome work, and hopefully a big relief to anyone who still has Cryptolocker infections. That said, there are many Cryptolocker copycats and variants. This takedown gained access to a specific group’s C&C servers and keys, not to those of every ransomware variant. There is a chance this tool won’t decrypt the files for every Cryptolocker variant, and it surely won’t help with the copycats.

In any case, it’s great to see a score for the good guys.

— Corey Nachreiner, CISSP (@SecAdept)


Filed Under: Security Bytes Tagged With: Cryptolocker

Comments

  1. RealDefense says

    August 13, 2014 at 1:16 pm

    Reblogged this on RealDefense and commented:
    Interesting development. I’m curious as to how many variants there were in the wild for this nasty piece of malware.

  2. abswv says

    August 14, 2014 at 9:32 am

    OMG!!! This worked!! Thanks to the genius that figured this out!! I had backups of most of the files that we lost, but several critical files were still encrypted and downloading the one key, un-encrypted them all!! THANK YOU THANK YOU!!

    • Corey Nachreiner says

      August 14, 2014 at 2:16 pm

      Yay! I’m so happy you got your files back. I was pretty worried before this that Cryptolocker would be a one-way thing…

  3. scott wilson says

    September 26, 2014 at 8:28 am

    Are there any updates on the other variants? I have a hard drive that was hit and I am not able to recover the files using this recovery tool. It tells me the files are not encrypted by the virus.

    • Corey Nachreiner says

      September 29, 2014 at 2:37 pm

      Scott,

      Not that I’ve heard of. I was a bit worried about that. Technically, FireEye and the other group found some Gameover Zeus servers, and they were associated with some Cryptolocker infections since that was one of the means by which it was distributed (through that botnet and others). But I doubted that it would represent all the CryptoLocker campaigns… Now, CryptoWall infections are also adding to the problem.

      In any case, if I see any new news of authorities or good guys finding more Cryptolocker (or other ransomware) private keys, I will be sure to share it here to keep you informed.
