You probably remember Cryptolocker, a very nasty piece of ransomware that encrypted files on many computers and made its authors millions in ransom. If not, you can learn more about it here. Though it wasn’t horribly advanced, it did use industry-standard public/private key encryption: your files were locked under a key pair whose private half never left the criminals, so without that private key there was no practical way for the good guys to crack the encryption and get your files back.
However, there’s some great news on that front!
This week, FireEye and Fox-IT published a site called decryptcryptolocker.com. If you share your email address and one of your Cryptolocker-infected files with this site, they use that sample to identify the matching private key and email it to you, along with a tool that can decrypt all your Cryptolocker files. If you were one of the folks who didn’t have a good backup, you finally have an option to recover files other than just paying the criminals (never a good idea).
So how did FireEye and Fox-IT accomplish this? Essentially, by gaining control of and taking down Cryptolocker’s command and control (C&C) infrastructure, the servers where the criminals stored the private keys. If you’d like to know more about it, I suggest checking out FireEye’s blog post.
This is awesome work, and hopefully a big relief to anyone who still has Cryptolocker-encrypted files. That said, there are many Cryptolocker copycats and variants. This takedown gained access to one specific group’s C&C servers and keys, not to every ransomware operation’s. So there is a chance this tool won’t decrypt files from every Cryptolocker variant, and it certainly won’t help with the copycats, whose keys were never on those servers.
In any case, it’s great to see a score for the good guys.
— Corey Nachreiner, CISSP (@SecAdept)
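To make concrete why the private keys held on the C&C were the only way back in, and why a key recovered from one group does nothing for a different variant or copycat, here is an added example in Go. It is not code from this post, from FireEye or Fox-IT, or from Cryptolocker itself, and the file layout it uses is not Cryptolocker’s real format. It models the usual hybrid pattern: each file is encrypted with a random AES key, and that AES key is wrapped with the campaign’s RSA public key, so the victim machine never holds anything that can unwrap it. The recovery side looks the file’s key ID up in a keyring of private keys taken from the seized servers. The key-ID header, the `Keyring` type and the `encryptFile`/`decryptFile` names are assumptions made for this example; the cipher choices (AES-256-GCM, RSA-OAEP) are the example’s, not a claim about what Cryptolocker used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Keyring holds the private keys recovered from the seized C&C servers, indexed by key ID.
type Keyring map[string]*rsa.PrivateKey
// ErrUnknownKey: the file was locked under a key the takedown did not recover (another campaign or a copycat).
var ErrUnknownKey = errors.New("no recovered private key matches this file")

const idLen = 16 // hex-encoded 8-byte key ID (assumed file header, not Cryptolocker's real format)
// keyID derives a short identifier from a campaign public key so the recovery side can pick the right private key.
func keyID(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(pub.N.Bytes())
	return fmt.Sprintf("%x", sum[:idLen/2])
}

// encryptFile models the victim-side step: a fresh AES-256-GCM key encrypts the file and is then wrapped
// with the campaign's RSA public key (OAEP). Only the public key is on the victim machine, so nothing left
// behind can unwrap it. Hypothetical layout: [keyID][RSA-wrapped AES key][12-byte nonce][GCM ciphertext].
func encryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte(keyID(pub)), wrapped...), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// decryptFile models the recovery service: read the key ID, look it up among the recovered private keys,
// unwrap the AES key and decrypt. Without the matching private key there is no shortcut.
func decryptFile(ring Keyring, data []byte) ([]byte, error) {
	if len(data) < idLen {
		return nil, errors.New("truncated file")
	}
	priv, ok := ring[string(data[:idLen])]
	if !ok {
		return nil, ErrUnknownKey
	}
	rest, n := data[idLen:], priv.Size() // the wrapped key is exactly one RSA block long
	if len(rest) < n {
		return nil, errors.New("truncated file")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rest[:n], nil)
	if err != nil {
		return nil, err // wrong private key for this ID: OAEP unwrap fails, nothing is recovered
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	rest = rest[n:]
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("truncated file")
	}
	return gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Two campaigns, each with its own key pair held on the criminals' C&C; the takedown recovered only A's.
	campaignA, _ := rsa.GenerateKey(rand.Reader, 2048)
	campaignB, _ := rsa.GenerateKey(rand.Reader, 2048)
	recovered := Keyring{keyID(&campaignA.PublicKey): campaignA}
	doc := []byte("constructed sample document") // constructed sample input
	fileA, _ := encryptFile(&campaignA.PublicKey, doc)
	fileB, _ := encryptFile(&campaignB.PublicKey, doc)
	pt, err := decryptFile(recovered, fileA)
	fmt.Printf("campaign A file: %q (err=%v)\n", pt, err)
	_, err = decryptFile(recovered, fileB)
	fmt.Println("campaign B file:", err)
}
```

Run it with `go run`. The file from campaign A comes back intact, while the file from campaign B, produced by the identical code path, fails with `ErrUnknownKey` because its key never sat on the servers that were seized. That is the whole story of the takedown in miniature: the cryptography was never broken, the keys were simply recovered, so the tool helps exactly those victims whose keys were on those servers and no one else.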
Reblogged this on RealDefense and commented:
Interesting development. I’m curious as to how many variants there were in the wild for this nasty piece of malware.
OMG!!! This worked!! Thanks to the genius that figured this out!! I had backups of most of the files that we lost, but several critical files were still encrypted and downloading the one key, un-encrypted them all!! THANK YOU THANK YOU!!
Corey Nachreiner says
Yay! I’m so happy you got your files back. I was pretty worried before this that Cryptolocker would be a one-way thing…
scott wilson says
Are there any updates on the other variants? I have a hard drive that was hit and I am not able to recover the files using this recovery tool. It tells me the files are not encrypted by the virus.
Corey Nachreiner says
Not that I’ve heard of. I was a bit worried about that. Technically, FireEye and the other group found some Gameover Zeus servers, and they were associated with some Cryptolocker infections since that was one of the means it was distributed (through that botnet and others). But I doubted that it would represent all the CryptoLocker campaigns… Now, CryptoWall infections are also adding to the problem.
In any case, if I see any new news of authorities or good guys finding more Cryptolocker (or other ransomware) private keys, I will be sure to share here to keep you informed.