You probably remember Cryptolocker, a very nasty piece of ransomware that successfully encrypted files on many computers and made its authors millions in ransom. If not, you can learn more about it here. Though it wasn’t horribly advanced, it did use industry-standard public/private key encryption, which made it almost impossible for the good guys to crack the encryption and get your files back without the criminals’ private keys.
However, there’s some great news on that front!
This week, FireEye and Fox-IT published a site called decryptcryptolocker.com. If you share your email address and one of your Cryptolocker-infected files with this site, they will email you the private key and a tool that can decrypt all your Cryptolocker files. If you were one of the folks who didn’t have a good backup, you finally have an option for recovering files other than paying the criminals (never a good idea).
So how did FireEye and Fox-IT accomplish this? Essentially, by gaining control of, and taking down, Cryptolocker’s command and control (C&C) infrastructure, where the criminals stored all their private keys. If you’d like to know more about it, I suggest checking out FireEye’s blog post.
This is awesome work, and hopefully a big relief to anyone who still has Cryptolocker infections. That said, there are many Cryptolocker copycats and variants. This takedown gained access to one specific group’s C&C servers and keys, not to those of every ransomware variant. There is a chance this tool won’t decrypt the files for every Cryptolocker variant, and it surely won’t help with the copycats.
In any case, it’s great to see a score for the good guys.