How to Unlock Systems Infected by CryptoLocker Ransomware

By Ron Benvenisti for TLS: Referring to last week’s Brick Police article: if your computer has been compromised and you can no longer access important files, go here:

For free keys designed to unlock systems infected by CryptoLocker

CryptoLocker is a ransomware trojan which targets computers running Microsoft Windows and was first observed by Dell SecureWorks in September 2013. A CryptoLocker attack may arrive through various vectors; one common form is disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key held only on the malware’s control servers, so the files cannot be decrypted from the infected machine alone. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware’s operators, for a significantly higher price in Bitcoin.

Although CryptoLocker itself is readily removed, the files remain encrypted in a way which researchers have considered infeasible to break. Many advised that the ransom should not be paid, but offered no way to recover files; others said that paying the ransom was the only way to recover files that had not been backed up. Payment of the ransom did not always lead to the files being decrypted.

In late May 2014, law enforcement agencies and security companies seized a network of hijacked computers used to spread both CryptoLocker and Gameover Zeus, in what was called “Operation Tovar”. The criminals attempted to send a copy of their database to a safe location, but it was intercepted by agencies already in control of part of the network. Russian national Evgeniy Bogachev, aka “lucky12345” and “slavik”, was charged by the US FBI with being the ringleader of the gang behind Gameover Zeus and CryptoLocker. The database indicates the scale of the attack, and makes decryption of CryptoLocked files possible.

In August 2014, security firms involved in the shutdown, Fox-IT and FireEye, created a portal, called Decrypt Cryptolocker, which allows any of the 500,000 victims to find the key to unlock their files. Victims need to submit an encrypted file that contains no sensitive information, which allows the unlockers to deduce which encryption key was used. Not all CryptoLocked files may be recoverable, and files encrypted by other ransomware cannot be decrypted this way.

FireEye has over 2,200 customers across more than 60 countries, including over 130 of the Fortune 500.
