Last year was a busy one on the IT security front. Between Heartbleed, Shellshock, POODLE, botnets, and keyloggers, I’m sure that everyone in the IT field has been kept on their toes. Keeping malware off your network has always been a big challenge, yet the most difficult one to recover from has been CryptoLocker, and if you were hit with it, you’re already well aware of that fact. You may remember me talking about it here previously. When I originally wrote that article, the only way to recover the encrypted files was to have a secure backup to restore from. For anyone who was infected and didn’t have a good backup of all their files, there is good news this year!

The US Department of Justice, in coordination with law enforcement around the world, was able to organize a massive takedown of the Gameover Zeus botnet and obtain the private encryption keys the attackers used to encrypt files. What’s more, the good people over at FireEye and Fox-IT have released a website that sends you the decryption key after analyzing an encrypted file. They have also provided a free tool to help you decrypt your files.

After downloading and using the tool I realized it doesn’t come with much in the way of documentation, so I’m here to help. First, let’s document the different switches and what they do.

  -h, --help      Show this help message and exit
  --key RAWKEY    Raw key needed for decryption
  --find          Show files encrypted by CryptoLocker
  -r              Recursively search subdirectories
  -v              Verbose output
  -o DESTDIR      Copy all decrypted files to an output directory,
                  mirroring the source path
  --csv CSVFILE   Output to a CSV file

To decrypt your files, first you need to go to https://www.decryptcryptolocker.com/ and submit an infected file.
Once you submit the file along with your e-mail address you simply wait for them to e-mail you the decryption key.
Next, download their decryptolocker.exe recovery program from the same page.
When the download is complete I would suggest copying and pasting decryptolocker.exe into a temporary directory like c:\temp so that it will be easier to run from the command line.

To test decryption on your first file:

  • Open a command prompt
  • Navigate to the folder that you have the decryptolocker.exe file in
  • Run the following command
  • Decryptolocker.exe --key "<decryption key>" "<path to encrypted file>"

Example: C:\temp\Decryptolocker.exe --key "-----BEGIN RSA PRIVATE KEY----- MI…m0Q== -----END RSA PRIVATE KEY----- " "C:\Documents\Mydoc.docx"

This command makes a backup copy of the encrypted file and then attempts to decrypt it so that you can open it. If it works, you can rerun the command for any other files that may be encrypted.

The tool also has a way to scan a folder or drive and return a list of potentially encrypted files. One note: the scan doesn’t work well on a network drive, so you should run it on the server where the files are actually stored. That command looks like this:

Decryptolocker.exe --find -r "C:\Documents" --csv "C:\Documents\encryptedfiles.csv"

The -r switch is recursive and tells it to scan all subfolders of the root directory you specify, and the --csv switch writes you a nice list of all the encrypted files it finds. Once you have a list of potentially encrypted files, you can create a batch file or script to automate the process. If you are not able to decrypt some of the files with the key you received, they may have been encrypted with a different key. In that case you need to submit the file(s) that didn’t work with the first key to the website above and get new key(s).
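Here is one way to do that automation, as an added PowerShell example that is not part of the original post or of the FireEye/Fox-IT tool. It assumes the first column of the --find CSV holds each file’s full path and that Decryptolocker.exe returns a non-zero exit code when a file does not decrypt; neither is documented by the tool, so check both on a single file before running it over the whole list.

```powershell
# Added example, not the tool's own code. Runs Decryptolocker.exe over the
# CSV produced by "--find -r ... --csv" and writes a second CSV of the files
# that did not decrypt, so those can be resubmitted for a different key.
#
# Assumptions (undocumented by the tool): the first CSV column is the full
# path of each encrypted file, and a failed decrypt gives a non-zero exit code.
param(
    [string]$Tool    = 'C:\temp\Decryptolocker.exe',
    [string]$KeyFile = 'C:\temp\rawkey.txt',               # PEM key you were e-mailed
    [string]$CsvFile = 'C:\Documents\encryptedfiles.csv',  # output of --find --csv
    [string]$Failed  = 'C:\temp\not_decrypted.csv'         # files needing another key
)

# Keep the private key in a file rather than typing it on the command line,
# so it does not end up in the console history. The tool's documented example
# passes the PEM as one line, so newlines are collapsed to spaces here.
$key = ((Get-Content -Path $KeyFile -Raw).Trim()) -replace "`r?`n", ' '

# Take the column name from the CSV header line (first column assumed = path).
$pathColumn = ((Get-Content -Path $CsvFile -TotalCount 1) -split ',')[0].Trim('"')
$rows       = Import-Csv -Path $CsvFile

$results = foreach ($row in $rows) {
    $file = $row.$pathColumn
    if (-not (Test-Path -LiteralPath $file)) { continue }   # moved or already restored

    # Same invocation as the single-file example above, once per listed file.
    & $Tool --key $key $file | Out-Null
    [pscustomobject]@{ Path = $file; Decrypted = ($LASTEXITCODE -eq 0) }
}

$failed = @($results | Where-Object { -not $_.Decrypted })
$failed | Export-Csv -Path $Failed -NoTypeInformation

"Decrypted: $(@($results | Where-Object { $_.Decrypted }).Count)"
"Still encrypted (probably a different key; resubmit these): $($failed.Count)"
```

Run it once per key you receive, pointing -CsvFile at the previous run’s not_decrypted.csv each time, until the failed list is empty.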

If you have thousands of files that have been encrypted with multiple keys, getting them all back can be a daunting task. Happily Par3.IT has extensive scripting experience and we have been able to automate much of the process. Contact us using the form below for more information, or call us to see how we can help.

