Nightfall (My Goal Is To Deny Yours) MVM join:2001-08-03 Grand Rapids, MI
1 recommendation
Decrypt Cryptolocker Assistance Site » decryptcryptolocker.com/
I know many have been hit with this nasty ransomware. If you know someone who has been hit, have them go to this site and upload one of the encrypted files. They will then give them a key so they can get their files back. I haven't tried it out yet, but I saw a similar discussion on another forum about this tool. Apparently, some people who got hit with this are able to get their stuff back.
lorennerol Premium Member join:2003-10-29 Seattle, WA
1 recommendation
I was able to recover the key for a person who'd had thousands of (not backed up) family photos get locked up. I've tested the recovery program on one image and am now making a backup of the data before running the recovery in the recursive mode that runs through all the subdirectories and decrypts the files en masse.
Nightfall (My Goal Is To Deny Yours) MVM join:2001-08-03 Grand Rapids, MI
Great news! Spread the word everyone.
bennor Premium Member join:2006-07-22 New Haven, CT 1 edit
to lorennerol
Well done managing to decrypt a file. Unfortunately I'm one of those who have received a decryption key but not yet succeeded in getting the command to accept it.
The instructions say to use the command "Decryptolocker.exe key "
I am struggling to understand how to get the right data from the e-mail into this command. How did you extract the RSA private key from the e-mail? Did you save it to a file? Any particular file structure or name? How did you get the extracted key into the decryption command?
Thanks in advance
lorennerol Premium Member join:2003-10-29 Seattle, WA
1 recommendation
Here is a sample command line that works:
Decryptolocker.exe --key "-----BEGIN RSA PRIVATE KEY----- MIIEpgIBAAKCArestofkeyhere4Q/s/+lo -----END RSA PRIVATE KEY----- " "C:\pathtofile\image.jpg"
(I've removed most of the key for privacy and clarity)
Among other things:
- Two hyphens before key are required (--key)
- You must include the hyphens at the start of the key AND the BEGIN RSA PRIVATE KEY statement, as well as the end statement and dashes.
- The key I got included a trailing space. Spaces are valid in these keys, so don't omit them.
There is a primer here: » www.fireeye.com/blog/cor ··· ion.html
It includes the switches to run it through a directory (and optionally subdirectories) recursively. After successfully decrypting one file, I made a backup of the entire affected disk. This took most of the night and I've not gone back to run the recursive decryption on the entire disk yet. I would not do this without a backup.
Hopeful
Anon
2014-Aug-12 8:12 pm
Thank you. It now works.
I have been trying to interpret the web page "Your Locker of Information for CryptoLocker Decryption" which you mentioned. Looking at the comments at the bottom of the instructions web page it looks like I have not been alone - I was getting exactly the same error message as reported there. In particular I was having trouble interpreting "select the key and utilize it". I now understand that
"select" means what you would expect it to mean - highlight the key "-----BEGIN RSA PRIVATE KEY----- ........ -----END RSA PRIVATE KEY----- " and copy it. I found the web page of instructions a little confusing in that it appeared to me to select some but not all of the key.
"utilize" means paste what you have just copied into the relevant part of the command string. This makes a very long command string (but that's OK).
Then it works.
For me there was another point which I needed to understand. My e-mail client (Thunderbird) displays the received key as a series of separate lines of characters. I assumed that at the end of each line of characters there was CR/LF as is common with keys in this format. Bad assumption! In fact there is just a space after each 64 characters. The key is a single long line of characters. Thunderbird was making a new line at most but not all of the space characters. In some cases it made a new line at other apparently random places. If you try to tidy up the lines by adding CR/LF at the end of a line then the decryption process no longer works.
Now that I understand the process I have found it helpful to create a batch file thus:
Decryptolocker.exe --key "-----BEGIN RSA PRIVATE KEY----- ........ -----END RSA PRIVATE KEY----- " %1 %2
where ........ is the private key from the e-mail. If the batch file is then called (for instance) decrypt.bat then the decryption command line becomes
decrypt.bat "C:\pathtofile\image.jpg"
Decrypting all of the files in a folder becomes
decrypt.bat "C:\FolderName\*"
and recursive decryption becomes
decrypt.bat -r C:\
etc.
Many thanks for your quick and helpful reply. Sorry if my response is a bit long. I hope together we can help the recovery process for others.
Hopeful
Anon
2014-Aug-12 8:18 pm
Sorry - It would probably have been helpful if I had included the error message which I was getting:
"Unsuccessful loading key : RSA key format is not supported"
I suspect this was caused by trying to tidy up the received private key.
lorennerol Premium Member join:2003-10-29 Seattle, WA
said by Hopeful: "I suspect this was caused by trying to tidy up the received private key."
Yes, and I did the same thing. They could have helped us out by giving a real example.
lorennerol
to Nightfall
Just a quick post to add that, after making a backup, I ran the tool in recursive mode against a 2TB external drive with over 1TB of data. It took most of the night but it decrypted thousands of files. The command for this would be: Decryptolocker.exe --key "-----BEGIN RSA PRIVATE KEY----- MIIEpgIBAAKCArestofkeyhere4Q/s/+lo -----END RSA PRIVATE KEY----- " -r d:\
(Change the drive letter to match the drive being decrypted. In my case it was external drive D)
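The two samples above (lorennerol's single-file and recursive command lines, and Hopeful's note that the e-mailed key is one long line with a space after every 64 characters, which the mail client then wraps at arbitrary places) describe a key layout that is easy to damage by hand. The script below is an added example written for this thread; it is not code from any of the posters or from the Decryptolocker tool. It takes the key as copied out of the mail client, strips every line break the client inserted, checks that the base64 body still decodes to one well-formed DER SEQUENCE (a lost or altered character shows up here, before the tool rejects the key), and re-emits the single-line, space-separated layout the posts describe. The function names, the placeholder DER body (constructed for the example, not a real RSA key) and the constructed "mangled" copy are all assumptions of this example; the command-line shape is the one posted above.

```python
"""Rebuild a Decryptolocker-style RSA key from a copy mangled by an e-mail client.

Added example for this thread, not code from the posters or the tool. Assumed
from the posts: the key is a single line, its base64 body is split into
64-character groups separated by single spaces, there is one space after the
BEGIN header and a trailing space after the END footer, and the tool is run as
    Decryptolocker.exe --key "<key>" <file>
    Decryptolocker.exe --key "<key>" -r <drive>
"""
import base64
import re

BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
END = "-----END RSA PRIVATE KEY-----"
_MARKERS = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.DOTALL)


def der_sequence_is_well_formed(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                            # short-form length
        length, offset = first, 2
    else:                                       # long-form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    return offset + length == len(der)


def format_key(der: bytes) -> str:
    """Emit the layout the thread describes: one line, 64-char groups, space-separated."""
    b64 = base64.b64encode(der).decode("ascii")
    groups = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"{BEGIN} {' '.join(groups)} {END} "


def normalize_key(raw: str) -> str:
    """Take the key as copied from the mail client (CR/LF in random places, possibly
    inside the header) and return the canonical single-line layout.
    Raises ValueError when characters were lost or altered in the copy."""
    flat = " ".join(raw.split())                # any whitespace run becomes one space
    m = _MARKERS.search(flat)
    if not m:
        raise ValueError("BEGIN/END RSA PRIVATE KEY markers not found")
    body = "".join(m.group(1).split())          # base64 body carries no whitespace at all
    if len(body) % 4 != 0:
        raise ValueError("base64 length is not a multiple of 4: characters lost in the copy?")
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:                   # binascii.Error is a ValueError subclass
        raise ValueError(f"body is not valid base64: {exc}") from None
    if not der_sequence_is_well_formed(der):
        raise ValueError("decoded key is not a single well-formed DER SEQUENCE")
    return format_key(der)


def build_command(key: str, target: str, recursive: bool = False,
                  exe: str = "Decryptolocker.exe") -> list:
    """Argument list in the shape posted in the thread; hand it to subprocess.run
    so the shell never sees (and never re-quotes) the very long key."""
    cmd = [exe, "--key", key]
    if recursive:
        cmd.append("-r")                        # -r <drive or folder>, as in the recursive sample
    cmd.append(target)
    return cmd


def constructed_sample_key() -> str:
    """Placeholder key for the example: a DER SEQUENCE of three INTEGERs. NOT a real RSA key."""
    inner = b"\x02\x01\x00" + b"\x02\x03\x01\x00\x01" + b"\x02\x64" + b"\x7f" * 100
    return format_key(b"\x30" + bytes([len(inner)]) + inner)


def constructed_mangled_copy(key: str) -> str:
    """Simulate the mail client: some separator spaces become CR/LF (here even inside
    the header) and one line break lands in the middle of a 64-character group."""
    broken = key.replace(" ", "\r\n", 3)
    cut = broken.index("KEY-----") + len("KEY-----") + 30
    return broken[:cut] + "\r\n" + broken[cut:]


if __name__ == "__main__":
    canonical = constructed_sample_key()
    restored = normalize_key(constructed_mangled_copy(canonical))
    print("restored == canonical:", restored == canonical)
    print(build_command(restored, r"d:\\", recursive=True)[:2], "... -r d:\\")
```

On the affected machine the returned list goes straight to `subprocess.run(cmd)`; the list form sidesteps the hand-quoting that a 1600-character key makes error-prone, while the DER check catches a key that was shortened or altered during the copy rather than merely wrapped.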
Jrb2 Premium Member join:2001-08-31
to Nightfall
About the site » decryptcryptolocker.com/
Are there folks here still on Windows XP using IE-8? If so, do you get a certificate warning from IE-8 (on XP) when going to that site? And if so, which warning (do you have a screenshot maybe?)? And, still on XP using IE-8, which company signed the certificate according to the info given by IE-8 on your XP?
Hopeful
Anon
2014-Aug-14 5:19 pm
Decryptcryptolocker site certificate
The site's certificate seems OK as far as Firefox is concerned. It's apparently signed by Verisign - see attached screen shot.