Decrypt Cryptolocker Assistance Site

Nightfall
My Goal Is To Deny Yours
MVM
join:2001-08-03
Grand Rapids, MI

»decryptcryptolocker.com/

I know many have been hit with this nasty ransomware. If you know someone who has been hit, have them go to this site and upload one of the encrypted files. They will then give them a key so they can get their files back.

I haven't tried it out yet, but I saw a similar discussion on another forum about this tool. Apparently, some people who got hit with this are able to get their stuff back.
lorennerol
Premium Member
join:2003-10-29
Seattle, WA

I was able to recover the key for a person who'd had thousands of (not backed up) family photos get locked up. I've tested the recovery program on one image and am now making a backup of the data before running the recovery in the recursive mode that runs through all the subdirectories and decrypts the files en masse.

Nightfall
MVM

Great news!

Spread the word everyone.
bennor
Premium Member
join:2006-07-22
New Haven, CT

to Nightfall
Previous thread discussion with links to articles that discuss the decryptcryptolocker.com service.

Decryptolocker service to unlock Cryptolocker hijacked files

Cryptolocker deviation attacks Synology NAS devices

Password available for cryptolocker victims - via bbc aug 6

Hopeful
Anon
@91.84.207.x

to lorennerol
Well done managing to decrypt a file. Unfortunately I'm one of those who have received a decryption key but not yet succeeded in getting the command to accept it.

The instructions say to use the command "Decryptolocker.exe –key “” "

I am struggling to understand how to get the right data from the e-mail into this command. How did you extract the RSA private key from the e-mail? Did you save it to a file? Any particular file structure or name? How did you get the extracted key into the decryption command?

Thanks in advance
lorennerol
Premium Member

Here is a sample command line that works:

Decryptolocker.exe --key "-----BEGIN RSA PRIVATE KEY----- MIIEpgIBAAKCArestofkeyhere4Q/s/+lo -----END RSA PRIVATE KEY----- " "C:\pathtofile\image.jpg"
 

(I've removed most of the key for privacy and clarity)

Among other things:

- Two hyphens before key are required (--key)
- You must include the hyphens at the start of the key AND the BEGIN RSA PRIVATE KEY statement, as well as the end statement and dashes.
- The key I got included a trailing space. Spaces are valid in these keys, so don't omit them.

There is a primer here:

»www.fireeye.com/blog/cor ··· ion.html

It includes the switches to run it through a directory (and optionally subdirectories) recursively.

After successfully decrypting one file, I made a backup of the entire affected disk. This took most of the night and I've not gone back to run the recursive decryption on the entire disk yet. I would not do this without a backup.

Hopeful
Anon
@91.84.198.x

Thank you. It now works.

I have been trying to interpret the web page "Your Locker of Information for CryptoLocker Decryption" which you mentioned. Looking at the comments at the bottom of the instructions web page it looks like I have not been alone - I was getting exactly the same error message as reported there. In particular I was having trouble interpreting "select the key and utilize it". I now understand that

"select" means what you would expect it to mean - highlight the key "-----BEGIN RSA PRIVATE KEY----- ........ -----END RSA PRIVATE KEY----- " and copy it. I found the web page of instructions a little confusing in that it appeared to me to select some but not all of the key.

"utilize" means paste what you have just copied into the relevant part of the command string. This makes a very long command string (but that's OK).

Then it works.

For me there was another point which I needed to understand. My e-mail client (Thunderbird) displays the received key as a series of separate lines of characters. I assumed that at the end of each line of characters there was CR/LF as is common with keys in this format. Bad assumption! In fact there is just a space after each 64 characters. The key is a single long line of characters. Thunderbird was making a new line at most but not all of the space characters. In some cases it made a new line at other apparently random places. If you try to tidy up the lines by adding CR/LF at the end of a line then the decryption process no longer works.

Now that I understand the process I have found it helpful to create a batch file thus:

Decryptolocker.exe --key "-----BEGIN RSA PRIVATE KEY----- ........ -----END RSA PRIVATE KEY----- " %1 %2

where ........ is the private key from the e-mail. If the batch file is then called (for instance) decrypt.bat then the decryption command line becomes

decrypt.bat "C:\pathtofile\image.jpg"

Decrypting all of the files in a folder becomes

decrypt.bat "C:\FolderName\*"

and recursive decryption becomes

decrypt.bat -r C:\

etc.

Many thanks for your quick and helpful reply. Sorry if my response is a bit long. I hope together we can help the recovery process for others.
Hopeful
Anon

Sorry - It would probably have been helpful if I had included the error message which I was getting:

"Unsuccessful loading key : RSA key format is not supported"

I suspect this was caused by trying to tidy up the received private key.
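Added example, written for this thread; it is not code from the posts above and not part of Decryptolocker.exe or its documentation. It takes the key text exactly as a mail client shows it, strips every line break and space the client inserted, rebuilds the one-line form with a space after every 64 characters and the trailing space that the two posts above report working, parses the result as a PKCS#1 RSAPrivateKey so a botched paste fails here instead of as "Unsuccessful loading key : RSA key format is not supported", and builds the argument list for Decryptolocker.exe with the --key and -r switches in the order used in the thread. Assumptions rather than facts from the page: that the key is a PKCS#1 block (the BEGIN RSA PRIVATE KEY marker suggests it, but the tool's actual parser is not documented here), the 64-character spacing rule, the executable name and switch order. The sample key is constructed from two small Mersenne primes so the script runs offline; it is a toy, not a real victim key, and as_mail_client_shows_it is an invented rendering of the Thunderbird wrapping Hopeful describes, not captured e-mail.

```python
"""Rebuild and sanity-check a CryptoLocker RSA private key pasted from e-mail.

Constructed example for this thread, not code from the posts or from
Decryptolocker.exe.  Assumed from the posts, not verified against the tool:
a PKCS#1 "BEGIN RSA PRIVATE KEY" block wanted on ONE line, a space after every
64 base64 characters and a trailing space.  The sample key below is a toy.
"""
import base64
import math
import re

HEADER = "-----BEGIN RSA PRIVATE KEY-----"
FOOTER = "-----END RSA PRIVATE KEY-----"
PEM_RE = re.compile(re.escape(HEADER) + r"(.*?)" + re.escape(FOOTER), re.S)


# --- just enough DER to write and read a PKCS#1 RSAPrivateKey ---------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps a 0x00 pad if top bit set
    return b"\x02" + der_len(len(body)) + body

def read_tlv(buf, pos):
    if pos + 1 >= len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key(der):
    """Return the nine PKCS#1 fields; refuse a key whose numbers do not fit together."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("unexpected DER tag 0x%02x" % tag)
        ints.append(int.from_bytes(val, "big"))
    if len(ints) != 9 or ints[0] != 0:
        raise ValueError("not a version-0 PKCS#1 RSAPrivateKey")
    key = dict(zip(("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"), ints))
    p1, q1 = key["p"] - 1, key["q"] - 1
    if key["p"] * key["q"] != key["n"] or key["e"] * key["d"] % (p1 * q1 // math.gcd(p1, q1)) != 1:
        raise ValueError("RSA parameters inconsistent: the pasted key is corrupt")
    return key

def normalise_key(pasted):
    """Turn whatever the mail client showed into the one-line, space-chunked form."""
    m = PEM_RE.search(pasted)
    if not m:
        raise ValueError("BEGIN/END RSA PRIVATE KEY markers missing")
    b64 = re.sub(r"\s+", "", m.group(1))          # drop every space/CR/LF, wherever it landed
    if len(b64) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        raise ValueError("key body is not valid base64")
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return HEADER + " " + " ".join(chunks) + " " + FOOTER + " "

def check_key(key_line):
    """Parse the normalised line so a mangled paste fails here, not inside the tool."""
    return parse_rsa_private_key(base64.b64decode(PEM_RE.search(key_line).group(1).replace(" ", "")))

def build_command(key_line, target, recursive=False, exe="Decryptolocker.exe"):
    """argv for subprocess.run(): the list form lets Python quote the space-filled key."""
    return [exe, "--key", key_line] + (["-r"] if recursive else []) + [target]

def toy_key_line():
    """Constructed PKCS#1 key from small primes (NOT a real key), already normalised."""
    p, q, e = 2 ** 31 - 1, 2 ** 61 - 1, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    fields = (0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    body = b"".join(der_int(v) for v in fields)
    der = b"\x30" + der_len(len(body)) + body
    return normalise_key(HEADER + base64.b64encode(der).decode() + FOOTER)

def as_mail_client_shows_it(key_line):
    """Constructed rendering: a break at some spaces, none at others, one mid-chunk."""
    chunks = PEM_RE.search(key_line).group(1).split()
    first = chunks[0][:37] + "\r\n" + chunks[0][37:]
    return HEADER + "\r\n" + first + "\r\n" + "\n".join(chunks[1:]) + "\r\n" + FOOTER

if __name__ == "__main__":
    canonical = toy_key_line()
    fixed = normalise_key(as_mail_client_shows_it(canonical))
    print("re-assembled line matches:", fixed == canonical)
    print("modulus bits:", check_key(fixed)["n"].bit_length())
    print(build_command(fixed, "D:\\", recursive=True))
```

To use it on a real case, paste the key as received (line breaks and all) in place of the toy, call normalise_key on it, and drop the returned line into the batch file from the post above; check_key on that line is the pre-flight test that the "RSA key format is not supported" error suggests the tool does not explain. build_command returns a list rather than a string deliberately: handing it to subprocess.run means the quoting of the long, space-filled key argument is done for you, which is exactly the step that tripped people up at the cmd prompt.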
lorennerol
Premium Member

said by Hopeful:

I suspect this was caused by trying to tidy up the received private key.

Yes, and I did the same thing. They could have helped us out by giving a real example.
lorennerol
Premium Member

to Nightfall
Just a quick post to add that, after making a backup, I ran the tool in recursive mode against a 2TB external drive with over 1TB of data. It took most of the night but it decrypted thousands of files. The command for this would be:

Decryptolocker.exe --key "-----BEGIN RSA PRIVATE KEY----- MIIEpgIBAAKCArestofkeyhere4Q/s/+lo -----END RSA PRIVATE KEY----- " -r d:\
 

(Change the drive letter to match the drive being decrypted. In my case it was external drive D)
Jrb2
Premium Member
join:2001-08-31

to Nightfall
About the site »decryptcryptolocker.com/

Are there folks here still on Windows XP using IE-8?
If so, do you get a certificate warning from IE-8 (on XP) when going to that site? And if so, which warning (do you have a screenshot, maybe)? And, still on XP using IE-8, which company signed the certificate according to the info given by IE-8 on your XP?

Hopeful
Anon
@91.84.198.x

[Screenshot: Decryptcryptolocker site certificate]
The site's certificate seems OK as far as Firefox is concerned. It's apparently signed by Verisign - see the attached screenshot.