Ransomware is a particularly nasty piece of malware that takes infected machines hostage. According to a recent FireEye blog on the takeover of CryptoLocker's infrastructure, Operation Tovar, CryptoLocker garnered multi-millions in ransom payments in the first two months of its distribution.
Operation Tovar helped tear down the infrastructure used by the attackers, but users are still being infected with ransomware in many cases. After the success of Operation Tovar, few resources were available to help decrypt files that could only be unlocked with the attacker's private key.
While not particularly innovative, CryptoLocker was successful because it encrypts the files on the computers it infects and then demands a ransom for the private key needed to decrypt them. The harsh reality is that not many people back up their data, and in some cases the backups themselves were encrypted because they were mounted on an infected machine. As a result, many victims felt helpless and paid the ransom, typically around $300. A simple description of the way CryptoLocker works follows:
1. CryptoLocker arrives on a victim's machine through a variety of techniques, such as spear-phishing emails or watering-hole attacks.
2. CryptoLocker then connects to a randomly generated domain (produced by a domain generation algorithm, DGA) to download a specific RSA public key.
3. At that point, an AES-256 key is created for each file on the system.
4. CryptoLocker then encrypts all of the supported files using the key generated in step 3.
5. The generated key is then encrypted with the RSA public key downloaded in step 2.
6. Finally, the encrypted AES key is written to the beginning of each encrypted file, so the attacker's RSA private key is required to decrypt it.
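As an added illustration (not code from the FireEye post or from the Decryptolocker tool), this Go program models the file layout described in steps 3 to 6: a fresh AES-256 key per file, wrapped with the RSA public key and stored in front of the ciphertext, together with the recovery step that only succeeds with the matching private key. RSA-OAEP, AES-GCM and the exact header layout are assumptions for the example; the page does not state the malware's padding, cipher mode or byte layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Constructed file layout: [2-byte length][RSA-wrapped AES key][12-byte nonce][AES-256-GCM body].
// sealFile models steps 3 to 6 above: a fresh AES-256 key per file, wrapped with
// the RSA public key and written in front of the ciphertext.
func sealFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32) // 32 bytes selects AES-256
	rand.Read(fileKey)          // crypto/rand: a new random key for every file
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(fileKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	hdr := make([]byte, 2)
	binary.BigEndian.PutUint16(hdr, uint16(len(wrapped)))
	out := append(append(hdr, wrapped...), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// openFile is what a recovery tool does once the private key is known: unwrap the
// per-file AES key from the header, then decrypt the body. A wrong private key fails here.
func openFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 || len(blob) < 2+int(binary.BigEndian.Uint16(blob))+12 {
		return nil, errors.New("truncated file")
	}
	n := 2 + int(binary.BigEndian.Uint16(blob)) // end of the wrapped key
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[2:n], nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, blob[n:n+12], blob[n+12:], nil)
}
```

The header carries only the RSA-wrapped key, so without the private key nothing about the body can be recovered, which is exactly why a leaked or recovered private key (as in the service described below) is the only practical way back to the plaintext.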
Not all CryptoLocker variants are created equal. Several copycats and hybrid versions of CryptoLocker exist, ranging from programs like CryptoDefense, PowerLocker, TorLocker and CryptorBit to unnamed variants with modified functionality, such as using Yahoo Messenger as a propagation technique.
FireEye and Fox IT have created a webpage, https://www.decryptcryptolocker.com [Note: this site no longer exists. As an alternative, try: https://noransom.kaspersky.com/], where a user can upload an encrypted CryptoLocker file. Based on this upload, the user will be provided with the option to download a private key that should decrypt their affected files. The site also provides instructions on how to apply this key to the files encrypted by CryptoLocker to decrypt those files.
To use the site, simply upload an encrypted file that contains no confidential information. (Please keep in mind that we will not permanently store, view, or modify your file in any fashion.) Enter your email address to ensure the private key associated with the file is sent to the correct individual, and enter the correct number or phrase in the Captcha field.
Figure 2: Screenshot of https://www.DecryptCryptoLocker.com
After clicking “Decrypt It!”, you will be presented with instructions to download the Decryptolocker.exe tool from https://www.decryptCryptoLocker.com (Figure 3). In addition, your private key will be sent to the email address specified.