Decrypting Cryptolocker infected files

This article explains how to recover files encrypted by the CryptoLocker malware. Tools are available, but they recover a single file at a time rather than batches; this is a script that can do a directory at a time. I manually check each directory as I complete decryption.

The virus claims to use a different key for every file, but it does not: it sometimes changes key within the same file type, and mostly when switching file types, though not always. So for 500 files, 400 of which were images, I found that all images had been encrypted with the same key, and all PDF files with another. ODT files (OpenOffice documents) had been encrypted with two different keys, even within the same directory. This may reflect two or three separate runs of the virus, or the virus changing keys based on some internal algorithm.

I include the batch file below (replace the key with your own; the key shown will not be the one you need). The key for any given file can be obtained using the excellent service here: DecryptCryptolocker.com

The script below expects the following:

  • The Decryptolocker executable in a folder on C: called TEMPDecrypt (c:\TEMPDecrypt\Decryptolocker.exe)
  • A file called "yes.txt" in the same folder containing only the string "yes" (it is redirected to the tool's standard input)
  • The script to be run from inside the directory holding the files to be decrypted with this key (replace the key below with the one obtained above, and run the script again for each further key)

Note the following behaviour:

  • Any file not encrypted will be ignored
  • Any file not encrypted with THIS key will be ignored (you will probably need a few different keys)

This will immediately delete the backup copy of every file it decrypts. While I've never seen this technique damage a file, DO NOT WORK ON THE ONLY COPY of anything, ever.

The results will appear on the command-line output, one line per file, on standard error (stream 2); standard output (stream 1) carries a huge amount of EULA text and is discarded with 1>NUL.

Any file successfully decrypted is replaced in place with a decrypted copy, and a file called ORIGINALNAME.bak is created alongside it; this backup can be deleted, and the script does so automatically.

@echo off
REM Run from inside the directory to be recovered; one key per run.
REM Stdout (the EULA text) goes to NUL; the per-file result is printed on stderr.
for %%f in ("*") do (
    c:\TEMPDecrypt\Decryptolocker.exe --key "-----BEGIN RSA PRIVATE KEY----- MIIEpgIBAAKCAQEArcOq4EVZ2F2SCjAeCiF0OKNbgwvKAayBZXoOFeJ8M65BBftH Qcq/ZsU+Ogu3n20KBaxlST1IECRhFi5D17Sk9pq5sUuGbSDHaUCScm2l67/zMkY8 77D48VeX7b7TwJNAmN28ZjYOX7aaiRoao4Atb6c5+iTllshZcoIUjL8SS5aZNX0v V20oEyH5xmAEc9zmmoNAbjHzrDkYS+y4+m5NVyaQdobmS+dDdOnYk5yztaXoX+0F pRHYiUlcBAZCLYk6lyNeAN2dofE8Qmbrmhsa7l22E/DxosI1s/ok1OXPPYqTQ0ED SgpVDUiIDxXrdJ9BeMYTAwNsb5T3a2pX8wyspQIDAQABAoIBAQCB6mRMr60/5p20 vksHWgHSAtj9voe2/qn0G/CCDka8QRFejoO1Pggip2Ah9/a+3MB8g2tq+cVyRDDO a6LPmMEpm38wfn4wAyz0lZGoujAudeI3eWo/7zoA/3OZDm61caL/Z/FfHhVbHGSo EvtNuRy/ePERBBsfxAWUZotEu+rK1b8RLPxmfu+4IHFkvauPQmc9wVVhr4Kgsghc VVcdC/E5j3fbmxztI0v6yUGJbVqAjo896LL3QSAY6vYc0NzrsTyiM4QPouqRrDsw XwMZDu3D6Tx61qjFHpEl7ce149ONxGRn3Go/mesrMlpFHTbLol2muF1z8q+PZcRK J5SsZre1AoGBAOCDRBshZ3A25AQo7t7fksnqyTDn0AuAhkpoxfDaJnW8Qm03Pcw1 L1Jt7vCfFXiGmcc+CK6JXfPrr6N1rikWqQaD+fYbZ4OktR/eUrWQ2FVkyceMAKKP 94LKw0q8b6pViyTIdRUu7WF+vS0WcWvfelf7waNn2R2Pmr8qTGnub26nAoGBAMYi Xl/UThE6CdIKLmFOpVS1feNkhbxNzRlu3S42csQdWy2MutqxMr66yeB0TojDp81z 6x4CQ3/qobGJC+i6Q4bJ0sPWhjqRE4WQa0bKhL0BqPQYRc5ki2VxfN+1X80tTA9P 9LJyN3j/ZJYfJ+BlKSB3YUFXNqQGYw7hlfnox9/TAoGBAK52csMeZxH1JaTx5gV8 +MU9VJBTYwC9JB3IYyCxdLeCzp+uELCSF67XTJjhFj8tYWxJkVeH2WGFoVvFQ8wc FsbAYcpUK1FJ+ZHFIsKCxwk8o+wTqB6q/yw8whteaOuVQ+YWe501dTOQ2BKkYQjx hVG/ig6f0UC+agLpLK4YobD7AoGBAKtVTQbRMDD1X0iiRTkgKRf3WcUpR/xtys4T cHBl5Rhxyka5S1uRn7APFkNiUAc0KgcgFlD85CHZY7mCKSo25+3G2NtAxxIeIiN9 n0a4GdDXfqKV2sd/aotud+17ijyCzyLuoUsuOYoIT5MBnhoNYGMS2KcII9fzLfXQ XUCeazjBAoGBAK249Ekh2US5r0c7Zwjsq/mASPbHIwdNzx2Yix+YuZfAHJHsQioO DD/7mdsYc5TdvpQzAz3GLk0L29/TNEKaDbu84AhrGOW9T0184Xtu7Bzdtp3WmOIE 5rQyU+m300JKFDTKLKHmF/Iz+kSi0Yac20eQ5mZDqcL09kf5WnR8rlfp -----END RSA PRIVATE KEY-----" "%%f" <c:\TEMPDecrypt\yes.txt 1>NUL
    REM The tool leaves ORIGINALNAME.bak beside each file it rewrote; drop it.
    if exist "%%f.bak" (
        del "%%f.bak"
    )
)
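The batch script above handles one key per run and deletes every .bak the moment it appears. Because the article notes that a directory usually needs several keys and that you must never work on the only copy, a driver that tries all candidate keys per file and keeps the backup until the output has been checked is a natural extension. The Python below is an added example written for this page, not the article's own script: it calls the tool with the same `--key "<pem>" "<file>" < yes.txt` form the batch file uses (the c:\TEMPDecrypt paths are assumed from the article), treats a freshly created `<file>.bak` as the tool's signal that it rewrote a file (an assumption based on the behaviour described), verifies PDF/PNG/ODT results by their leading bytes, and tries the key that last worked for an extension first, following the observation that keys tend to follow file type. The `_toy_lock`/`_toy_decrypt` functions and the `SAMPLES` files are constructed stand-ins so the driver can be exercised without the real tool; `recover_directory(path, keys)` with the default `decrypt` is the real invocation.

```python
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

DECRYPTOLOCKER_EXE = r"c:\TEMPDecrypt\Decryptolocker.exe"  # layout from the article (assumed)
YES_FILE = r"c:\TEMPDecrypt\yes.txt"

# Leading bytes a correctly decrypted file of each type must start with.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n",
         ".odt": b"PK\x03\x04"}  # OpenDocument files are ZIP containers


def looks_decrypted(path: Path) -> Optional[bool]:
    """True/False for a known extension, None when there is no signature to check."""
    sig = MAGIC.get(path.suffix.lower())
    if sig is None:
        return None
    with open(path, "rb") as fh:
        return fh.read(len(sig)) == sig


def run_decryptolocker(key: str, path: Path) -> bool:
    """Invoke the tool as the batch script does: --key "<pem>" "<file>" < yes.txt.
    Assumption: the tool rewrote the file exactly when it left <file>.bak behind."""
    with open(YES_FILE, "rb") as yes:
        subprocess.run([DECRYPTOLOCKER_EXE, "--key", key, str(path)],
                       stdin=yes, stdout=subprocess.DEVNULL, check=False)
    return Path(str(path) + ".bak").exists()


def recover_directory(directory: str, keys: List[str],
                      decrypt: Callable[[str, Path], bool] = run_decryptolocker) -> Dict[str, str]:
    """Try each candidate key on every file in `directory` (non-recursive).  The key
    that last worked for an extension is tried first, since keys tend to follow file
    type; the .bak copy is deleted only when the result passes the signature check."""
    key_by_ext: Dict[str, str] = {}
    report: Dict[str, str] = {}
    files = sorted(p for p in Path(directory).iterdir() if p.is_file() and p.suffix != ".bak")
    for path in files:
        ext, status = path.suffix.lower(), "untouched"
        first = key_by_ext.get(ext)
        for key in ([first] if first else []) + [k for k in keys if k != first]:
            if not decrypt(key, path):
                continue  # tool ignored this file under this key (wrong key or not encrypted)
            bak = Path(str(path) + ".bak")
            verdict = looks_decrypted(path)
            if verdict is False:  # rewritten but wrong: put the original back, try next key
                bak.replace(path)
                continue
            key_by_ext[ext] = key
            if verdict:
                bak.unlink()  # verified, so the backup can go
                status = "decrypted"
            else:
                status = "decrypted-unverified"  # unknown type: keep .bak for a manual check
            break
        report[path.name] = status
    return report


# --- constructed stand-in for the real tool so the driver can run offline ---
def _toy_lock(plain: bytes, key: str) -> bytes:
    """Fake 'encryption' (demo only): b'LOCKED:<key>:' + XOR(plain, key[0])."""
    k = key.encode()[0]
    return b"LOCKED:" + key.encode() + b":" + bytes(b ^ k for b in plain)


def _toy_decrypt(key: str, path: Path) -> bool:
    """Mimics the described tool: wrong key or unlocked file -> ignored; otherwise
    write <file>.bak and replace the file with the plaintext."""
    data = path.read_bytes()
    prefix = b"LOCKED:" + key.encode() + b":"
    if not data.startswith(prefix):
        return False
    k = key.encode()[0]
    Path(str(path) + ".bak").write_bytes(data)
    path.write_bytes(bytes(b ^ k for b in data[len(prefix):]))
    return True


SAMPLES = {  # constructed files: name -> (plaintext, key used to lock it, or None)
    "a.pdf": (b"%PDF-1.4 sample", "keyA"),
    "b.png": (b"\x89PNG\r\n\x1a\nsample", "keyB"),
    "c.odt": (b"PK\x03\x04sample", "keyA"),
    "d.txt": (b"plain notes", "keyB"),
    "e.pdf": (b"%PDF-1.4 never locked", None),
    "f.pdf": (b"%PDF-1.4 other run", "keyZ"),  # locked with a key we do not hold
}


def demo() -> Tuple[Dict[str, str], bool]:
    """Build the sample directory, recover with keys A and B, and check that every
    file marked decrypted equals its plaintext and that the only backup kept is
    the one for the unverifiable d.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, (plain, key) in SAMPLES.items():
            Path(tmp, name).write_bytes(_toy_lock(plain, key) if key else plain)
        report = recover_directory(tmp, ["keyA", "keyB"], decrypt=_toy_decrypt)
        restored = all(Path(tmp, n).read_bytes() == SAMPLES[n][0]
                       for n, s in report.items() if s.startswith("decrypted"))
        baks = sorted(p.name for p in Path(tmp).glob("*.bak"))
    return report, restored and baks == ["d.txt.bak"]
```

The signature check is deliberately conservative: a type it does not know (d.txt in the sample) is reported as decrypted-unverified and its .bak is left in place for the manual check the article describes, and a file that was rewritten but does not start with the expected bytes is restored from its backup before the next key is tried. Extend `MAGIC` with the types in your own directories before relying on automatic backup removal.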


References: FireEye's writeup of this virus
