In June, “Operation Tovar,” a coordinated global law enforcement and private collaboration, was able to take control of the Gameover ZeuS botnet. Gameover was reportedly in control of up to 1 million Windows machines and was often used to transmit CryptoLocker. As part of this takedown, a massive database of CryptoLocker encryption keys was captured. Last week, FireEye and Fox-IT made it possible to easily decrypt files that were encrypted with those captured encryption keys.
Until recently, the advice for anyone with files encrypted by CryptoLocker and related ransomware was to recover from backups.
Now the FireEye / Fox-IT creation “DecryptoLocker” allows users to upload a sample file and, in return, get the matching key to decrypt it. User data is not kept or decrypted by the DecryptoLocker site. Instead, users can download the DecryptLocker application and run it on their local system to decrypt files Update (2017-06-02) The DecryptLocker project is no longer active, but more tools are now available. To try and detect the specific strain of ransomware you have fallen victim to you can upload samples to the No More Ransom – Crypto Sheriff (https://www.nomoreransom.org/crypto-sheriff.php) tool. The same site’s Decryption Tools (https://www.nomoreransom.org/decryption-tools.html) page has a large collection of links to decryption tools specific to strains of ransomware that can be decrypted at this time.
Only files encrypted by encryption keys that have been recovered or encrypted weakly can be decrypted, so
CryptoLocker and similar ransomware controlled by hackers that have yet to be taken down will still not be decryptable.
For more on Operation Tovar see http://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-botnet-cryptolocker-scourge
FireEye has more information on DecryptoLocker here: http://www.fireeye.com/blog/corporate/2014/08/your-locker-of-information-for-cryptolocker-decryption.html
Paul Hirsch is a Senior Network Engineer for Citon Computer Corp. Have questions? Call 218.740.2826.