Original Cryptolocker Ransomware Support and Help Topic


3449 replies to this topic

#3091 AS985

AS985

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:35 AM

Posted 06 August 2014 - 10:24 AM

Can anyone advise how long it took to get an email reply after uploading your corrupted file?  Thanks.




#3092 codyrt

codyrt

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 06 August 2014 - 10:26 AM

Can anyone advise how long it took to get an email reply after uploading your corrupted file?  Thanks.

It took about 15 minutes before I got mine. I would assume that more and more people are trying this out so it may take longer.



#3093 AS985

AS985

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:35 AM

Posted 06 August 2014 - 10:28 AM

 

Can anyone advise how long it took to get an email reply after uploading your corrupted file?  Thanks.

It took about 15 minutes before I got mine. I would assume that more and more people are trying this out so it may take longer.

 

 

Got it.  Thank you.



#3094 codyrt

codyrt

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 06 August 2014 - 10:44 AM

Submit the EXE here:

 

http://www.bleepingcomputer.com/submit-malware.php

 

and I'll make a quicky application that is recursive.

I submitted the EXE.



#3095 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,271 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:35 AM

Posted 06 August 2014 - 10:44 AM

Now all we need is a way of running this command in bulk for all files within a certain directory.


Batch file will do it:

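@echo off
rem Run the decrypter on every file under the current directory and its subfolders.
rem Replace "key" with the key text you received; keep the BEGIN and END markers.
for /R %%i in (*) do Decryptolocker.exe --key "-----BEGIN RSA PRIVATE KEY----- key -----END RSA PRIVATE KEY-----" "%%i"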
Save the batch in your path. Open a command prompt and go to the root of the drive you wish to scan and run it.

#3096 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,271 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:35 AM

Posted 06 August 2014 - 10:47 AM

The decrypter can be found here as well:

https://www.decryptcryptolocker.com/Decryptolocker.exe

#3097 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,271 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:35 AM

Posted 06 August 2014 - 10:48 AM

I am not sure why they didn't make the program read the key from a file rather than having to add the key to the command line. Seems a little un-user-friendly.

#3098 vegasj

vegasj

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 06 August 2014 - 11:03 AM

In for a simple exe that one can run from a targeted drive.

 

Our network drives were hit a while back and not all files have been replaced.



#3099 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,271 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:35 AM

Posted 06 August 2014 - 11:08 AM

I can't get the damn thing to work for me, but it appears there is a recursive argument in the program.

optional arguments:
  -h, --help           show this help message and exit
  --key RAWKEY         Rawkey needed for decryption
  --find               Show files encrypted by Cryptolocker
  -r                   Recursively search subdirectories
  -v                   Verbose output
  -o DESTDIR           Copy all decrypted files to an output directory,
                       mirroring the source path
  --csv CSVFILE        Output to a CSV file


#3100 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,271 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:35 AM

Posted 06 August 2014 - 11:15 AM

Got it to work. Have to say I found it confusing. As stated you need to paste the whole key into the command line. You can also specify the -r command to make it search a directory recursively. If you do that, you need to specify the folder (not files) to search through recursively. For example, below is the command to recursively decrypt files in a folder:


Decryptolocker.exe -r --key "-----BEGIN RSA PRIVATE KEY----- VOOEpAOBAAcCAQEAuDqV0+5qoWG3uGOvXuV+tcQjWalJ9aHqrlafEyVUShn9U5B9 9LgPuYwSV5y9V98JOdOgH/tuyZ3sX+XUnQxA2J7PaeTShXVnoRw+3Yw+0dDUyXRB 5HJcXgc0Y3h8+zB4Vgax2x9Bp3VQSSYHQ3+wWJQLojHyhbGFevJnQcYc55ecZOyd VTnVo0SjlNjWU+Nj5CL87EVjVgfqC4TNEwVZ+nxtVoyPRCBOcZRJVNQr3nxcFyJq rPgeZVdBASXcbV08yN933L4d0oNBcYSvtWupcVRqYX/l95/ezoc8xqOVnWfWV3Pb OgL5Z0HUG9ZXfNEDFBaDTV8pnjTzEHxpzr5lLQODAQABAoOBAQCfvqPH4tTtCclg pSqEN5SaAO5SOrux5OuErjGTS3OdZHnOCuNc3ncsH3xG3Jt02+V0Qn5eHgwLoZ3A La35WtVju9cH7lUpTbqvtalLo8VY9eZ8pGU3bOJhE8Qsof55ZarjXfC8Vxa32L58 HxBvU/oaZOzN4Fd5299tO2Gro99+O+rOXre3tlUQ7f9ZROX3D5ObogpcosYV93ZT 7jA2d9o05OoUbWhh3f0+sHqy5eLvpj5275CTh33uzlvOTUb/euJXTqnYO+CCVrdV Ls7URB/V8tGxVfPFHcgaycOdAVAWt35X++qbLwg288HpaPF0J8hWRAVbP5CC2erO5u+RoEZ5AoGBAPV3ssJ0sblhgJB2BenJNWeehD7evJ//cVq5gZGgNbfNqpGuVG3W TL2ELpxYn72cDrOO2gVVQqsSBOC5C4TqTV//O5o/QOCZDVfgubr8fOxL5Ufu3v+V CRuOdBdOuOy8gTnVlXzAQc9OcAzFsbVQU0WyaOLw/aOW4BFhtODXh7RPAoGBAVHV 3wx20D/N/3oNcScDTAcOceFx4Co4AJogN7azHeetTWeepJoXYVWqtA9vBq8w5SYd tOeCz4GA2lU0UQ/BDduaeYvsVfgaqpC4o5SuUaBxVUVc9fnodo5u05GrOs4ep7OV Yhv5GtnRf5c9j3lHzfA0pOVugUO9E95VCj9Sc+PDAoGBAVctfbzEuCdf0g5OWOdJ Y9Re/QxxLNqG2avDBODxVW2/UVGv5FV9jcO2DrSW/qxELoAnERHOew3/rCXrop+t BcEAVZpHPDJxzdgBl8cBJ5//EzOjGbadrB+RROgcbvE5o90NhcvG+owOt53RcXHV AcqsRJhhVTBuTVO8x0PEvtpjAoGAUe8u0WR/WQbGCuhVxSLUhOsVOVccQ3zObFhC 0pvbfONX+vopWceZZcauUXs72tVRasrQlxZqcrGtEcX7vul33pzV0X3YDSPPgTnU OptceL578jw2OHTfa3Ox/2e3TqDbgb/RZjjrVLF3243Vy5XQ3rOD7739+cuU8rUC cOFZ4RsCgYALBVN8syl37E2lJqy3HbW00pztP5zcrLo5eGJdzyPBzQYZF4ZGxrZQ Lh9cO0FBw9n8p7PN7xo+tcRCjlRnAVp3DtHg+55YR/0wjPoWHz3sSU73Yg35TzOE TwBOt0Bc4ccocsDEg5ayWVuzyRHOoUprzTLeB3YnQd3u0nNct5D7Fw== -----END RSA PRIVATE KEY-----" e:\test\crilock

            crypto-un-locker
            The MIT License (MIT)

Copyright (c) 2013 Kyrus Tech

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of

the Software, and to permit persons to whom the Software is furnished to do so,

<Removed the rest>

Type 'Yes' to agree to the above terms or 'No' to exit: Yes
[+] Successfully decrypted file: e:\test\crilock\test.doc
[+] Successfully decrypted file: e:\test\crilock\test3.doc
[-] Unsuccessful decrypting file: Could not find the private key for this CryptoLocker file: e:\test\crilock\test24.doc

e:\test\crilock>
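
After a recursive run over a large share, the console lines shown above can be sorted into files that were decrypted and files that failed, grouped by reason, so the files that need a different key are easy to list. This is an added example, not part of the original post or of the decrypter; `triage` is a made-up name, and only the two line formats visible in the post are recognised.

```python
import re
from collections import defaultdict

# Console output copied from the post above (licence text left out).
SAMPLE = r"""
Type 'Yes' to agree to the above terms or 'No' to exit: Yes
[+] Successfully decrypted file: e:\test\crilock\test.doc
[+] Successfully decrypted file: e:\test\crilock\test3.doc
[-] Unsuccessful decrypting file: Could not find the private key for this CryptoLocker file: e:\test\crilock\test24.doc

e:\test\crilock>
"""

OK_LINE = re.compile(r"^\[\+\] Successfully decrypted file: (?P<path>.+)$")
# A failure line reads "<reason>: <path>", and the path has a colon of its own
# after the drive letter, so the split point is the ": " that sits directly
# before a drive-letter or UNC path.
FAIL_LINE = re.compile(
    r"^\[-\] Unsuccessful decrypting file: (?P<reason>.+): "
    r"(?P<path>(?:[A-Za-z]:\\|\\\\).+)$"
)


def triage(console_output):
    """Return (decrypted_paths, {failure_reason: [paths]}) from a saved run."""
    decrypted, failed = [], defaultdict(list)
    for line in console_output.splitlines():
        line = line.strip()
        ok = OK_LINE.match(line)
        fail = FAIL_LINE.match(line)
        if ok:
            decrypted.append(ok.group("path"))
        elif fail:
            failed[fail.group("reason")].append(fail.group("path"))
    return decrypted, dict(failed)


if __name__ == "__main__":
    done, failed = triage(SAMPLE)
    print(f"decrypted: {len(done)}")
    for reason, paths in failed.items():
        print(f"{reason}: {len(paths)}")
        for p in paths:
            print("   ", p)
```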


#3101 rsiadmin

rsiadmin

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:01:35 AM

Posted 06 August 2014 - 11:22 AM

FYI in addition to the clarified instructions above "(Make sure to include the BEGIN and END portion along with the quotes otherwise it will not work)", be aware the tool will not work with leading or trailing spaces within the filename (our user had used spaces). Once the file is renamed, less spaces, the tool worked.

Success!!



#3102 vegasj

vegasj

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 06 August 2014 - 11:29 AM

Got it to work. Have to say I found it confusing. As stated you need to paste the whole key into the command line. You can also specify the -r command to make it search a directory recursively. If you do that, you need to specify the folder (not files) to search through recursively. For example, below is the command to recursively decrypt files in a folder:

 

Decryptolocker.exe -r --key "-----BEGIN RSA PRIVATE KEY----- VOOEpAOBAAcCAQEAuDqV0+5qoWG3uGOvXuV+tcQjWalJ9aHqrlafEyVUShn9U5B9 9LgPuYwSV5y9V98JOdOgH/tuyZ3sX+XUnQxA2J7PaeTShXVnoRw+3Yw+0dDUyXRB 5HJcXgc0Y3h8+zB4Vgax2x9Bp3VQSSYHQ3+wWJQLojHyhbGFevJnQcYc55ecZOyd VTnVo0SjlNjWU+Nj5CL87EVjVgfqC4TNEwVZ+nxtVoyPRCBOcZRJVNQr3nxcFyJq rPgeZVdBASXcbV08yN933L4d0oNBcYSvtWupcVRqYX/l95/ezoc8xqOVnWfWV3Pb OgL5Z0HUG9ZXfNEDFBaDTV8pnjTzEHxpzr5lLQODAQABAoOBAQCfvqPH4tTtCclg pSqEN5SaAO5SOrux5OuErjGTS3OdZHnOCuNc3ncsH3xG3Jt02+V0Qn5eHgwLoZ3A La35WtVju9cH7lUpTbqvtalLo8VY9eZ8pGU3bOJhE8Qsof55ZarjXfC8Vxa32L58 HxBvU/oaZOzN4Fd5299tO2Gro99+O+rOXre3tlUQ7f9ZROX3D5ObogpcosYV93ZT 7jA2d9o05OoUbWhh3f0+sHqy5eLvpj5275CTh33uzlvOTUb/euJXTqnYO+CCVrdV Ls7URB/V8tGxVfPFHcgaycOdAVAWt35X++qbLwg288HpaPF0J8hWRAVbP5CC2erO5u+RoEZ5AoGBAPV3ssJ0sblhgJB2BenJNWeehD7evJ//cVq5gZGgNbfNqpGuVG3W TL2ELpxYn72cDrOO2gVVQqsSBOC5C4TqTV//O5o/QOCZDVfgubr8fOxL5Ufu3v+V CRuOdBdOuOy8gTnVlXzAQc9OcAzFsbVQU0WyaOLw/aOW4BFhtODXh7RPAoGBAVHV 3wx20D/N/3oNcScDTAcOceFx4Co4AJogN7azHeetTWeepJoXYVWqtA9vBq8w5SYd tOeCz4GA2lU0UQ/BDduaeYvsVfgaqpC4o5SuUaBxVUVc9fnodo5u05GrOs4ep7OV Yhv5GtnRf5c9j3lHzfA0pOVugUO9E95VCj9Sc+PDAoGBAVctfbzEuCdf0g5OWOdJ Y9Re/QxxLNqG2avDBODxVW2/UVGv5FV9jcO2DrSW/qxELoAnERHOew3/rCXrop+t BcEAVZpHPDJxzdgBl8cBJ5//EzOjGbadrB+RROgcbvE5o90NhcvG+owOt53RcXHV AcqsRJhhVTBuTVO8x0PEvtpjAoGAUe8u0WR/WQbGCuhVxSLUhOsVOVccQ3zObFhC 0pvbfONX+vopWceZZcauUXs72tVRasrQlxZqcrGtEcX7vul33pzV0X3YDSPPgTnU OptceL578jw2OHTfa3Ox/2e3TqDbgb/RZjjrVLF3243Vy5XQ3rOD7739+cuU8rUC cOFZ4RsCgYALBVN8syl37E2lJqy3HbW00pztP5zcrLo5eGJdzyPBzQYZF4ZGxrZQ Lh9cO0FBw9n8p7PN7xo+tcRCjlRnAVp3DtHg+55YR/0wjPoWHz3sSU73Yg35TzOE TwBOt0Bc4ccocsDEg5ayWVuzyRHOoUprzTLeB3YnQd3u0nNct5D7Fw== -----END RSA PRIVATE KEY-----" e:\test\crilock

            crypto-un-locker
            The MIT License (MIT)

Copyright (c) 2013 Kyrus Tech

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of

the Software, and to permit persons to whom the Software is furnished to do so,

<Removed the rest>

Type 'Yes' to agree to the above terms or 'No' to exit: Yes
[+] Successfully decrypted file: e:\test\crilock\test.doc
[+] Successfully decrypted file: e:\test\crilock\test3.doc
[-] Unsuccessful decrypting file: Could not find the private key for this CryptoLocker file: e:\test\crilock\test24.doc

e:\test\crilock>

So, I have a drive with 5 folders. Inside those 5 folders are many different numbers of folders each... some of those with more folders.

 

Inside the many different number of folders are where all the encrypted pdf files reside. 

 

My understanding, this will not search and find within folders inside folders and work?



#3103 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:35 AM

Posted 06 August 2014 - 12:24 PM

Well, that application they are passing out really really looks to be the script of CryptoUnlocker, made by kyrus (https://github.com/kyrus/crypto-un-locker), simply wrapped up in a single EXE with console output, and parameters removed. Which is a little silly.

 

If anyone wants to use the original script, I compiled it into an EXE with all its dependencies (no time to pack it atm). Here: https://www.dropbox.com/s/j070ptot60mylye/CryptoUnlocker.zip

Chrome is detecting it as an infection, but I compiled it, so don't be alarmed. You can use IE to download it. I have no time to shift bytes :(

 

This script has output on it so you know what is going on, the ability to simply copy and paste your key to a file and pass it to the application, and a recursive option that makes more sense. Here are the instructions for anyone interested.

 

1.) Download the zip file and place it in an easy area (Desktop is one)

2.) Extract all files to a created Folder named "Decrypter".

3.) With the folder open, hold down SHIFT and right click an empty area in the folder, and select "Open command Window Here" OR simply open a command window and navigate to that folder.

4.) Type CryptoUnlocker.exe --help to see this:

 

usage: CryptoUnLocker.exe [-h] (--keyfile KEYFILE | --keydir KEYDIR | --detect)
                          [-r] [-v] [--dry-run] [-o DESTDIR] [--csv CSVFILE]
                          encrypted_filenames [encrypted_filenames ...]

Decrypt CryptoLocker encrypted files.

positional arguments:
  encrypted_filenames

optional arguments:
  -h, --help           show this help message and exit
  --keyfile KEYFILE    File containing the private key, or the EXE file
                       provided for decryption
  --keydir KEYDIR      Directory containing any number of private keys; the
                       appropriate private key will be used during the
                       decryption process
  --detect             Don't try to decrypt; just find files that may be
                       CryptoLockered
  -r                   Recursively search subdirectories
  -v                   Verbose output
  --dry-run            Don't actually write decrypted files
  -o DESTDIR           Copy all decrypted files to an output directory,
                       mirroring the source path
  --csv CSVFILE        Output to a CSV file

 

 

Pick the options you want to use. For example, if I wanted this application to go through my whole C:\ drive recursively I would:

 

1.) make a test file named key.txt in the same folder as the application and paste my key in it.

2.) Then in my command window I would run: CryptoUnLocker.exe --keyfile key.txt -r C:\

 

This would recursively decrypt all files on my C:\ drive. You can use the -V command for a deep output on the CMD window.

 

This application leaves the encrypted versions as a .BAK though, so when you are done and have confirmed that all files are fine, simply search windows for .BAK files and remove the ones you feel need to be removed in Bulk.

 

I have confirmed this application also leaves non encrypted files alone, so you don't need to worry about it messing up non encrypted files.


Edited by decrypterfixer, 06 August 2014 - 12:25 PM.

Have you performed a routine backup today?

#3104 vegasj

vegasj

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 06 August 2014 - 01:16 PM

 

Pick the options you want to use. For example, if I wanted this application to go through my whole C:\ drive recursively I would:

 

1.) make a test file named key.txt in the same folder as the application and paste my key in it.

2.) Then in my command window I would run: CryptoUnLocker.exe --keyfile key.txt -r C:\

Thx!

 

I've tried this for one of my encrypted files...

 

I'm getting an "unsuccessful loading key file: could not parse a private key from file: key.txt"
 

I created my key.txt file inside the same folder as cryptounlocker.exe, copied and pasted the key they sent in the email, saved and closed the txt.

 

I've tried including 

 

"-----BEGIN RSA PRIVATE KEY----- MXXXXX....

 

and

 

...XXXXXu -----END RSA PRIVATE KEY----- "

 

What or how exactly should the content of the key.txt file look?



#3105 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:35 AM

Posted 06 August 2014 - 01:51 PM

Okay, so the keys they are passing out are a little modified, but really not too bad, so this should be easy. To use the script I put up, please follow the directions to make your key file work with the script:

 

1.) Copy and paste your key into a file using notepad, notepad++ Etc. It will prob. look something like this, all on one line

MLDHaN1.png

 

With the -----BEGIN RSA PRIVATE KEY----- at the very first of the line, and the -----END RSA PRIVATE KEY----- at the very last.

If it doesn't, don't worry, as we are going to edit it anyways.

 

 

 

2.) Take the word "RSA"  out of both the "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----" so it just says "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----".

 

ZH7cB2T.png

 

 

3.) Now simply hit enter right after the -----BEGIN PRIVATE KEY----- To put it on a new line, and then hit enter right before -----END PRIVATE KEY----- To put it on a newline. So it should look like this:

 

eVIPjC0.png

 

And you're done! Save it as Key.PEM or Key.txt, and follow the last instructions.

 

P.S. Don't worry about the spaces after the "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----", they don't matter. If you have no idea what I'm talking about, then just ignore this.


Have you performed a routine backup today?
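
The three editing steps in the post above, done by a script instead of by hand, with the stray quotation marks from the command-line form handled as well. This is an added example, not code from the post or from crypto-un-locker; `normalize_key`, `write_key_file` and the sample key text are made up for illustration, and the key body is kept on one line as in the pasted key.

```python
import re
from pathlib import Path

# Either spelling of the armor lines is accepted on input; the output uses the
# spelling without "RSA", as step 2 of the post above says.
ARMORED = re.compile(
    r"-----BEGIN (?:RSA )?PRIVATE KEY-----(?P<body>.*)"
    r"-----END (?:RSA )?PRIVATE KEY-----",
    re.DOTALL,
)
BASE64_TEXT = re.compile(r"[A-Za-z0-9+/=\s]+")


def normalize_key(pasted):
    """Lay out a pasted one-line key as steps 1-3 describe."""
    # Quotation marks belong to the command-line form, not to the key file.
    text = pasted.strip(' \t\r\n"')
    m = ARMORED.fullmatch(text)
    if m is None:
        raise ValueError("BEGIN/END PRIVATE KEY lines missing or not at the ends")
    # The body stays on one line, as in the pasted key; only runs of
    # whitespace are collapsed.
    body = " ".join(m.group("body").split())
    if not body or not BASE64_TEXT.fullmatch(body):
        raise ValueError("key body is empty or has non-base64 characters")
    return f"-----BEGIN PRIVATE KEY-----\n{body}\n-----END PRIVATE KEY-----\n"


def write_key_file(pasted, path="key.txt"):
    """Write the normalized key (e.g. next to the decrypter); return the path."""
    out = Path(path)
    out.write_text(normalize_key(pasted), encoding="ascii")
    return out


if __name__ == "__main__":
    # Constructed sample, not a real key: three short base64 chunks.
    pasted = '"-----BEGIN RSA PRIVATE KEY----- QUJD REVG R0hJ -----END RSA PRIVATE KEY----- "'
    print(normalize_key(pasted), end="")
```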



