Decrypterfixer, very good tool! Working well.
I only have 1 client where we saved the old encrypted files. Good thing too- this is a long process.
Slightly off-topic CryptoLocker registry question: I have been studying how to edit the registry using PowerShell. I see that CryptoLocker and CryptoWall use DWORDs for the files: registry value names for the files, some random number for the value. Why not just use registry strings with the file name in the string?
It can be done relatively easily. I found a PC with over 1000 entries in the CryptoLocker\Files key; once the file was ready, it unlocked in around 5 minutes.
Export the keys into a batch file (here's a VBS script to do that):
'Cryptowall Build encrypted file list for decryption
Dim objFSO, objFile, oReg, arrEntryNames, arrValueTypes, i
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile("Decrypt.bat", True)
Const HKCU = &H80000001          'HKEY_CURRENT_USER hive constant required by StdRegProv
Const REG_DWORD = 4              'StdRegProv type code for REG_DWORD (not used below; the value NAMES hold the paths)
Const strKeyPath = "Software\CryptoLocker\Files"
Set oReg = GetObject("winmgmts:\\.\root\default:StdRegProv")
oReg.EnumValues HKCU, strKeyPath, arrEntryNames, arrValueTypes
If IsArray(arrEntryNames) Then   'EnumValues returns Null when the key has no values
    For i = 0 To UBound(arrEntryNames)
        objFile.WriteLine arrEntryNames(i)   'one encrypted file path per line
    Next
End If
objFile.Close
Once you have the batch file you can use the following format to unlock the files (I used the FireEye Decryptolocker tool).
The first thing you will need to do is fix the formatting. Use the replace tool in Notepad to change ? to \, then add quotes to the start and end of all file names (I used replace for this too; be careful with file types such as doc/docx and xls/xlsx: replace the shorter extension first, then go back and fix the longer extensions).
set RSA=Paste your RSA key here. At the end of each line put a space and a caret ^, otherwise it will not use the whole key.
Do not add a caret to the last line of the key.
Use the replace tool to replace the drive letter with the following line; I'll use drive C for an example:
Replace "c:\ echo Yes|Decryptolocker.exe --key "%RSA%" "c:\
It'll add that to all files located on C:.
Example: echo Yes|Decryptolocker.exe --key "%RSA%" "C:\Users\Staff\Documents\Staff Meeting March 2013.docx"
Launch the script when finished through cmd and it will only show the files it's decrypting instead of the EULA. I'm sure someone can refine the method better, but it's quicker than scanning the entire drive, providing you have the list of infected files.
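The same workflow (read the value names under HKCU\Software\CryptoLocker\Files, turn ? back into \, quote each path, and emit one Decryptolocker.exe line per file) as an added Python example; this is not the poster's script or FireEye's code. It assumes the --key flag and the echo Yes| pipe exactly as shown in the post, uses a placeholder for the RSA key, and ships a constructed sample list so it can run off the infected machine.

```python
import platform
from typing import Iterable, List

# Registry key named in the post; each value *name* is an encrypted file's path.
KEY_PATH = r"Software\CryptoLocker\Files"

# Constructed sample of value names in the form the post describes ('?' in place of '\').
SAMPLE_NAMES = [
    "C:?Users?Staff?Documents?Staff Meeting March 2013.docx",
    "C:?Data?report.doc",       # doc/docx pair: quoting whole names sidesteps
    "C:?Data?report.docx",      # the extension-ordering problem from the post
    "C:?Data?Q1 100%.xlsx",     # a literal '%' must be doubled inside a .bat
]


def registry_name_to_path(name: str) -> str:
    """Undo the '?' for '\\' substitution (the post's first replace step)."""
    return name.replace("?", "\\")


def build_decrypt_bat(names: Iterable[str], rsa_key: str) -> str:
    """Return the text of Decrypt.bat: one 'set RSA=' line, then one
    Decryptolocker.exe line per file in the command form shown in the post."""
    # Keep the key on a single line, so the caret continuation the post
    # describes for a hand-pasted multi-line key is not needed here.
    lines: List[str] = ["set RSA=" + "".join(rsa_key.split())]
    for name in names:
        path = registry_name_to_path(name).replace("%", "%%")  # literal % in batch
        lines.append(f'echo Yes|Decryptolocker.exe --key "%RSA%" "{path}"')
    return "\n".join(lines) + "\n"


def read_file_list(key_path: str = KEY_PATH) -> List[str]:
    """Enumerate value names under HKCU\\<key_path> (Windows only, via winreg)."""
    import winreg  # standard library module, importable only on Windows
    names: List[str] = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, _data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                break
            names.append(name)
            index += 1
    return names


if __name__ == "__main__":
    # On the infected machine read the real list; elsewhere use the constructed sample.
    names = read_file_list() if platform.system() == "Windows" else SAMPLE_NAMES
    with open("Decrypt.bat", "w") as bat:
        bat.write(build_decrypt_bat(names, "PASTE-RSA-KEY-HERE"))  # placeholder key
```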