CryptoLocker (RSA-2048) has encrypted files, need help decrypting


  • This topic is locked
1 reply to this topic

#1 solomonshv

solomonshv

  • Members
  • 6 posts

Posted 09 September 2013 - 02:55 PM

Hello

 

We had one workstation that was infected with the CryptoLocker Trojan. We got the virus out, but a bunch of files are now encrypted. Is there a way to unencrypt these files?

 

There is a screenshot and description of the virus here: http://www.fixspywarenow.com/how-to-remove-cryptolocker-your-personal-files-are-encrypted-virus-a-guide-to-remove-cryptolocker-your-personal-files-are-encrypted-virus-from-your-pc/

 

So far I tried this tool: http://www.pandasecurity.com/homeusers/support/card?id=1675&IdIdioma=1

 

It asks for an original file and the encrypted version of it to generate the encryption key. I provided that for the program and a key was generated, but the tool can't actually use this key to decrypt the files. I get this in the log:

 

2013-09-09 15:36:02: [i] ### Using key <C:\Users\xxxx\AppData\Local\Temp\PRDecrypt\key.bin> ###

2013-09-09 15:36:02:
2013-09-09 15:36:02: [i] Searching crypted files.

2013-09-09 15:36:02:
2013-09-09 15:36:02: No files decrypted.
2013-09-09 15:36:02: Done.

 

Any ideas?

 

Thanks

 

PS: I'm not a new member, I just can't remember which username or email I used for this website before.


Edited by solomonshv, 09 September 2013 - 02:57 PM.



 


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 10 September 2013 - 09:05 AM

Hi solomonshv,
 
Unfortunately, there is currently no way for us to decrypt those files. For information about Cryptolocker, please have a look at this post:

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/?p=3153406

Casey

Edited by Casey_boy, 10 September 2013 - 09:19 AM.

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.

