Posted 21 May 2016 - 09:04 PM
Posted 21 May 2016 - 09:17 PM
For the latest information on CryptoLocker, please see this guide/FAQ: CryptoLocker Ransomware Information and FAQ
Is it possible to decrypt files encrypted by CryptoLocker?
FireEye and Fox-IT have released a method of possibly retrieving your private decryption key and a decrypter to use to decrypt your files. These keys were made available through Operation Tovar and were not retrieved by cracking the encryption. To try and retrieve your key, please visit their site http://www.decryptcryptolocker.com/ and enter your email and upload a copy of one of your CryptoLocker encrypted files. The service will then attempt to decrypt that file using all of the known encryption keys. If they are able to successfully decrypt your file, they will then email you the decryption key with instructions on how to use it.
In order to use the decryption you need to paste the entire decryption key they send you, quotes and all, after the --key argument of the Decryptolocker.exe program. An example of how you would decrypt all of the folders and files under a particular folder can be found in this post. As the instructions and how to use the tool are not particularly user-friendly, if you need any help, please feel free to ask in the CryptoLocker Support Topic. It should also be noted that you can use a different script, that it appears the FireEye/Fox-IT one was based off of, as well. Instructions on using the alternative decrypter can be found here.
If your key is not available using the above methods, the only methods you have of restoring your files are from a backup or Shadow Volume Copies if you have System Restore enabled. Newer variants of CryptoLocker attempt to delete the Shadow Copies, but it is not always successful. More information about how to restore your files via Shadow Volume Copies can be found in this section below.
Edited by TheTripleDeuce, 21 May 2016 - 09:22 PM.
Posted 21 May 2016 - 09:22 PM
Your files were most likely hit by Crypt0L0cker, a fake variant of the original. You can confirm by the name of the ransom note, which they have translated to over 10 different languages to my knowledge. You can upload a ransom note and encrypted file to the service in my signature for confirmation.
Afraid there is no solution for Crypt0L0cker. You can find more information in the appropriate support topic.
If I have helped you and you wish to support my ransomware fighting, you may support me here.
Posted 21 May 2016 - 09:58 PM
Posted 22 May 2016 - 07:12 AM