Crypt0L0cker decryption software not working on large files


#1 paulylah

  • Members
  • 3 posts

Posted 22 December 2017 - 06:07 PM

Hey guys, long time reader, first time poster.

I run an MSP in Sydney. I have a client who had a cryptolocker incident some time back. We were able to restore most from backup, but there were some old email archives sitting on a NAS that got hit and didn't have a backup.

Client agreed to pay the ransom, which got us a decryptor executable. We ran it and got other stuff back, but the larger PSTs didn't get decrypted.

They are 7, 11, and 27 GB respectively. We have need for these. I am hopeful that the files are just too large for their decryptor tool, but we may still be able to get them back via another tool? I assume the key is embedded in the downloaded executable?

The decryptor is called "Decryption_Software.EXE". It's 110 KB. Any assistance would be greatly appreciated. Thanks

 

---------------------------------------------------------------------------

The sample has been identified as:

Sample indicates Crypt0L0cker

Identified by
  • ransomnote_filename: HOW_TO_RESTORE_FILES.html
  • ransomware_tracker: ojmekzw4mujvqeju.fineboy.at (Payment Site)*
  • sample_extension: .enc
  • ransomnote_keyword: "Crypt0L0cker"



#2 paulylah

  • Topic Starter
  • Members
  • 3 posts

Posted 22 December 2017 - 06:40 PM

Just an update:

I have retrieved the public key from the exe they sent us. Now, what sort of tool can I use to decrypt? Thanks



#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,954 posts
  • Location:Virginia, USA

Posted 22 December 2017 - 08:24 PM

If you received a working decrypter, you can zip and submit it here with a link to this topic along with a few encrypted files and anything else the malware writers provide. Our crypto malware experts may be able to get some information by analyzing the decrypter.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Emmanuel_ADC-Soft

  • Members
  • 160 posts
  • Location:Paris

Posted 23 December 2017 - 12:39 PM

Dr.Web has a good success rate in decrypting Crypt0l0cker. Their tool is billed (150 €) only if they manage to recover all the files, including the large PSTs.

To see if the Dr.Web rescue pack is able to decrypt this case, you can submit here a link to download the HOW_TO_RESTORE_FILES.html file, 2-3 encrypted doc files, as well as a link to one of these 3 PST files which remain undecipherable for the moment.

Kind regards,

Emmanuel



#5 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,427 posts
  • Location:USA

Posted 26 December 2017 - 10:14 AM

I'd recommend going the Dr. Web route. I don't know enough about the crypto scheme used in Crypt0L0cker to write a decrypter efficiently. If they sent you a decrypter, it should have the private key used for the files though, so that may make things easier on Dr. Web's end hopefully.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

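Post #2 says a public key was pulled out of the decryptor, and post #5 expects the private key to be in there. The script below is an added example (not code from this thread, from the decryptor, or from any of the tools named above) that settles which kind of key material is actually present in a binary. It recognises three common encodings as an assumption: Windows CryptoAPI PUBLICKEYBLOB/PRIVATEKEYBLOB structures, PEM headers, and DER-encoded PKCS#1 RSA keys; whether Crypt0L0cker's decryptor stores its key in any of these forms is not known from the thread, and a packed or obfuscated key will not be found this way. The sample "binary" at the bottom is constructed so the script runs offline; on a real file, read it on an isolated analysis box and do not execute it outside the incident scope.

```python
"""Look for embedded RSA key material in a vendor-supplied decryptor.

Added example, not code from this thread or from any decryptor. Only three
common encodings are recognised (assumptions below); a miss proves nothing.
"""
import hashlib
import re
import struct

# Windows CryptoAPI blobs: PUBLICKEYSTRUC {bType, bVersion, reserved, aiKeyAlg}
# followed by RSAPUBKEY {magic, bitlen, pubexp}; CALG_RSA_KEYX = 0x0000A400.
CAPI_SIGNATURES = {
    b"\x06\x02\x00\x00\x00\xa4\x00\x00RSA1": "CryptoAPI PUBLICKEYBLOB",
    b"\x07\x02\x00\x00\x00\xa4\x00\x00RSA2": "CryptoAPI PRIVATEKEYBLOB",
}
PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]+)-----")
# PKCS#1 RSAPrivateKey in DER: SEQUENCE, INTEGER version 0, INTEGER modulus.
DER_RSA_PRIVATE = re.compile(rb"\x30\x82..\x02\x01\x00\x02\x82", re.DOTALL)
# PKCS#1 RSAPublicKey in DER: SEQUENCE, then INTEGER modulus with a 2-byte length.
DER_RSA_PUBLIC = re.compile(rb"\x30\x82..\x02\x82", re.DOTALL)


def _der_modulus_bits(blob: bytes, length_off: int):
    """Bit length of a DER INTEGER whose 2-byte length field starts at length_off."""
    if length_off + 3 > len(blob):
        return None
    n_len = struct.unpack_from(">H", blob, length_off)[0]
    if blob[length_off + 2] == 0:      # leading zero keeps the INTEGER positive
        n_len -= 1
    return n_len * 8


def find_key_material(blob: bytes) -> list:
    """Return hits sorted by offset, each {offset, kind, bits, e}."""
    hits = []
    for sig, kind in CAPI_SIGNATURES.items():
        for m in re.finditer(re.escape(sig), blob):
            if m.end() + 8 <= len(blob):           # bitlen and pubexp follow the magic
                bits, e = struct.unpack_from("<II", blob, m.end())
                hits.append({"offset": m.start(), "kind": kind, "bits": bits, "e": e})
    for m in PEM_HEADER.finditer(blob):
        hits.append({"offset": m.start(), "kind": "PEM " + m.group(1).decode(),
                     "bits": None, "e": None})
    for m in DER_RSA_PRIVATE.finditer(blob):
        hits.append({"offset": m.start(), "kind": "PKCS#1 RSAPrivateKey (DER)",
                     "bits": _der_modulus_bits(blob, m.end()), "e": None})
    for m in DER_RSA_PUBLIC.finditer(blob):
        hits.append({"offset": m.start(), "kind": "PKCS#1 RSAPublicKey (DER)",
                     "bits": _der_modulus_bits(blob, m.end()), "e": None})
    return sorted(hits, key=lambda h: h["offset"])


def sha256_hex(blob: bytes) -> str:
    """Hash to quote when submitting the file for analysis."""
    return hashlib.sha256(blob).hexdigest()


def build_sample_binary() -> bytes:
    """Constructed stand-in for a decryptor: a PE-ish stub with two planted keys."""
    capi_pub = (b"\x06\x02\x00\x00\x00\xa4\x00\x00RSA1"
                + struct.pack("<II", 2048, 65537) + b"\x11" * 256)
    der_priv = b"\x30\x82\x04\xa4\x02\x01\x00\x02\x82\x01\x01\x00" + b"\x22" * 256
    return (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 64
            + capi_pub + b"\x00" * 32 + der_priv + b"\x00" * 16)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_binary()
    print("sha256:", sha256_hex(data))
    for hit in find_key_material(data):
        print(hit)
```

A PUBLICKEYBLOB hit on its own is consistent with what post #2 reports but decrypts nothing; a PRIVATEKEYBLOB or DER RSAPrivateKey hit is what an analyst would want handed over together with the hash, a few encrypted files and the ransom note.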

#6 paulylah

  • Topic Starter
  • Members
  • 3 posts

Posted 27 December 2017 - 01:01 AM

Hi everybody,

 

Thanks for all your responses

 

I would like to confirm that I have successfully decrypted the files. Some information for you all, however, particularly if anybody else is suffering from the same issue:

1. Upon encryption the virus had caused these files to be marked read-only, so when the decryptor ran, they were not decrypting correctly. If you are finding that you have the same issue and your decryptor tool isn't working, please confirm the permissions on all files.

2. It's obvious that the initial encryption had not fully encrypted the files. I can tell this because the process of decryption took only seconds. In reality, it would take a long time to decrypt 50 GB, I think, with heavy CPU load. It was only a few seconds with little to no CPU load at all, which makes me think it only encrypts a very small part of the file and changes the file extension. This means that if you are suffering from encryption by this virus you may be able to retrieve the majority of your email data using a PST recovery tool. This is probably by design, as it would take just as long to encrypt large files, so the virus tries to increase its efficiency by paying little attention to these very large files so it can encrypt the greatest possible number of smaller ones.

 

Happy holidays to everybody!

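Both points in the post above can be checked before deciding on a recovery route, and the script below is an added example (not code from the thread or from any decryptor) of doing so. It marks each 4 KiB block of a file as ciphertext-like when its byte entropy is 7.5 bits per byte or higher (threshold and block size are assumptions), reports where the first non-encrypted block begins, checks whether the Outlook PST signature `!BDN` at offset 0 survived, and shows how to detect and clear the read-only flag that stopped the decryptor. The partially encrypted "PST" it runs on is constructed: 64 KiB of pseudo-random bytes followed by repeated mail text.

```python
"""Triage a file hit by ransomware that may only have encrypted part of it.

Added example, not from the original thread. Assumptions: 4 KiB blocks, an
entropy of >= 7.5 bits/byte is treated as ciphertext, and a PST begins "!BDN".
"""
import math
import os
import random
import stat
import tempfile
from collections import Counter

PST_MAGIC = b"!BDN"          # first four bytes of every Outlook PST/OST file
BLOCK = 4096
CIPHERTEXT_ENTROPY = 7.5     # assumption: random-looking bytes score close to 8.0


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte of `chunk` (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def encryption_profile(data: bytes, block=BLOCK, threshold=CIPHERTEXT_ENTROPY):
    """Classify each block; returns (per_block, encrypted_fraction, first_plain_offset).

    first_plain_offset is None when every block looks encrypted.
    """
    per_block = []
    for off in range(0, len(data), block):
        e = shannon_entropy(data[off:off + block])
        per_block.append((off, round(e, 2), e >= threshold))
    if not per_block:
        return [], 0.0, None
    encrypted = sum(1 for _, _, hit in per_block if hit)
    first_plain = next((off for off, _, hit in per_block if not hit), None)
    return per_block, encrypted / len(per_block), first_plain


def summarize(data: bytes) -> dict:
    """What a responder wants to know before choosing a recovery route."""
    _, frac, first_plain = encryption_profile(data)
    return {
        "pst_magic_intact": data[:4] == PST_MAGIC,
        "encrypted_fraction": round(frac, 3),
        "first_plaintext_offset": first_plain,
        # Only a prefix encrypted: mailbox items may still be carved by a PST recovery tool.
        "worth_pst_recovery": first_plain is not None and frac < 0.5,
    }


def is_read_only(path: str) -> bool:
    """True when the owner write bit is clear; on Windows this is the read-only attribute."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def clear_read_only(path: str) -> None:
    """Re-enable writing so a decryptor can rewrite the file in place."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IWRITE)


def build_sample(encrypted_prefix=64 * 1024, total=256 * 1024) -> bytes:
    """Constructed stand-in for a partially encrypted PST: random prefix, text body."""
    rng = random.Random(1)
    prefix = bytes(rng.randrange(256) for _ in range(encrypted_prefix))
    line = b"From: alice@example.com\r\nSubject: quarterly report\r\n\r\nSee attached.\r\n"
    body = (line * (total // len(line) + 1))[: total - encrypted_prefix]
    return prefix + body


def read_only_roundtrip() -> tuple:
    """Create a temp file, mark it read-only, clear the flag; returns (before, after)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, stat.S_IREAD)
        before = is_read_only(path)
        clear_read_only(path)
        after = is_read_only(path)
    finally:
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
        os.remove(path)
    return before, after


if __name__ == "__main__":
    print(summarize(build_sample()))
    print("read-only before/after:", read_only_roundtrip())
```

On the constructed sample the PST signature is gone but three quarters of the file is still plaintext, which is the situation the post describes: the decryptor is still needed for the head of the file, and a PST recovery tool is a fallback for the rest. Run `summarize()` on a read copy of the real .enc file, and clear the read-only flag on the originals before re-running the decryptor rather than editing them by hand.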


#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,954 posts
  • Location:Virginia, USA

Posted 27 December 2017 - 07:17 AM

You're welcome on behalf of the Bleeping Computer community.