
How to Decrypt Files Encrypted by Crypto Virus (Cryptolocker Cryptowall & others)

I came across this virus when a friend of mine asked for assistance. He works for an oil services company, and their shared files were compromised by a Cryptolocker copycat, which is actually harder to deal with than the original, well-known virus.

I will explain why it's harder.

How cryptoware or ransomware viruses work

These viruses do a simple job: they scan your PC for any storage device, including network-mapped drives, then scan those for DOC, PDF and other document types, and in some cases pictures and videos.
After the scan, the virus starts encrypting the files. All of this happens silently, without you noticing anything. It uses a key to encrypt your files and sends that key to the creator of the virus, then shows you a page demanding payment within 48 hours, or the key will be deleted and you will never get your files back.
In exchange for the key that gets your files back, you pay an amount usually around $600.

Isn't that cool?

It was cool when the first gang created Cryptolocker; that gang is now in jail. Anyway, the group gave the database that held the keys to every locked machine in the world to the FBI, and a website to help people get their files back is online.
What is not cool right now is the number of copycats from developing countries that got hold of the code or even wrote it themselves. They didn't cause as much damage worldwide as the original group, so nobody cares to catch them. One of the companies that got compromised is where my friend works. Its files were encrypted by a copycat virus that nobody is talking about online, which makes me think they are the only ones who got infected.

So here I am, the first to mention it. The virus follows a pattern of renaming extensions, for example from "file.DOCX" to "file.DOCX.zpbjavl".
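The two symptoms described above, the appended random extension and documents encrypted in place on a mapped share, are what an IT team needs to inventory before trying any decryption tool. The following triage script is an added example, not code from the post or from any of the tools it links to. It walks a share, flags files whose name matches the "document extension plus appended lowercase tag" pattern, and flags documents that kept their name but no longer start with the magic bytes their type should have. The 5 to 10 letter tag length, the magic-byte table and the sample directory tree are all assumptions constructed for the example, based on the single sample name on the page.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Document types the post says these families go after, with the bytes a
# healthy file of that type starts with (standard magic numbers).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG",
}

# "file.DOCX.zpbjavl": a real document extension with a run of lowercase
# letters appended. The 5-10 letter length is an assumption drawn from the
# single sample name in the post.
APPENDED = re.compile(r"^(?P<stem>.+)(?P<orig>\.[A-Za-z0-9]{2,5})\.(?P<tag>[a-z]{5,10})$")


def classify(path: Path) -> Optional[str]:
    """'renamed' for the appended-extension pattern, 'header-mismatch' for a
    document that kept its name but lost its magic bytes, None if it looks intact."""
    m = APPENDED.match(path.name)
    if m and m.group("orig").lower() in MAGIC:
        return "renamed"
    ext = path.suffix.lower()
    if ext in MAGIC:
        try:
            with open(path, "rb") as fh:
                head = fh.read(len(MAGIC[ext]))
        except OSError:
            return None
        if head != MAGIC[ext]:
            return "header-mismatch"
    return None


def triage(root: Path) -> dict:
    """Walk a share and list suspect files, counting the appended tags seen
    and the original extensions they were applied to."""
    report = {"renamed": [], "header-mismatch": [],
              "tags": Counter(), "orig_ext": Counter()}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            verdict = classify(p)
            if verdict is None:
                continue
            report[verdict].append(p.relative_to(root).as_posix())
            if verdict == "renamed":
                m = APPENDED.match(fn)
                report["tags"][m.group("tag")] += 1
                report["orig_ext"][m.group("orig").lower()] += 1
    return report


def build_sample_share() -> Path:
    """Constructed sample tree (not real data): two intact documents, two with
    the appended extension, one encrypted in place under its old name."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "ok.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    (root / "ok.pdf").write_bytes(b"%PDF-1.4\n")
    junk = bytes(range(128, 192))          # stands in for ciphertext
    (root / "report.DOCX.zpbjavl").write_bytes(junk)
    sub = root / "finance"
    sub.mkdir()
    (sub / "q1.xlsx.zpbjavl").write_bytes(junk)
    (sub / "notes.pdf").write_bytes(junk)  # name intact, header gone
    return root


if __name__ == "__main__":
    r = triage(build_sample_share())
    print("renamed:", r["renamed"])
    print("header mismatch:", r["header-mismatch"])
    print("tags:", dict(r["tags"]), "original types:", dict(r["orig_ext"]))
```

Run it against the mapped share from a clean machine with read-only access; the tag counter tells you whether one family (one tag) or several hit the share, and the header-mismatch list catches files that were encrypted without being renamed, which the extension pattern alone would miss.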

How to decrypt the files

Yes, finally: how to get your files back after Cryptolocker, Cryptowall and sometimes other copycats.
Just click on the links to go to the how-to pages they lead to.
  1. Use the Kaspersky decryption tool.
  2. Obtain the key from decryptolocker.com by scanning an encrypted file.
  3. Use the Panda ransomware decryption tool.
  4. Use this tool, specially designed for files encrypted by CryptoDefense.
  5. If you are infected with an older variant of the virus, any program that recovers deleted files will do the trick.
And now, how did I decrypt the files?
I simply didn't. I had the time to identify the virus, which is a copycat identical to Cryptolocker from what I see in the hex editor, but it uses another type of encryption, SHA512, which can take up to 300 trillion years to figure out the key on a good GPU, or, well, tons of money to rent a supercomputer, which I don't think is worth the files. One thing remaining is trying the tools above on the infected machine after connecting it back to the network, with a chance that the key is still in the registry, which I am not going to do because I will just send this page to their IT manager.


How to prevent this in the future

  1. A good antivirus that is always up to date.
  2. Limited accounts for users in your company/business.
  3. Back up your files regularly.
  4. Have some IT rules for users.
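Regular backups only help if the backup itself was not reached over the same mapped drive the virus scanned. The script below is an added example, not from the post: it records a SHA-256 manifest of a backup set and later re-verifies it, reporting files that still match, files whose contents changed, files that vanished and files that appeared. Rename-and-encrypt shows up as one missing plus one unexpected entry; encrypt-in-place shows up as a changed entry. The manifest path, the sample file contents and the way the damage is simulated in `demo()` are all constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_root: Path, manifest: Path) -> dict:
    """Hash every file in a backup set and store the table as JSON."""
    entries = {p.relative_to(backup_root).as_posix(): file_sha256(p)
               for p in sorted(backup_root.rglob("*")) if p.is_file()}
    manifest.write_text(json.dumps(entries, indent=1))
    return entries


def verify_backup(backup_root: Path, manifest: Path) -> dict:
    """Re-hash the backup and report what still matches the manifest, what
    changed, what vanished and what appeared."""
    expected = json.loads(manifest.read_text())
    result = {"ok": [], "changed": [], "missing": [], "unexpected": []}
    seen = set()
    for p in sorted(backup_root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(backup_root).as_posix()
        seen.add(rel)
        if rel not in expected:
            result["unexpected"].append(rel)
        elif file_sha256(p) == expected[rel]:
            result["ok"].append(rel)
        else:
            result["changed"].append(rel)
    result["missing"] = sorted(set(expected) - seen)
    return result


def demo() -> dict:
    """Constructed walk-through (not real data): take a manifest of a small
    backup, then damage the backup the way the post describes and re-verify."""
    backup = Path(tempfile.mkdtemp(prefix="backup_"))
    # The manifest lives in a separate location, standing in for offline storage.
    manifest = Path(tempfile.mkdtemp(prefix="offline_")) / "manifest.json"
    (backup / "contract.docx").write_bytes(b"PK\x03\x04" + b"contract body")
    (backup / "invoice.pdf").write_bytes(b"%PDF-1.4 invoice")
    (backup / "readme.txt").write_bytes(b"plain notes")
    write_manifest(backup, manifest)

    junk = bytes(range(128, 192))                                     # stands in for ciphertext
    (backup / "contract.docx").write_bytes(junk)                      # encrypted in place
    (backup / "invoice.pdf").rename(backup / "invoice.pdf.zpbjavl")   # renamed copy
    return verify_backup(backup, manifest)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10s} {v}")
```

Keep the manifest somewhere the backup job cannot write to (offline media or a separate account), and run the verification before relying on a backup for restore; a backup that verifies clean after the incident is the one worth restoring from.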
