
How to Decrypt Files Encrypted by Crypto Virus (Cryptolocker Cryptowall & others)

I faced this virus when a friend of mine asked for assistance. He works in an oil services company, and their shared files were compromised by a Cryptolocker copycat, which is actually harder than the original, well-known virus.

I will explain why it's harder.

How do cryptoware or ransomware viruses work

These viruses do a simple job: they scan your PC for any storage devices, including mapped network drives, then scan those for DOC, PDF and other types of documents, and in some cases pictures and videos.
After the scan they start encrypting the files. All of this happens silently, without you noticing anything. The virus uses a key to encrypt your files and sends that key to its creator; then it shows you a page demanding payment within 48 hours, or the key will be deleted and you will never get your files back.
In exchange for the key to get your files back, you pay an amount usually around $600.

Isn't that cool?

It was cool when the first gang created Cryptolocker; that gang is now in jail. Anyway, the group gave the database holding the keys to every locked machine in the world to the FBI, and a website to help people get their files back is online.
What is not cool right now is the number of copycats from developing countries that got the code or even made it themselves. They didn't cause as much damage around the globe as the original group, so nobody cares to catch them. One of the companies that got compromised is where my friend works; the files were encrypted by a copycat virus that nobody is talking about online, which makes me think they are the only ones who got infected.

There, I am the first to mention it now. The virus has a pattern of renaming extensions, for example from "file.DOCX" into "file.DOCX.zpbjavl".
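The rename pattern above (a known document extension with an unknown suffix appended, the same suffix on many files) is something a defender can check for across a file share before any ransom page appears. The following is an added example, not code from the post: it scans a file listing for that pattern and reports appended extensions that recur across several documents. The file names and the extension list are constructed for the example.

```python
import os
import re
from collections import Counter

# Document types the post says these viruses go after, plus a few common ones
# (constructed list; extend it for your own environment).
DOCUMENT_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
    ".jpg", ".jpeg", ".png", ".mp4", ".avi", ".txt", ".zip",
}
# Second extensions that legitimately follow a document extension.
BENIGN_SUFFIXES = {".bak", ".tmp", ".old", ".orig"}
# An appended ransomware extension: a dot and 3-12 letters/digits (".zpbjavl").
_APPENDED = re.compile(r"^\.[a-z0-9]{3,12}$", re.IGNORECASE)


def looks_renamed(filename):
    """Return the appended extension (lowercase) when `filename` matches the
    'file.DOCX.zpbjavl' pattern, otherwise None."""
    stem, appended = os.path.splitext(filename)
    if not _APPENDED.match(appended):
        return None
    if appended.lower() in DOCUMENT_EXTENSIONS or appended.lower() in BENIGN_SUFFIXES:
        return None
    _, original = os.path.splitext(stem)
    if original.lower() not in DOCUMENT_EXTENSIONS:
        return None          # no document extension underneath, e.g. "notes.html"
    return appended.lower()


def suspicious_extensions(filenames, min_hits=3):
    """Count appended extensions over a listing and return those seen on at
    least `min_hits` document files, most common first. One odd extension is
    noise; the same odd extension on many documents is the rename pattern."""
    counts = Counter()
    for name in filenames:
        ext = looks_renamed(name)
        if ext:
            counts[ext] += 1
    return [(ext, n) for ext, n in counts.most_common() if n >= min_hits]


# Constructed directory listing standing in for a shared drive.
SAMPLE_LISTING = [
    "Q3 budget.xlsx.zpbjavl", "contract.pdf.zpbjavl", "memo.DOCX.zpbjavl",
    "site-plan.pdf.zpbjavl", "readme.txt", "photo.jpg", "old-report.docx.bak",
    "DECRYPT_INSTRUCTIONS.html", "archive.tar.gz",
]

if __name__ == "__main__":
    for ext, n in suspicious_extensions(SAMPLE_LISTING):
        print(f"{n} document files renamed with appended extension {ext}")
```

On a live share, replace `SAMPLE_LISTING` with the output of `os.listdir` or `os.walk`; a non-empty result is a reason to unplug the share and stop the encrypting host, not to start copying files around.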

How to decrypt the files

Yes, finally: how to get your files back after Cryptolocker, Cryptowall and sometimes other copycats.
Just click on the links to go to the how-to pages they lead to.
  1. Use the Kaspersky decryption tool.
  2. Obtain the key from decryptolocker.com by scanning an encrypted file.
  3. Use the Panda ransomware decryption tool.
  4. Use this tool specially designed for files encrypted with CryptoDefense.
  5. If you are infected with an older variant of the virus, any program that recovers deleted files will do the trick.
And now, how did I decrypt the files?
I simply didn't. I had the time to identify the virus, which is a copycat identical to Cryptolocker from what I see in the hex editor, but it uses another type of encryption, SHA512, which can take up to 300 trillion years to figure out the key on a good GPU, or, well, tons of money to rent a supercomputer, which I don't think is worth the files. One thing remaining is trying the tools above on the infected machine after connecting it back to the network, with a chance that the key is still in the registry, which I am not going to do because I will just send this page to their IT manager.

How to prevent this in the future

  1. A good antivirus that is always up to date.
  2. Limited accounts for users in your company/business.
  3. Back up your files regularly.
  4. Have some IT rules for users.
