I will explain why it's harder.
How do cryptoware or ransomware viruses work
The virus does a simple job: it scans your PC for every storage device, including mapped network drives, then scans those for DOC, PDF and other document types, and in some cases pictures and videos.
After the scan it starts encrypting the files. All of this happens silently, without you noticing anything. It encrypts your files with a key and sends that key to the creator of the virus; then it shows you a page demanding payment within 48 hours, or the key will be deleted and you will never get your files back.
In exchange for the key to get your files back you pay an amount usually around $600.
Isn't that cool?
It was cool when the first gang created CryptoLocker. That operation has since been taken down by law enforcement, the database holding the keys for every locked machine in the world was recovered, and a website to help people get their files back is online.
What is not cool right now is the number of copycats from developing countries that got hold of the code or even wrote it themselves. They have not caused as much damage worldwide as the original group, so nobody bothers to catch them. One of the companies that got compromised is the one where my friend works: the files were encrypted by a copycat virus that nobody is talking about online, which makes me think they are the only ones who got infected.
So I am the first to mention it: the virus has a pattern of renaming extensions, for example from "file.DOCX" to "file.DOCX.zpbjavl".
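As an added example (this is not code from the original post, nor anything taken from the virus), here is a small Python scanner that walks a drive, including a mapped network drive, and flags files that look encrypted. It uses the two signals described above: the renamed-extension pattern ("file.DOCX.zpbjavl"), and document content that no longer starts with the header its extension promises. The suffix regex, the magic-byte table and the entropy threshold are my assumptions, and the sample files are constructed for the demo.

```python
"""Flag files that look encrypted by an extension-renaming ransomware.
Added example; the patterns and thresholds below are assumptions."""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Document types the post says ransomware goes after, with the bytes a genuine
# file of that type starts with (DOCX is a ZIP container, hence "PK").
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}

# The copycat appended a random lowercase suffix behind the real extension
# ("file.DOCX" -> "file.DOCX.zpbjavl"). Assumption: 5-10 lowercase letters;
# adjust to the samples you actually have.
RENAMED_RE = re.compile(r"^(.+\.(docx|pdf|jpg|png))\.([a-z]{5,10})$", re.IGNORECASE)

HIGH_ENTROPY = 7.0  # bits per byte; ciphertext is close to 8.0, plain text 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 4096) -> dict:
    """Describe one file: renamed by the virus? header matches extension?
    how random do the first sample_size bytes look?"""
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    match = RENAMED_RE.match(path.name)
    ext = ("." + match.group(2).lower()) if match else path.suffix.lower()
    expected = MAGIC.get(ext)
    return {
        "path": str(path),
        "renamed": match is not None,
        "tracked": expected is not None,
        "magic_ok": expected is not None and head.startswith(expected),
        "entropy": round(shannon_entropy(head), 2),
    }


def is_suspect(info: dict) -> bool:
    """A renamed document is suspect outright. A document that kept its name
    is suspect only when its header is wrong AND its content looks like
    ciphertext, so a merely corrupt file is not flagged."""
    if info["renamed"]:
        return True
    return info["tracked"] and not info["magic_ok"] and info["entropy"] >= HIGH_ENTROPY


def find_suspects(root) -> list:
    """Walk root (a local disk or a mapped network drive such as Z:\\) and
    return the classification of every file that looks encrypted."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            info = classify(Path(dirpath) / name)
            if is_suspect(info):
                hits.append(info)
    return sorted(hits, key=lambda info: info["path"])


def build_sample_tree(base) -> Path:
    """Constructed sample data: two clean documents, the renamed ciphertext
    copy of one of them, an image encrypted in place, and an untracked file."""
    base = Path(base)
    ciphertext = bytes(range(256)) * 16  # 4096 bytes at exactly 8.0 bits/byte
    (base / "report.docx").write_bytes(b"PK\x03\x04" + b"word/document.xml " * 100)
    (base / "report.docx.zpbjavl").write_bytes(ciphertext)
    (base / "notes.pdf").write_bytes(b"%PDF-1.4\n1 0 obj << /Type /Catalog >>\n" * 20)
    (base / "photo.jpg").write_bytes(ciphertext)
    (base / "readme.txt").write_text("just a text file\n" * 50)
    return base


def demo() -> list:
    """File names the scan flags in the constructed tree."""
    with tempfile.TemporaryDirectory(prefix="ransom-demo-") as tmp:
        return [Path(i["path"]).name for i in find_suspects(build_sample_tree(tmp))]


if __name__ == "__main__":
    for name in demo():
        print("suspect:", name)
```

Run it against the infected machine's drives while it is still off the network, and save the list of flagged paths before attempting any recovery: it tells you which files to feed to the decryption tools and which extension pattern to search for on other machines. A genuine DOCX or PDF also has high-entropy content (both are compressed), which is why the content check only fires when the header is wrong as well.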
How to decrypt the files
Yes, finally: how to get your files back after CryptoLocker, CryptoWall and sometimes other copycats.
Each item below leads to the how-to page for that tool.
- Use the Kaspersky decryption tool.
- Obtain the key from decryptolocker.com by submitting an encrypted file.
- Use the Panda ransomware decryption tool.
- Use this tool specially designed for files encrypted with CryptoDefense.
- If you are infected with an older variant, any program that recovers deleted files will do the trick: those variants wrote an encrypted copy and deleted the original instead of overwriting it in place, so the original is often still on the disk. Write as little as possible to that disk before you try, or the deleted originals get overwritten.
And now, how did I decrypt the files?
I simply didn't. I had the time to identify the virus, which is a copycat identical to CryptoLocker from what I see in the hex editor, but it uses another type of encryption, SHA512, which can take up to 300 trillion years to figure out the key on a good GPU, or tons of money to rent a supercomputer, which I don't think is worth the files. One thing remaining is trying the tools above on the infected machine after connecting it back to the network, with a chance that the key is still in the registry, which I am not going to do because I will just send this page to their IT manager.
How to prevent this in the future
- A good antivirus that is always up to date.
- Limited (non-administrator) accounts for users in your company/business, so an infection running as that user can only encrypt the files that user can write to.
- Back up your files regularly, and keep the backups somewhere the virus cannot reach: it encrypts mapped network drives too, so a backup sitting on a permanently mapped share is no backup.
- Have some IT rules for users.