FireEye, Fox-IT release tool to help victims of CryptoLocker ransomware


FireEye and Fox-IT last week unveiled a free service that aims to assist victims of CryptoLocker ransomware. Dubbed DecryptCryptoLocker, the website hosts a recovery app that can recover CryptoLocker-encrypted files with the use of the correct private key. Due to reverse-engineering work done by the researchers, this private key can be retrieved by uploading any encrypted file from each affected system and furnishing an email address for the secret key to be delivered to.

"Through various partnerships and reverse engineering engagements, Fox-IT and FireEye have ascertained many of the private keys associated with CryptoLocker. Having these private keys allows for decryption of files that are encrypted by CryptoLocker," explained an entry on the FireEye blog.

As we reported late last year, it was estimated by security vendor Bitdefender that the CryptoLocker malware is infecting more than 10,000 victims on a weekly basis. Up to 500,000 victims are believed to be snared to date, with an estimated 1.3% of CryptoLocker victims having paid the ransom. That figure means the operators may have generated revenue as high as $3 million.

The many CryptoLocker hybrids, which range from programs such as CryptoDefense, PowerLocker, TorLocker and CryptorBit to other unnamed variants, mean that recovery is not guaranteed due to differences in implementations. In addition, the requisite decryption key may simply not be in the database.

"There are several variants of CryptoLocker, all functioning in different ways. While these variants do appear similar to CryptoLocker, the tools discussed here may not successfully decrypt files encrypted by every variant because of differences in the programs or for other reasons," researchers from FireEye wrote. "Also, while we have many unlocking keys, there is a possibility that we will be unable to decrypt your files."

Finally, it is worth noting that the decryption tool is a command-line application, so users who are less computer-savvy may want to seek the help of their IT departments or IT-savvy friends before proceeding.

The Fierce Take: Ransom malware such as CryptoLocker can affect SMBs and enterprises alike, since data on shared storage could also end up being forcibly encrypted. Obviously, regular data backups could reduce or eliminate the damage caused by such malware.

For more:
- check out this article at ZDNet
- check out this article at Ars Technica
