How to recover from a CryptoLocker attack

CryptoLocker is a trojan which targets computers running Microsoft Windows. It may come in several forms, often disguised as a legitimate email attachment. Or, it may be uploaded to a computer already recruited to a botnet during a previous trojan infection.

When activated, CryptoLocker encrypts files (e.g., photos and those with Microsoft Office, OpenDocument, and AutoCAD file extensions) using RSA public key cryptography and with the private key stored only CryptoLocker’s control servers. This renders the files inaccessible to the user.

Next, CryptoLocker displays a message which offers to decrypt the data if a payment (usually by Bitcoin and averaging about $300.00 US) is made by a deadline. The message also threatens to delete the RSA private key if the deadline passes. If the deadline is not met, the malware offers to decrypt the files via an online service provided by the malware’s operators, for a significantly higher price.

The CryptoLocker ransom demand.

The CryptoLocker ransom demand.

This kind of trojan is known as ransomware because the user’s files are held captive (encrypted and inaccessible) until the demanded sum is paid. CryptoLocker has hit over 600,000 computer systems worldwide as of this writing and, although the CryptoLocker application itself can be readily removed from infected systems, the files remained encrypted in a way which was almost impossible to reverse.

Until now.

DecryptCryptoLocker is a free service jointly developed by researchers at FireEye and Fox-IT that allows anyone who has been hit with a CryptoLocker attack to regain access to their files.


The DecryptCryptoLocker home page.

After providing an email address and uploading a file (preferably, one that does not contain any sensitive information) encrypted by CryptoLocker, users are emailed a master decryption key along with a download link to a recovery program that can be used to repair the encrypted files.

Each infected system will require its own unique master decryption key. So, if a user has multiple systems compromised by CryptoLocker, he will need to repeat this procedure for each compromised system.

Facebooktwittergoogle_pluspinterestlinkedintumblrmail  rss