CryptoLocker victims can recover encrypted files

News by Doug Drinkwater

A new online portal allows the estimated 545,000 CryptoLocker victims to freely recover files that were encrypted by the ransom-demanding malware.

Security researchers at malware defence company FireEye and Netherlands-based outfit Fox-IT built the online portal after obtaining a copy of CryptoLocker's victim database following the take-down of the Gameover Zeus botnet – which was used to distribute the ransomware – three months ago.

A spokesperson for FireEye said that a back-up of CryptoLocker was transferred to their infrastructure after the take-down, at which point they discovered the database of private encryption keychains.

The DecryptCryptoLocker tool is available free online and lets users identify a CryptoLocker-encrypted file, upload it to the portal, and receive the matching private key together with a link to download the decryption tool, which runs locally on their PC. Running the tool locally with that private key, they should then be able to decrypt the files on their PC's hard drive.

FireEye officials have advised people to not submit files that contain sensitive or personally-identifiable information.

CryptoLocker is reported to have infected some 545,000 users on Windows PCs but was famously disrupted back in May, when various law enforcement agencies clubbed together in ‘Operation Tovar’ to take control of the malware's command-and-control (C&C) infrastructure, as well as that controlling Gameover Zeus.

The attack required users to pay ransoms of £327, £317 or the equivalent in the Bitcoin virtual currency within 72 hours in order to get their files back unencrypted. Failure to pay the ransom within that time would result in the master encryption key being destroyed, meaning that users would lose the files for good.

It is estimated that only 1.3 percent of victims paid the ransom – most were able to restore their files from back-up – but this was still enough for the cyber-criminal group behind the malware to net around US$3 million (£1.78 million). It's worth noting, however, that the value of Bitcoin has fluctuated widely in recent times.

The take-down saw the FBI charge alleged ringleader Evgeniy Bogachev, who is now believed to be living in Russia.

In recent times, new versions of both Gameover and CryptoLocker have emerged, with cyber-criminals quickly moving onto new infrastructure.

Pete Wood, IT security consultant and CEO of UK-based pentester First Base Technologies, said that the news is the latest sign that cyber-criminals ‘can't get away with everything’, even if they are using anonymising technologies and operating across numerous jurisdictions, and added that it shows how cyber-crime collaboration continues to improve in the public and private sector.

“It's tremendous news – I've always been a great supporter of working with law enforcement as well as you can. It's part of the social responsibility you've got to have in this space. If we can form strong links with the National Crime Agency (NCA), the Met and security services, we can all move in the same direction,” Wood told SC, adding that he was also encouraged that the two companies were educating users not to upload sensitive documents that could contravene the Data Protection Act or conflict with commercial interests.

But he warns that cyber-criminals are unlikely to give up on CryptoLocker, especially given its financial success.

“I would imagine so,” said Wood, on the possibility that criminals would continue to develop new iterations of the malware. “I don't imagine they would get off it that easily with it being such a successful criminal product.”

In an email to SC, veteran security researcher Graham Cluley agreed: “The criminals behind CryptoLocker won't have just rolled onto their backs and given up when their CryptoLocker revenue stream was disrupted. They'll be looking for other ways to make money.”

Wood added that while FireEye and Fox-IT had obtained the private keys, breaking the encryption algorithm behind CryptoLocker would be another thing entirely, and said that the threat actors may also have learnt something from the take-down in May.

Jonathan Care, a UK-based security technologist and architect, agreed with Wood, saying, “It's good to see security companies like FireEye and Fox-IT standing up and providing this service to the community.” He told SC by email: “What would be even better would be if they were willing to release the solution itself. Open source disclosure of ‘this is how we beat the bad guys’ strengthens the defensive security community as a whole, and puts the bad guys on notice that their tricks are being exposed to the light of public scrutiny.”

Writing on Virus Bulletin, meanwhile, security researcher Martijn Grooten warned that businesses shouldn't take this as a sign that the encryption itself has been cracked.

“While this is certainly good news for those who have had their files encrypted with this ransomware, it is important to note that the encryption itself still hasn't been cracked. Moreover, following the ‘success’ of CryptoLocker, many copycats have sprung up (even including one targeting NAS devices).”
