How To Recover A CryptoLocker Infected Hard Drive

CryptoLocker is ransomware that is both simple and devastating. Up until now, computers affected by CryptoLocker were unusable unless you paid the demanded ransom.

We have already covered what CryptoLocker is. In short, it is a ransomware trojan specifically designed to infect computers running the Windows operating system. Once a computer is infected, it encrypts all the data present in local storage, mapped network drives and any mounted removable drives using 2048-bit RSA public key cryptography, essentially rendering all the files unusable. Unless you pay the ransom (300 USD or equivalent Bitcoins), you won’t be able to get your files back.


Up until now, there was no way to recover the data encrypted by CryptoLocker.

That has changed thanks to the researchers at Fox-IT and FireEye, who managed to recover the private encryption keys, and to Kyrus Technologies, which built the actual decryption engine. Combining their efforts, these security firms launched a website that CryptoLocker victims can use to decrypt their encrypted files free of charge.

To decrypt your CryptoLocker-encrypted files, just head over to decryptcryptolocker.com. In order to find the decryption key, you need to submit a sample encrypted file and your email address so that the website can send you the decryption key and the free program to decrypt the encrypted files. Don’t worry, your email address will not be used for any marketing purposes (according to the website). Only upload files that contain no sensitive information.

So go ahead: enter your email address, click the “Choose file” button, select a sample CryptoLocker-encrypted file, enter the CAPTCHA code and click the “Decrypt” button.


Once you have submitted the sample file, the file will be processed and the website will send you the decryption key (private key) along with a link to download the decryption program.


Once you have received the decryption key and the decryption tool via email, launch the decryption tool and use the command below to start decrypting your encrypted files.

Decryptolocker.exe --key "<key>" <Lockedfile.doc>

Unfortunately, the tool provided doesn’t automatically decrypt all the files on your PC; you have to decrypt one file at a time unless you know how to automate things using Windows PowerShell or batch scripting. You can find more information on CryptoLocker decryption on FireEye’s website.
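
One way to automate the per-file command above with Windows PowerShell, as an added example that is not from the original article or from the tool's authors. The script's parameter names, the sample tool path and the log file name are assumptions, as is the tool's behaviour (rewriting each file in place and returning exit code 0 on success); run it against a copy of the encrypted data.

```powershell
# Added example: batch wrapper for the single-file command shown in the article.
# Assumptions (not confirmed by the article): the tool rewrites each file in
# place, exit code 0 means success, and the key fits on one command line.
param(
    [Parameter(Mandatory)] [string] $ToolPath,  # hypothetical: C:\Tools\Decryptolocker.exe
    [Parameter(Mandatory)] [string] $KeyFile,   # text file holding the key from the email
    [Parameter(Mandatory)] [string] $WorkDir,   # a COPY of the encrypted files
    [string] $LogPath = (Join-Path $PWD 'decryptolocker-log.csv')
)

$key = (Get-Content -LiteralPath $KeyFile -Raw).Trim()

$results = foreach ($file in Get-ChildItem -LiteralPath $WorkDir -Recurse -File) {
    # Hash before and after so the log shows whether the tool touched the file,
    # independent of whatever exit code it returns.
    $before = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Same arguments as the manual command; ASCII hyphens, PowerShell quotes the values.
    $output = & $ToolPath --key $key $file.FullName 2>&1 | Out-String
    $exit   = $LASTEXITCODE

    $after = $null
    if (Test-Path -LiteralPath $file.FullName) {
        $after = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Path       = $file.FullName
        ExitCode   = $exit
        Changed    = ($before -ne $after)
        ToolOutput = $output.Trim()
    }
}

$results | Export-Csv -LiteralPath $LogPath -NoTypeInformation -Encoding UTF8

# Summary: files the tool left untouched or reported an error on need manual review.
$failed = @($results | Where-Object { -not $_.Changed -or $_.ExitCode -ne 0 })
"{0} files processed, {1} need review (see {2})" -f @($results).Count, $failed.Count, $LogPath
```

If the tool turns out to write its output to a new file instead of modifying the original, the Changed column will read False for every row and the check should compare against that output file instead.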

CryptoLocker is nasty malware which feeds on users’ precious data. If you are infected by CryptoLocker, you can use the above service to get your files back. In addition, make sure you are using good anti-virus software to protect yourself from any future attacks. Do note that even though this process (hopefully) works with CryptoLocker, it may not be able to decrypt files encrypted by CryptoLocker variants like CryptoBit, CryptoDefense, etc.