Good news for anyone affected by Cryptolocker. IT security firms FireEye and Fox-IT have launched a long-awaited service to decrypt files held hostage by the notorious ransomware.

This comes shortly after researchers working for Kyrus Technology released a blog post detailing how CryptoLocker works, as well as how they reverse engineered it to acquire the private key used to encrypt hundreds of thousands of files.

The CryptoLocker trojan was first discovered by Dell SecureWorks last September. It works by encrypting files that have specific file extensions, and only decrypting them once a ransom of $300 has been paid.

Although the network that served the Trojan was eventually taken down, thousands of users remain separated from their files. Until now.

Have you been hit by Cryptolocker? Want to know how you can get your files back? Read on for more info.

Cryptolocker: Let’s Recap

When Cryptolocker first burst on the scene, I described it as the ‘nastiest malware ever’. I’m going to stand by that statement. Once it gets its hands on your system, it’ll seize your files with near-unbreakable encryption and charge you a small fortune in Bitcoin to get them back.

It didn’t just attack local hard drives, either. If there was an external hard drive or a mapped network drive connected to an infected computer, it too would be attacked. This caused havoc in businesses where employees often collaborate and share documents on network attached storage drives.

The virulent spread of CryptoLocker was also something to behold, as was the phenomenal amount of money it pulled in. Estimates range from $3m to a staggering $27m, as victims paid the ransom that was demanded en-masse, eager to get their files back.

Not long after, the servers used to serve and control the Cryptolocker malware were taken down in ‘Operation Tovar’, and a database of victims was recovered. This was the combined effort of police forces from multiple countries, including the US, the UK, and most European countries, and saw the ringleader of the gang behind the malware indicted by the FBI.

Which brings us to today. CryptoLocker is officially dead and buried, although many people are still unable to access their seized files, especially now that the payment and control servers have been taken down as part of Operation Tovar.

But there’s still hope. Here’s how CryptoLocker was reversed, and how you can get your files back.

How Cryptolocker Was Reversed

After Kyrus Technologies reverse engineered CryptoLocker, the next thing they did was to develop a decryption engine.

Files encrypted by CryptoLocker follow a specific format. Each file is encrypted with an AES-256 key that is unique to that particular file. That per-file AES key is then itself encrypted with the public half of an RSA-2048 key pair, an algorithm that is, for practical purposes, impervious to brute force.

The RSA key pair is unique to your computer, not to the encrypted file. This, combined with an understanding of the file format used to store encrypted files, meant that Kyrus Technologies were able to create an effective decryption tool.

But there was one problem. Although there was a tool to decrypt files, it was useless without the private keys: the per-file AES key can only be unwrapped with the RSA private key that matches the public key used on that machine, so the private key was the only way to unlock a file encrypted by CryptoLocker.
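The two-layer format described above is easier to reason about in code. The following is an added example, not code from the article, FireEye, Fox-IT or Kyrus: a stdlib-only model in which a per-file key encrypts the body and the machine's RSA public key wraps that file key, so that only the matching private key can recover anything. Textbook RSA with small generated primes stands in for RSA-2048, a SHA-256 counter-mode keystream stands in for AES-256, and the `CLCK` container layout is constructed for illustration; none of these are CryptoLocker's real parameters.

```python
"""Toy model of a per-file key wrapped by a per-machine RSA key (constructed example)."""
import hashlib
import random
import struct

KEY_BYTES = 32  # length of the per-file key, mirroring AES-256


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin probable-prime test (enough for a toy key pair)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_machine_keypair(seed=None, bits: int = 160):
    """One RSA pair per victim machine. Toy size: 2 x 160-bit primes, not 2048-bit."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))  # (public, private)


def _keystream(file_key: bytes, length: int) -> bytes:
    """Stand-in for AES-256: SHA-256(file_key || counter) blocks, XORed with the body."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(file_key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(plaintext: bytes, public_key, rng=None) -> bytes:
    """Fresh per-file key, wrapped with the machine's public key, then the encrypted body."""
    n, e = public_key
    rng = rng or random.SystemRandom()
    file_key = rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")
    wrapped = pow(int.from_bytes(file_key, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(file_key, len(plaintext))))
    return b"CLCK" + struct.pack(">H", len(wrapped)) + wrapped + body


def decrypt_file(container: bytes, private_key) -> bytes:
    """What a decryptor needs: the private key unwraps the file key; the file key unlocks the body."""
    n, d = private_key
    if container[:4] != b"CLCK":
        raise ValueError("not a CryptoLocker-style container")
    (wrapped_len,) = struct.unpack(">H", container[4:6])
    wrapped = int.from_bytes(container[6:6 + wrapped_len], "big")
    key_int = pow(wrapped, d, n)
    if key_int >= 1 << (KEY_BYTES * 8):  # a mismatched private key yields an out-of-range value
        raise ValueError("private key does not unwrap this file key")
    body = container[6 + wrapped_len:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key_int.to_bytes(KEY_BYTES, "big"), len(body))))


def demo() -> dict:
    """Right key recovers the file; a different machine's key does not (constructed sample data)."""
    pub, priv = generate_machine_keypair(seed=1)
    _, other_machine_priv = generate_machine_keypair(seed=2)
    doc = b"Quarterly report - constructed sample plaintext"
    locked = encrypt_file(doc, pub, random.Random(7))
    try:
        wrong_key_recovers = decrypt_file(locked, other_machine_priv) == doc
    except ValueError:
        wrong_key_recovers = False
    return {"plaintext": doc, "recovered": decrypt_file(locked, priv), "wrong_key_recovers": wrong_key_recovers}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the article makes: the container itself carries everything except the private key, so a decryptor and the file format knowledge were never enough on their own, and a key from a different machine's pair is as useless as no key at all.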

Thankfully, FireEye and Fox-IT have acquired a significant proportion of the Cryptolocker private keys. Details about how they managed this are thin on the ground; they simply say they got them through ‘various partnerships and reverse engineering engagements’.

This library of private keys and the decryption program created by Kyrus Technologies means that victims of CryptoLocker now have a way to get their files back, and at no cost to them. But how do you use it?

Decrypting A CryptoLocker Infected Hard Drive

First, browse to decryptcryptolocker.com. You’re going to need a sample file that has been encrypted with the Cryptolocker malware to hand.

Then, upload it to the DecryptCryptoLocker website. This will then be processed, and (hopefully) the private key associated with the file will be emailed to you.

Then, it’s a matter of downloading and running a small executable. This runs on the command line, and requires that you specify the file you wish to decrypt, as well as your private key. The command to run it is:

Decryptolocker.exe -key "<key>" <Lockedfile.doc>

Just to reiterate: this won’t automatically run on every affected file. You’ll need to either script it with PowerShell or a batch file, or run it manually on a file-by-file basis.
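Since the tool works on one file at a time, the loop around it is where mistakes happen (a file skipped, a failure lost in scrollback). The script below is an added example, not code from the article or from FireEye/Fox-IT: a Python wrapper that collects candidate files by extension, runs the tool once per file, and reports which files it could not process. It assumes only what the article shows, the `Decryptolocker.exe -key "<key>" <file>` invocation; the exit-code convention (0 = success), the `--dry-run` flag and the sample extension list are assumptions of this example, not documented behaviour of the tool.

```python
"""Run a per-file command-line decryptor over a folder (constructed example wrapper)."""
import subprocess
import sys
from pathlib import Path
from typing import Callable, Dict, Iterable, List

# Constructed sample list: the article says CryptoLocker targeted "specific
# file extensions" but does not enumerate them; adjust to what you actually see.
EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".jpg")
DEFAULT_TOOL = "Decryptolocker.exe"


def build_command(key: str, locked_file, tool: str = DEFAULT_TOOL) -> List[str]:
    """Argument list equivalent to: Decryptolocker.exe -key "<key>" <Lockedfile.doc>.
    Passing a list to subprocess avoids shell quoting problems with the key."""
    return [tool, "-key", key, str(locked_file)]


def collect_targets(root: Path, extensions: Iterable[str] = EXTENSIONS) -> List[Path]:
    """Every file under root whose extension is in the list, in a stable order."""
    wanted = {ext.lower() for ext in extensions}
    return sorted(p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in wanted)


def run_decryptor(cmd: List[str]) -> int:
    """Real runner: spawn the tool and return its exit status (assumed 0 = success)."""
    return subprocess.run(cmd, check=False).returncode


def decrypt_all(files: Iterable, key: str, runner: Callable[[List[str]], int] = run_decryptor,
                tool: str = DEFAULT_TOOL) -> Dict[str, list]:
    """Invoke the tool once per file; keep going past failures and report both lists."""
    results: Dict[str, list] = {"ok": [], "failed": []}
    for f in files:
        code = runner(build_command(key, f, tool))
        (results["ok"] if code == 0 else results["failed"]).append(f)
    return results


def _dry_run(cmd: List[str]) -> int:
    """Print what would run instead of running it; treated as success."""
    print(" ".join(cmd))
    return 0


if __name__ == "__main__":
    # usage: python decrypt_all.py "<key>" <folder> [--dry-run]
    if len(sys.argv) < 3:
        sys.exit('usage: decrypt_all.py "<key>" <folder> [--dry-run]')
    key, root = sys.argv[1], Path(sys.argv[2])
    targets = collect_targets(root)
    summary = decrypt_all(targets, key, runner=_dry_run if "--dry-run" in sys.argv else run_decryptor)
    print(f"decrypted: {len(summary['ok'])}  failed: {len(summary['failed'])}")
    for f in summary["failed"]:
        print(f"  failed: {f}")
```

Run it against a copy of the encrypted files rather than the only copy, and use `--dry-run` first to confirm the file list is the one you intend; the failed list at the end is the set of files to look at by hand, which is exactly what a manual file-by-file run loses track of.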

So, What’s The Bad News?

It’s not all good news though. There are a number of new variants of CryptoLocker that continue to circulate. Although they operate in a similar fashion to CryptoLocker, there’s no fix for them yet, other than paying the ransom.

More bad news. If you’ve already paid the ransom, you’re probably never going to see that money ever again. Although there have been some excellent efforts made at dismantling the CryptoLocker network, none of the money earned from the malware has been recovered.

There’s another, more pertinent lesson to be learned here. A lot of people made the decision to wipe their hard drives and start afresh rather than pay the ransom. This is understandable. However, these people will not be able to take advantage of DeCryptoLocker to recover their files.

If you get hit with similar ransomware and you don’t want to pay up, you might want to invest in a cheap external hard drive or USB drive and copy your encrypted files over. This leaves open the possibility of recovering them at a later date.

Tell Me About Your CryptoLocker Experience

Were you hit by Cryptolocker? Have you managed to get your files back? Tell me about it. The comments box is below.

Photo Credits: System Lock (Yuri Samoiliv), OWC external hard drive (Karen).

  1. Sven B. Svensson
    October 31, 2016 at 12:17 pm

    Thanks a lot for your informative article. I was hit by this cryptolocker and I sent the laptop to our IT headquarters and they couldn't do anything about it, I'm afraid.
    So I'm stuck with finding out myself if there is a possibility to get my files back without paying a fortune for it. I tried to access the decryptolocker website but the link was dead.

  2. Ayobami
    September 7, 2016 at 5:32 pm

    I have been hit by almost the same, crypmic ransomware, I don't know what to do

  3. Steve
    July 7, 2016 at 10:04 am

    Has anyone found a new site that will decrypt the Cryptolocker files???

  4. Morson
    April 26, 2016 at 9:02 pm

    If the key were sent to the owner from my private LAN network, is there any way to take it over?
    I mean, what does it look like for my home router? If someone is using a sniffer and saves logs of all traffic, is there a possibility to transform the logs into rainbow tables?
    If I recover some deleted files and try to do a dictionary attack on an encrypted file and compare the healthy checksums with the result of decoding, is there any possibility to make it work?

  5. bob
    April 14, 2016 at 7:22 am

    This was posted today and the link doesn't work? WTF man.

  6. Terry
    March 15, 2016 at 2:52 am

    TERRY........If you have Carbonite they can go back to a point in time before your infection date and restore your files. Good News!

  7. Thomas
    January 21, 2016 at 4:33 pm

    I see the Decryptolocker page is gone. I submitted a file of mine there and it came back with nothing, hence I believe I have one of the variants.

    Do I have any chance of getting my files back?

    PLEASE help!

  8. Daphne Patch
    October 17, 2015 at 4:09 pm

    Any reason why I can't open the DecryptCryptoLocker website? Hoping to get some of my pictures back.

  9. David Haynes
    July 30, 2015 at 9:30 am

    My name is Taft David Haynes, my email is taftdavidhaynes@hotmail.com; if you have any information that can help me please email me. I had just a few corrupted jpeg images. I did a search and found a jpeg repair download. I can't remember the name of it, but I know that is how I got the cryptolocker virus. My Malwarebytes Anti-Malware software tried to warn me; it said the download was suspicious, it didn't say dangerous or harmful, just suspicious. So I made the mistake of ignoring my warning. Big, Big, Big mistake. I had downloaded the cryptolocker virus. It even told me its name, and it titled many of my files as Cryptolocker. I found the FireEye website. I uploaded a file to them at decryptcryptolocker.com. However after it scanned the file it said I did not have the cryptolocker virus. All my personal files are encrypted. Also on thousands and thousands of non-personal files it says HELP RESTORE FILE all throughout just about every program, every file, everywhere on my system. I ran my Malwarebytes program and my laptop works but I still need help.

  10. Bill Wakefield
    July 10, 2015 at 4:33 pm

    The decryptcryptolocker.com website has been taken down by Fix it and FireEye (WHY WOULD THEY TAKE IT DOWN!) Anyone have any other locations for the keys?

    Thanks

  11. Sourabh Trehan
    June 21, 2015 at 8:45 pm

    Hi
    Recently, in May 2015, I got hit by cryptolocker
    All my files are encrypted now
    I don't have any backup of my files
    I uploaded encrypted files to decryptolocker but it says, "The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file"
    Please somebody help
    I really need those files
    My email id is sourabh.trehan22@gmail.com

  12. Vito Scaletta
    June 20, 2015 at 6:58 am

    Unfortunately my data has been infected through an email hastily opened :( Instructions in txt messages added to every folder I have said it was an RSA-2048 Cryptolocker. I tried to upload my files to get my unique key, but the site doesn't recognize them and says "this is not a cryptolocker infected file" :(

  13. Russ Goeckner
    June 18, 2015 at 4:49 pm

    We are fairly certain that our infection came from an email that an office girl opened in haste. Other than the OS, everything is unusable. Our file extensions have not been changed though, and we can even open documents, but they are unreadable. I tried to upload several to the Decryptolocker site but it says they are not infected with Cryptolocker. I think we have a new strain of it.

  14. Vandana
    May 19, 2015 at 6:11 pm

    Hit very badly, all files which could be encrypted have been, and I am just not able to decrypt files: tried FireEye, Panda, decrypt_dblblock, rannohdecryptor.exe. Now what? In fact I don't even know which specific virus has hit, since the file names stay the same as the original and do not get appended by anything, and on the desktop there is no html with the list of affected files.

  15. John
    May 8, 2015 at 6:46 pm

    Just been hit with what seems to be the Cryptolocker as all files are encrypted with an "EXX" file extension. Anyone got an answer?

    • Ken
      May 9, 2015 at 9:29 pm

      John, I was also hit this week with what seems to be Cryptolocker - same file extension "exx" added to the end of each file. I have a USB backup with all my photos and video files, but have not checked it yet to see if it was also infected. I have critical Excel and Word files etc... that I'm certain are encrypted, but were not backed up. I am not 100% sure how to first remove the virus from the Registry entries etc... I understand there may be a registry variable that keeps a list of the infected files by name. If the virus is removed, does the list of infected files go away. I shut my computer down when it was using 100% of the CPU power. I tried to right click to get Task manager up to see what was going on, but it wouldn't load. I am now concerned about starting the computer again and having the virus kick off and encrypt more files. I understand it may even run in "Safe Mode". I never saw the Red box alert, but I did restart my computer once thinking it would stop whatever had been running, and I got a text box message similar to Notepad on my Desktop with essentially the same message that others received via the wallpaper. It said I was hit with high end encryption RSA-2048 and requested 2 bitcoins. It also mentioned something about a Tor Browser.

      It would be helpful if someone could outline the steps to removing the virus (Win 7 Pro). I understand Malwarebytes may remove it, but there are so many versions - Free, Premium - not sure which to use. I am running McAfee Total Protection, but that doesn't seem to have saved me from this demon.

      Also I had a USB drive attached to my desktop (for backup) and I don't know if any files were impacted yet. I am concerned about attaching it to my laptop. If files were encrypted, is there a way for it to spread to my laptop? Can I protect my laptop before attaching the USB drive to it to look at the files?

      Proposed steps for recovery: (please submit your suggestions)
      1- download software to remove virus (which one?) 2- copy all untouched files to a new clean USB drive 3- look for shadow files of encrypted files 4- upload an encrypted file to the FireEye Fox IT site to see if there is a key available to decrypt my files.

      For the record I am embarrassed to say I received a pop-up that was a Microsoft Install message, stating Microsoft needed to update "something". I clicked on no about 12 times, and it wouldn't go away. The red X in the top corner didn't work either. I clicked on the link to check the security certificate, and it had a simple tree of three layers stating everything was certified and up to date by Microsoft. Finally I got fed up and clicked Yes to install/update - a decision I will regret for some time....

      Any and all help is appreciated!!

  16. Erik
    May 8, 2015 at 5:51 pm

    Guys, do you know, if you wipe out your whole computer, can your computer get infected from Google Drive (which now is decrypted for me)?

    Best Regards

  17. David
    May 8, 2015 at 1:50 pm

    My computer would not go on the internet, so I took it back to Best Buy, it was still under warranty. They said it was infected with Cryptolocker, and that was why it wouldn't go on the internet. All of my other devices work off of the modem and wi-fi, so it is just the one computer. If it is Cryptolocker, how do I fix it if I can't get on the net? David

  18. Smith
    May 6, 2015 at 7:20 am

    Hey I got hit with cyberlocker last week and I just found out today, 5.4.15. I was not aware of it. It gave me a ransom to pay within 72 hours or so. Since it has been over 72 hours, I lost all of my files. What can I do to get them back? Help.... I hope the programmer of the virus would be killed soon.

    • Gravedigger
      August 15, 2016 at 8:27 pm

      I´ve saved a few really hot 23grains VVN110.44Rem.Mags hollowpoints. Man. Unmarked grave for you buddyi.

  19. Peter L
    April 29, 2015 at 10:04 am

    Have tried to upload a few infected files on decryptcryptolocker.com.
    However the program is claiming that the file is not encrypted!

    • Ignasi
      April 29, 2015 at 9:13 pm

      Hello all!! I have the same problem as Peter L, Telle... and some others!! Heeeelp!! Please Peter tell me if you've found a solution!!
      Best Regards!
      Ignasi

  20. Telle
    April 28, 2015 at 7:50 pm

    Same issue as reported by others for a client, encrypted files that are not recognised by the decryptolocker website. Files appear with a .encrypted extension. It seems to be "Crypt0l0cker"

  21. Peter L
    April 28, 2015 at 12:57 pm

    Hi!
    Got hit after (by error) opening the zip file in the mail below with the title "your account xxxx has been banned". This meant that most files on local hard drives and USB drives were encrypted and renamed with the extension ylvkmsk.
    Fortunately the backup file on USB was not encrypted, so lesson learned here is that USB should only be mounted during backup!

    Details of mail:
    Subject: FW: Your account #111342333972 has been banned
    From: Cary Lagonia [mailto:priorizing@arbaspaa.com]
    Sent: 2015年4月27日 19:11
    To: T3-6300-China
    Subject: Your account #111342333972 has been banned

    Your account #111342333972 was banned for violation of our TOS.
    Please see attached.

    ===
    Cary Lagonia
    Zeißstr. 14 30519 Hannover
    GERMANY
    +49 511 83 90 88
    Hannover
    +49 511 87 37 29

  22. Dhananjay Chauhan
    April 19, 2015 at 11:12 pm

    Hello
    All my files are encrypted by CTB-Locker. It was very important data on my computer which I have now lost. Please help me to recover all my data.

  23. ravi kaushal
    April 9, 2015 at 2:52 pm

    I got hit by cryptolocker... then I restored my Windows... after that cryptolocker was removed but my files are still showing as encrypted, as invalid files... any suggestion to recover them?

  24. George Z
    March 22, 2015 at 10:17 am

    Downloaded the decryptor.exe tool on a Windows 7 PC, agreed to the terms and conditions, then the screen disappears. Why?

  25. Alex
    March 9, 2015 at 2:21 pm

    I have a lot of files damaged by CTB Locker under the ".rnfjtxj" extension and I cannot decrypt them. My Outlook file is also damaged and locked with that extension.

    Please someone help me...

    Best Regards,
    Alex

  26. Graham
    March 4, 2015 at 3:37 am

    I'm getting the same problem. Every file I try to submit says "The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file." I found a scan tool that supposedly scans folders for files that are possibly encrypted, but I still haven't had any luck getting FireEye to help me at all.

  27. Robert
    March 3, 2015 at 8:58 pm

    It says my files are encrypted and it's seeking ransom, but when I submit to your site it says the file is not encrypted?

  28. Travis_CAR
    March 2, 2015 at 10:51 pm

    Client computer came in with this issue, must be another variant because I too am getting the "this file isn’t infected by cryptolocker" on the two jpgs I uploaded. Renaming to just .jpg gives me a thumbnail, but no more. Killing the thing is the easy part and most times I've seen it, it only got as far as changing the background..... Fun thing is they use XP (SP3) and no restore points, so no shadow copy.

  29. Pete
    February 16, 2015 at 1:22 pm

    I don't know if it is Cryptolocker but I have been infected by a ransom virus that added ".VOIGRZK" to all .xls, .doc, .jpg, .ppt files and encrypted them so they can't be used. I contacted McAfee who connected me to Live PC Geeks who spent 2 days messing with my system only to end up with a PC that could no longer be booted and no usable data files. I added a new HDD and moved the infected disk to D: so I can still try to get the files back but no luck so far.
    I tried to send a sample file to fireeye but the upload screen just stays at the "...please wait..." screen and doesn't seem to work.
    Any thoughts?

  30. Pepita la Pistolera
    February 5, 2015 at 2:42 am

    Hi, does Shadow Explorer work with CTB Locker?

  32. BKG
    February 4, 2015 at 3:58 pm

    Hi guys, last year I encrypted my ADATA HD650 external HDD with Windows 8 BitLocker, and recently I decided to decrypt my ADATA HD650 external HDD to use it in old Windows XP. First I removed the BitLocker password; after 91% of the decryption I paused the decryption, and when I attached it again to continue the decryption, my Windows 10 doesn't recognise the hard disk and shows "access is denied"
    What should I do? I need my projects :( 600 GB sos pls

  33. Rox
    February 1, 2015 at 2:06 am

    I got hit by CTB too. I have two different extensions attached to my files. I am desperate. Does anyone have any solution for decryption? I read somewhere that attaching the HDD to a Linux OS computer would help... but it did not say how.

    • Pepita la Pistolera
      February 5, 2015 at 2:43 am

      Hi, does Shadow Explorer work with CTB Locker?

  34. Muhammed Shafeeque
    January 30, 2015 at 8:21 pm

    I also got the same problem. I think the virus is removed from my laptop with Kaspersky Rescue Disk. But the files are not decrypted yet. Please... can anybody help us?

  35. Gudo
    January 30, 2015 at 8:03 am

    Also got infected, and it leaves a .jzjarof extension on my doc and pdf documents. Tried to use Decryptolocker but failed because it says "this file isn't infected by cryptolocker". Can someone assist? Levania, I think we have kind of the same problem. I managed to recover all files on the infected PC using shadow copies but failed on the file server because shadow copies are disabled. I really need those files badly.

  36. Mark
    January 29, 2015 at 10:09 pm

    Just got infected with CTB locker. Every malware program says they can remove it.... but I tried 2 and after scanning..... the CTB virus doesn't even show up. I went to the 'ransom' site and there's nothing there either. Any suggestions ????

    • Dhananjay Chauhan
      April 19, 2015 at 11:17 pm

      Mr. Mark.
      I am facing the same problem. All my files are encrypted by CTB Locker. I lost all my personal data.

  37. Levania
    January 27, 2015 at 6:54 am

    Hello, please can someone assist..
    I have a computer that has been infected with this ransomware. We have removed the virus, however all the files are encrypted with a file extension, e.g. xls.klxfuxe
    We tried to use the decryptlocker but failed because the message "this file isn't infected by cryptolocker" comes up; we also tried Shadow Explorer and that didn't work as well.
    please can someone help!!!

  38. Ismajl
    January 23, 2015 at 9:34 pm

    Hi, I hope you are well. A client of mine has this trojan; their files are encrypted by CTB-Locker.
    Has anyone figured out how to decrypt the files?
    Thanks a lot.

    • Levania
      January 28, 2015 at 6:20 am

      Hi Ismail
      did you find a solution to decrypt the files?

  39. Jeff Jordan
    January 17, 2015 at 7:07 am

    The website wont upload the file. :(

    • Dale
      May 13, 2015 at 6:36 pm

      Same here.

    • Dale
      May 13, 2015 at 6:53 pm

      I'm no IT expert but using logic how has the encryption infected the files in the first place?

      The data in Word, Excel, PowerPoint etc. is corrupted - gobbledygook.

      Has it 'replaced' what I typed/saved with random characters, or is it tricking Word, Excel and PowerPoint into displaying those random characters with my files still being intact?

      I just don't understand how it has managed to overwrite them. How can the virus get into/access the root database or whatever?

      Surely there must be a way out. The hackers must be using some sort of program/algorithm to menace/muddle up the data that we typed out and saved.

  40. dan
    January 5, 2015 at 7:37 am

    @Manolis Tsif
    I have the same issue in place. We are the lucky ones - see above:
    "It’s not all good news though. There are a number of new variants of CryptoLocker that continue to circulate. Although they operate in a similar fashion to CryptoLocker, there’s no fix for them yet, other than paying the ransom."

  41. J
    January 4, 2015 at 1:09 am

    I had the CTB virus and got rid of it. My files are all there but the virus added an extension, for example: resume.DOCX.BPSTDQD. I open it and it's all these weird characters. I wanted to attach a snippet of it but can't on here

    • J
      January 7, 2015 at 3:24 pm

      I was able to restore 90%, not even sure what I did, but I did it, lol. Just have a few remaining...

    • Otto
      January 23, 2015 at 7:02 pm

      @J: would be great to share what you have done...

    • Dale
      May 13, 2015 at 6:58 pm

      Now, the hackers are alleging that if you pay the ransom you get the 'key'. This must mean that they are 'paired' to the hackers' server/s?

      I mean why isn't there a simple solution such as 'Undo', 'Restore' or 'Reset'. I know there is a 'System Restore' but no good.

  42. Manolis Tsif
    December 22, 2014 at 5:08 pm

    Hi there,
    I face the same problem as John Macfarlane
    December 19, 2014: all my files, images, doc, excel, pdf look like filename.PDF.zowrskl.

    I tried to upload to https://www.decryptcryptolocker.com/ and I receive "File does not seem to be infected with Cryptolocker. Please load a Cryptolocker infected file".

    Please Help me

  43. John Macfarlane
    December 19, 2014 at 8:03 am

    Church PC got hit thanks to a bogus 'Speeding Fine' email forwarded by a member. DOCX, XLSX etc. files have been renamed to add .ENCRYPTED, e.g. filename.docx.encrypted.

    So far, any file I've uploaded to Decryptolocker results in the message ' File does not seem to be infected with Cryptolocker. Please load a Cryptolocker infected file'. Files are definitely encrypted. Office tries to open them but displays the 'File Conversion' window and requests selection of the correct encoding to make the file readable (set to Western European - Windows).

    Not sure where to go from here.

    John Mac

  44. Sadia Batool
    November 25, 2014 at 5:31 pm

    Hi Mathew,
    Nice to read your blog. I got hit with the CTB locker virus and the file extensions are something like erdsmbl... I am no computer specialist and just know the amount to operate :0. But I had A LOT of research files of over 8 years, MANY family photos. I was completing some of my books, and all got infected. I didn't make a backup... which I repent now...
    I tried the Fox-IT and FireEye site, but my file doesn't load... it says wait for file to load... but hours and hours... doesn't load...
    I would appreciate it if anyone can help me with this....

    Thank you

    • Jeff Jordan
      January 17, 2015 at 7:09 am

      I have the same issue... very frustrating!

    • Dale
      May 13, 2015 at 6:34 pm

      I have experienced a similar issue - but when using IE 8.

      Check the bottom-left-hand-corner of the webpage/your browser. You may find that it says;

      "Error/Error on page/Page Error" - or words to that effect.

      I then had to re-install Firefox - but when trying to upload the files I get the following:

      "Invalid file.

      The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file."

      I got infected 28/29 April 2015 - even with CryptoPrevent from FoolishIT. But I think I may have been using an outdated version, which I have since updated to v7.4.3 with the Default settings.

      Blocked Events Log

      13/05/2015 16:39:39

      TEST EVENT

      Access to C:\Documents and Settings\user\Application Data\HelloWorld2.exe has been restricted by your Administrator by location with policy rule {255cdf83-818f-4853-919b-04a034beb6b2} placed on path C:\Documents and Settings\user\Application Data\*.exe

      29/04/2015 09:43:47

      SUSPICIOUS APPLICATION BLOCKED

      Access to C:\Documents and Settings\user\Application Data\wymvpec.exe has been restricted by your Administrator by location with policy rule {255cdf83-818f-4853-919b-04a034beb6b2} placed on path C:\Documents and Settings\user\Application Data\*.exe

      28/04/2015 03:08:52

      SUSPICIOUS APPLICATION BLOCKED

      Access to C:\Documents and Settings\user\Application Data\sonrqna.exe has been restricted by your Administrator by location with policy rule {255cdf83-818f-4853-919b-04a034beb6b2} placed on path C:\Documents and Settings\user\Application Data\*.exe

      Dunno what any of this means...

      HelloWorld2.exe
      wymvpec.exe
      sonrqna.exe

      Answers on a postcard please.
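      What Dale's log records is a Software Restriction Policy path rule on Application Data\*.exe doing its job: the TEST EVENT entry is the tool's self-check, and the two SUSPICIOUS APPLICATION BLOCKED entries are executables with random-looking names that were stopped from running out of the user's Application Data folder on the same days he says he was infected. The parser below turns that pasted text into records so the self-test can be separated from real blocks and the blocked executables listed for follow-up (hashing, submitting to AV, checking other machines for the same names). It is an added example, not CryptoPrevent's own code; SAMPLE_LOG is a reconstruction of the entries quoted above with the path backslashes restored, and the log layout (timestamp line, event-type line, message line) is assumed from that paste.

```python
"""Parse a CryptoPrevent-style 'Blocked Events Log' into records so the
TEST EVENT self-check can be separated from real blocks.  Added example,
not CryptoPrevent's own code; SAMPLE_LOG reconstructs the entries pasted in
the comment above with the path backslashes restored."""
import re
from datetime import datetime

RULE = "{255cdf83-818f-4853-919b-04a034beb6b2}"          # GUID from the pasted log
APPDATA = r"C:\Documents and Settings\user\Application Data"


def _msg(exe):
    # Software Restriction Policy wording as it appears in the pasted log.
    return (f"Access to {APPDATA}\\{exe} has been restricted by your Administrator "
            f"by location with policy rule {RULE} placed on path {APPDATA}\\*.exe")


SAMPLE_LOG = "\n\n".join([
    "13/05/2015 16:39:39", "TEST EVENT", _msg("HelloWorld2.exe"),
    "29/04/2015 09:43:47", "SUSPICIOUS APPLICATION BLOCKED", _msg("wymvpec.exe"),
    "28/04/2015 03:08:52", "SUSPICIOUS APPLICATION BLOCKED", _msg("sonrqna.exe"),
])

TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
MSG_RE = re.compile(
    r"^Access to (?P<path>.+?) has been restricted by your Administrator "
    r"by location with policy rule (?P<rule>\{[0-9a-fA-F-]+\}) "
    r"placed on path (?P<policy_path>.+)$")


def parse_events(text):
    """Return one dict per log entry: time, kind, path, rule, policy_path."""
    events, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if TS_RE.match(line):                      # a timestamp opens an entry
            current = {"time": datetime.strptime(line, "%d/%m/%Y %H:%M:%S"),
                       "kind": None, "path": None, "rule": None,
                       "policy_path": None}
            events.append(current)
        elif current is not None and current["kind"] is None:
            current["kind"] = line                 # e.g. SUSPICIOUS APPLICATION BLOCKED
        elif current is not None:
            m = MSG_RE.match(line)
            if m:
                current.update(m.groupdict())      # path, rule, policy_path
    return events


def real_blocks(events):
    """Drop the self-test entry; what remains is executables actually stopped."""
    return [e for e in events if e["kind"] != "TEST EVENT" and e["path"]]


def blocked_executables(events):
    """Bare file names of the blocked executables, in log order."""
    return [e["path"].rsplit("\\", 1)[-1] for e in real_blocks(events)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in real_blocks(evs):
        print(f"{e['time']:%Y-%m-%d %H:%M}  {e['kind']}: {e['path']} "
              f"(rule {e['rule']})")
    print("blocked:", blocked_executables(evs))
```

      A block in this log means the rule fired, not that the machine is clean: anything that ran from a location the rule does not cover (the "outdated version" Dale mentions would not have had the later rules) still needs a malware scan, and the file names in the blocked list are worth searching for on other machines in the same household or office.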

  45. Mary Dorreen
    October 29, 2014 at 2:31 pm

    Wow. Thanks for this idea on how to recover from cryptolocker. I have been having the problem of how to remove cryptolocker in my computer. Thanks again!

  46. Tony
    September 15, 2014 at 4:53 am

    Can anyone give me a line by line literal command entry for this? I've been getting errors. I can check for the infected/encrypted files but it won't let me actually decrypt them. I'm getting errors of "Unsuccessful loading key: RSA key format is not supported" and "No Key Files were successfully loaded. Exiting." for any combination I try to load. I'm using a key from a few weeks ago but now when I submit files that are encrypted through the site I keep getting emails apologizing and saying that there isn't a key available. I haven't done anything to the infected files. Any advice? If anyone could email where they see I could be going wrong I would appreciate it. I'm at adamsan41978@yahoo.com. Thank you so much!

  47. Jason
    August 19, 2014 at 8:42 pm

    My Aunt got hit at her workplace. Shadowcopy was enabled and I was able to recover the files by the Right-Click-Properties-Previous Versions option in Windows 7.

    It came in via an email that looked like a PDF file.

    It took a couple of hours but she only lost 2 days worth of documents, easily replaced for her workflow.

    • Matthew H
      August 27, 2014 at 11:07 am

      Thanks for your comment man. It seems your aunt got lucky!

  48. Manny R
    August 16, 2014 at 12:29 pm

    Does wiped mean nuked with DBAN or such? If not, PhotoRec might still work. I tried it once and had to stop partway because it was filling a hard drive with a ton of files I didn’t even imagine existed. I was stunned given the capacity of the hard drive where they're coming from.

    • Matthew H
      August 29, 2014 at 4:05 pm

      I just used 'wiped' to mean reformatted and reinstalled. You are quite right, although your mileage may vary.

  49. Lachlan
    August 16, 2014 at 12:27 am

    Another way to get your files back if you are hit with any CryptoLocker malware is to use a program called ShadowExplorer to look into the shadow copy directories, which are not hit by the malware, and copy the files out onto a formatted hard drive after the actual malware has been removed from the computer using Malwarebytes Chameleon. Only works on Windows Vista & 8 though.

    Program Link: http://www.shadowexplorer.com/

    • Riley Mullins
      December 20, 2014 at 10:23 pm

      Ran this program a few months back for my girlfriend's laptop, she was getting ticked really fast. Ran SE, saved it to an external drive, installed a Samsung EVO 250 with Win7, programs, protection programs, and Office, all her documents and pictures opened with no issues.

  50. Daniel
    August 15, 2014 at 5:53 pm

    Tony, you should do a more in-depth blog post. I'd love to hear more.

    Great work, by the way.

  51. Tony
    August 15, 2014 at 5:04 pm

    Client's office got hit. They were hit with two incidents of Cryptolocker. Both timers running. It encrypted all workstations, the server and the server's only attached external drive backup. The clients thought for sure that they were closing the business. They had 2 other consultants in their office for 2 1/2 days with no success.
    I got called in and within 2 days I had their office running, not great but functioning. I set up a "loaner server", reconfigured their network, printers etc.
    They had to pay the fines because they didn't have access to anything. They paid the 1st one and it took the money but never sent a key. They paid the 2nd time for the other instance running. It took the money but did not issue a key. They waited a week and attempted to get the $$ back. They were lucky and got the funds back but no keys.
    We recovered some documents from 2 yrs ago from an old Iomega backup image file on tape. The hardware was not working. They had no software for the tape drive and Iomega hardware is not supported anymore.
    Set up new network with Win 7 workstations and Server 2012 R2. Reinstalled apps, OSes, mapped drives, placed the recovered data from the old backup onto the server. Well, they were missing a lot but functioning.
    Thanks to FireEye and Fox-IT!!! We submitted several file samples; many did not return a key, but then it struck and we got a key.
    I ran the tool with the key against the server and workstations hit and it decrypted about 15% of the files and quit. Submitted more file samples and got another key!!! Apparently, it was for the other incident that was running.
    I ran the tool again and it decrypted ALL of the files! Next I had to clean up all of the .bak files. The tool generates a new file for each file recovered. Make sure that you have room on the infected drives. I then merged all the recovered files into the correct folders on the server's data drive. I had quite a bit of cleanup due to older files merging with newer ones. File compare software was a great help. We recovered over 500,000 data files. The client is ecstatic. I have gotten several calls from them thanking me for their presents. Every time they look for something "IT'S THERE!" If anyone needs help, shout out and I will do what I can for you.

    • Matthew H
      August 29, 2014 at 3:50 pm

      I agree with Daniel. Awesome story. You should share it on the Tales From Tech Support subreddit, or start a blog!

  52. Jeff
    August 15, 2014 at 3:43 pm

    Client of mine got hit, DropBox, mapped drives, and external HD encrypted.
    They chose not to pay the ransom. We reloaded the computer, wiped out everything, even files on their DropBox. Called Carbonite, the folks at Carbonite put together a restore package that restored ALL files that were encrypted. It did take a while to download the files, but when it was all said and done, they were well pleased with their decision to NOT pay the ransom and got to test their contingency plan with Carbonite.

    • Matthew H
      August 29, 2014 at 3:50 pm

      That's good to hear! I've seen a lot of positivity about Carbonite in the past. Glad your client got their files back!

    • Dale
      May 13, 2015 at 7:22 pm

      Some good news. I just managed to restore some JPEG photos.

      These photos were being e-mailed to me and I had to download the zip files.

      Fortunately I had kept the original zip files [WinRAR Zip] in My Documents.

      Simply locate the Zip files, double-click, then...

      Click... Extract To [Original file path where they were corrupted]

      and

      Extract and replace files [Make sure the bullet point is checked]

      Then click OK

      Hopefully this helps. It's a success story nevertheless.

    • sadegh
      May 19, 2015 at 7:59 pm

      My Windows got hit by a ransomware which copied a text file named help_restore_files
      all over my computer, and all my personal files got infected. What should I do?
