Decrypting Cryptolocker Files

For those organizations that were hit by Cryptolocker, there is a means to recover your files now.  FireEye and Fox IT are hosting a site to help decrypt those files.   The site asks for an encrypted file to be sent, and then it will return the key to decrypt it.  I am often a skeptical person, but this is truly a cool thing to do.  The information was there, but making a bridge for the layman was needed.

Screenshot 2014-08-20 08.11.11

This site is not hacking the files or breaking the crypto.  There is no magic key to brute to break this encryption.  Through a combination of corporate efforts, grassroots working groups and law enforcement led to the “Court orders last month (June, which) allowed authorities to seize the servers that issued commands to Gameover Zeus and Cryptolocker   After which, almost every country is on the lookout for the Evgeniy Bogachev, the organizer of this racketing and ransom activity.


This takedown is known as Operation Tovar.  Strangely, FireEye and Fox IT are not involved. Instead the companies listed are: CrowdStrike, Dell SecureWorks, Symantec, Trend Micro and McAfee.

What makes this story interesting is what happened to the infrastructure of the Game Over Zeus and those servers that housed all those keys.  The command and control of Game Over is now offline, but a third of the 400,000 systems are still infected. 

And what of those drives with all those keys?  That data is what FireEye and Fox-IT are using to give you the key back to your files.  So, there is no magic here, this is just a database lookup.  But a database lookup that most people would not have the access to do.

As Hancock would say, “Good job.”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: