CryptoLocker Decryption Engine

by Mike Tanji, Blog, 15 Comments

Nov 12

CryptoLocker Technical Details

CryptoLocker is the latest ransomware Trojan that targets computers running Microsoft Windows. CryptoLocker is typically received as an email attachment containing a malicious executable. Once launched, it contacts a command & control server which generates a unique RSA-2048 public/private key pair. The private key is retained on the remote server; the public key is sent to the victim machine. CryptoLocker then recursively finds all document files and encrypts them.

More technical information on the network communication protocol and encryption process can be found at the Emsisoft Blog entry about CryptoLocker. An excellent up-to-date overview of CryptoLocker can be found at BleepingComputer’s CryptoLocker information page.

Assuming you pay the ransom to get the private key, you then have to use that key via an .exe provided by the very people who just held your files for ransom.

CryptoLocker Encrypted File Format

Kyrus has reverse engineered the CryptoLocker application to determine how the CryptoLocker file format works and build an open-source decryption engine. The decryption engine only works if you have the private key. Given the encryption algorithms in use by CryptoLocker, there is no known way to recover the private key without paying the ransom.

Each file encrypted by CryptoLocker is encrypted with a unique AES-256 key. The unique symmetric key is then encrypted with the public RSA-2048 key unique to the infected host. Therefore, the only way to decrypt files encrypted with CryptoLocker is to obtain the private RSA-2048 key.

The file format for an encrypted file is as follows:

Offset  Length     Description
0x00    0x14       SHA1 hash of ‘\x00’*4 followed by the next 0x100 bytes (the “file header”)
0x14    0x100      File header containing the AES key encrypted with RSA-2048 with PKCS#1 v1.5 padding
0x100   remainder  File contents encrypted with above AES key

Once the file header is decrypted, the CryptImportKey Win32 CryptoAPI function is used to interpret a Microsoft PUBLICKEYSTRUC structure. The format of the PUBLICKEYSTRUC structure is:

typedef struct _PUBLICKEYSTRUC {
  BYTE   bType;      /* blob type */
  BYTE   bVersion;   /* blob format version */
  WORD   reserved;   /* must be zero */
  ALG_ID aiKeyAlg;   /* algorithm identifier of the key carried in the blob */
} BLOBHEADER, PUBLICKEYSTRUC;

For CryptoLocker, the following values are used:

Field     Value
bVersion  2
reserved  0
aiKeyAlg  0x6610 (CALG_AES_256)
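The layout above is enough to write both halves of what the post's tool does: identify an encrypted file from its bytes alone (the SHA1 over four zero bytes plus the 0x100-byte header needs no key material), and, once the header has been RSA-decrypted, pull the AES-256 key out of the CryptoAPI key blob. The following Python is an added example written for this page; it is not the Kyrus tool from GitHub. It assumes the contents offset follows from the two preceding lengths (0x14 + 0x100 = 0x114), and it assumes the decrypted header is a CryptoAPI PLAINTEXTKEYBLOB (BLOBHEADER, then a DWORD key length, then the raw key), which is the standard layout CryptImportKey accepts but is not spelled out in the post. The RSA step itself is left out; the parser takes the already-decrypted blob. All sample data is constructed inline.

```python
import hashlib
import os
import struct
import tempfile

HASH_LEN = 0x14                      # SHA1 digest at offset 0x00
HEADER_LEN = 0x100                   # RSA-2048 ciphertext of the key blob at offset 0x14
DATA_OFFSET = HASH_LEN + HEADER_LEN  # 0x114: assumed start of the AES-encrypted contents
CALG_AES_256 = 0x6610                # aiKeyAlg value the post lists for CryptoLocker
BLOBHEADER_FMT = "<BBHI"             # bType, bVersion, reserved, aiKeyAlg (little-endian)
PLAINTEXTKEYBLOB = 0x8               # CryptoAPI bType for a plaintext symmetric key (assumed for samples)


def is_cryptolocker_file(data: bytes) -> bool:
    """Layout-only identification: bytes 0x00..0x13 must equal SHA1(b'\\x00'*4 || header).

    No key is required, which is what makes a --detect style scan possible.
    """
    if len(data) < DATA_OFFSET:
        return False
    header = data[HASH_LEN:DATA_OFFSET]
    return data[:HASH_LEN] == hashlib.sha1(b"\x00" * 4 + header).digest()


def parse_key_blob(plaintext: bytes) -> bytes:
    """Validate the BLOBHEADER values the post lists and return the 32-byte AES key.

    Assumes the PLAINTEXTKEYBLOB layout: BLOBHEADER, DWORD key length, raw key bytes.
    """
    hdr_size = struct.calcsize(BLOBHEADER_FMT)
    if len(plaintext) < hdr_size + 4:
        raise ValueError("key blob too short for a BLOBHEADER and key length")
    _b_type, b_version, reserved, alg = struct.unpack_from(BLOBHEADER_FMT, plaintext, 0)
    if b_version != 2 or reserved != 0 or alg != CALG_AES_256:
        raise ValueError(f"unexpected BLOBHEADER: version={b_version} reserved={reserved} alg={alg:#x}")
    (key_len,) = struct.unpack_from("<I", plaintext, hdr_size)
    key = plaintext[hdr_size + 4:hdr_size + 4 + key_len]
    if key_len != 32 or len(key) != key_len:
        raise ValueError("CALG_AES_256 blob must carry exactly 32 key bytes")
    return key


def scan_directory(root: str, recursive: bool = True) -> list:
    """Return paths under root whose first 0x114 bytes match the CryptoLocker layout."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    prefix = fh.read(DATA_OFFSET)  # the hash check only needs the prefix
            except OSError:
                continue
            if is_cryptolocker_file(prefix):
                hits.append(path)
        if not recursive:
            break
    return sorted(hits)


def build_sample_file(header: bytes, body: bytes) -> bytes:
    """Constructed test data in the post's layout; header stands in for the RSA ciphertext."""
    if len(header) != HEADER_LEN:
        raise ValueError("file header must be 0x100 bytes")
    return hashlib.sha1(b"\x00" * 4 + header).digest() + header + body


def build_sample_key_blob(key: bytes) -> bytes:
    """Constructed decrypted header carrying the BLOBHEADER values from the post."""
    return (struct.pack(BLOBHEADER_FMT, PLAINTEXTKEYBLOB, 2, 0, CALG_AES_256)
            + struct.pack("<I", len(key)) + key)


def demo_scan() -> int:
    """Write one sample file and one ordinary file to a temp dir; return the number detected."""
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "docs")
        os.mkdir(sub)
        with open(os.path.join(sub, "report.docx"), "wb") as fh:
            fh.write(build_sample_file(b"\xab" * HEADER_LEN, b"\x00" * 64))
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"plain text, not encrypted\n" * 20)
        return len(scan_directory(tmp))


if __name__ == "__main__":
    print("sample AES key:", parse_key_blob(build_sample_key_blob(bytes(range(32)))).hex())
    print("files detected in demo tree:", demo_scan())
```

The detector reads only the first 0x114 bytes of each file, so a full-disk scan costs one small read per file rather than hashing whole documents. Note that the check proves only that a file was written in this layout; it says nothing about whether the header will decrypt under a given private key, which is why the tool's --keydir mode has to try each key in turn.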

CryptoLocker Decrypter & Identification

Given the above file format, Kyrus has developed a CryptoLocker identification and decryption tool in Python. The tool can identify CryptoLocker files on a local disk and optionally decrypt them given the private key material.

The Python script is available on GitHub.


usage: [-h] (--keyfile KEYFILE | --keydir KEYDIR) [-r] [-v]
                         [--dry-run] [--detect] [-o DESTDIR]
                         encrypted_filenames [encrypted_filenames ...]

Decrypt CryptoLocker encrypted files.

positional arguments:

optional arguments:
  -h, --help           show this help message and exit
  --keyfile KEYFILE    File containing the private key, or the EXE file
                       provided for decryption
  --keydir KEYDIR      Directory containing any number of private keys; the
                       appropriate private key will be used during the
                       decryption process
  -r                   Recursively search subdirectories
  -v                   Verbose output
  --dry-run            Don't actually write decrypted files
  --detect             Don't try to decrypt; just find files that may be
  -o DESTDIR           Copy all decrypted files to an output directory,
                       mirroring the source path


    1. Moses
      November 15, 2013 at 01:56

      This is ironic. I was doing exactly the same thing to help a friend of mine. I’ve never done anything in cryptography before, but my friend’s business was hit by this and he asked me if I could help and I can program. I studied the virus, how it edits files, made educated guesses as to what the header data is, looked up whatever data I could that would help, and actually wrote my program in python as well. I’m quite shocked at the coincidence lol.

      I figured the header contained a hash so it could tell if a file was encrypted or not and after editing any of the first 276 bytes I realized I was right, but I decided it wasn’t necessary for decrypting so I didn’t bother with it. I’ve got some files decrypted for my friend and sent for him to review in the morning. I had a feeling while I was writing it that someone would beat me to the punch, but I didn’t expect it to also be a python script released only 2 days before I finished mine. This made my night lol.

      • Flukefarm
        December 13, 2013 at 14:12

        Did your friend pay the ransom to get the private key?

        How did you decrypt if they didn’t pay the ransom?

    2. Dan
      November 28, 2013 at 00:24

      Is it possible that someone will come up with a way to easily decrypt these files? Should I save them? I have a lot of valuable family photos and work files that are gone. I can’t bring myself to delete them and there’s no way I’m paying a ransom.

      • Adam
        December 17, 2013 at 23:39

        @Dan, if you need your encrypted files asap, obtaining the private key from the criminals is likely going to be the fastest solution. While AES and RSA are considered relatively unbreakable today, this could change in the future. If I were in your position, I would hang on to the encrypted files.

    3. Pingback: What is Cryptolocker and how to protect yourself – Dr. Chaos

    4. Pingback: What is Cryptolocker and how to protect yourself | . . TheSecurityBlogger . . .

    5. Adam
      December 17, 2013 at 23:36

      Thanks for posting these details. I was curious as to where Cryptolocker was storing the encrypted AES key and this was the first site I found that provided specifics.

    6. Pingback: The Official Secugenius Blog - Site Home - Secugenius Blog

    7. Patrick
      January 22, 2014 at 15:47

      So if I read this post correctly, someone who was infected by the Cryptolocker virus would have to purchase the key from the virus author in order to use this tool?

    8. Pingback: CryptoLocker ransomware intelligence report | Fox-IT International blog

    9. Pingback: Free service gives decryption keys to Cryptolocker victims | Nagg

    10. Pingback: CryptoLocker ransomware intelligence report | e-Shielder Security

    11. Pingback: Documents Become Corrupt or Encrypted on the Network Due to CryptoLocker or CryptoWall Malware | Worldox Knowledgebase

    12. Pingback: Les ransomwares, explications et contre-mesures – Le Blog du Hacker
