CryptoLocker Decryption Engine

CryptoLocker Technical Details

CryptoLocker is the latest ransomware Trojan that targets computers running Microsoft Windows. CryptoLocker is typically received as an email attachment containing a malicious executable. Once launched, it contacts a command & control server which generates a unique RSA-2048 public/private key pair. The private key is retained on the remote server; the public key is sent to the victim machine. CryptoLocker then recursively finds all document files and encrypts them.

More technical information on the network communication protocol and encryption process can be found at the Emsisoft Blog entry about CryptoLocker. An excellent up-to-date overview of CryptoLocker can be found at BleepingComputer’s CryptoLocker information page.

Assuming you pay the ransom to get the private key, you then have to use that key via an .exe provided by the very people who just held your files for ransom.

CryptoLocker Encrypted File Format

Kyrus has reverse engineered the CryptoLocker application to determine how the CryptoLocker file format works and build an open-source decryption engine. The decryption engine only works if you have the private key. Given the encryption algorithms in use by CryptoLocker, there is no known way to recover the private key without paying the ransom.

Each file encrypted by CryptoLocker is encrypted with a unique AES-256 key. The unique symmetric key is then encrypted with the public RSA-2048 key unique to the infected host. Therefore, the only way to decrypt files encrypted with CryptoLocker is to obtain the private RSA-2048 key.

The file format for an encrypted file is as follows:

Offset  Length     Description
0x00    0x14       SHA1 hash of '\x00'*4 followed by the next 0x100 bytes (the "file header")
0x14    0x100      File header containing the AES key encrypted with RSA-2048 with PKCS#1 v1.5 padding
0x100   remainder  File contents encrypted with the above AES key

Once the file header is decrypted, the CryptImportKey Win32 CryptoAPI function is used to interpret it as a Microsoft PUBLICKEYSTRUC structure. The format of the PUBLICKEYSTRUC structure is:

typedef struct _PUBLICKEYSTRUC {
  BYTE   bType;
  BYTE   bVersion;
  WORD   reserved;
  ALG_ID aiKeyAlg;
} BLOBHEADER, PUBLICKEYSTRUC;

For CryptoLocker, the following values are used:

Field     Value
bType     8 (PLAINTEXTKEYBLOB)
bVersion  2
reserved  0
aiKeyAlg  0x6610 (CALG_AES_256)
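As an added illustration of the file layout and header values above (this is not Kyrus's CryptoUnLocker code), the following Python performs the identification step a responder would run during triage and the parsing of the decrypted header: it verifies the SHA1 over '\x00'*4 plus the 0x100-byte header, splits the file after the header (0x14 + 0x100 = 0x114 bytes), and validates the BLOBHEADER fields. The RSA PKCS#1 v1.5 unwrap and the AES decryption themselves are left to a crypto library and are not shown; the DWORD key-length field that follows the BLOBHEADER is the documented CryptoAPI PLAINTEXTKEYBLOB layout, and the sample header and key bytes are constructed fixtures.

```python
import hashlib
import struct

HASH_LEN = 0x14                        # SHA1 digest at offset 0
HEADER_LEN = 0x100                     # one RSA-2048 block holding the key blob
PAYLOAD_OFF = HASH_LEN + HEADER_LEN    # 0x114: first byte of AES-encrypted content
PLAINTEXTKEYBLOB = 0x08
CALG_AES_256 = 0x6610


def is_cryptolocker_file(data: bytes) -> bool:
    """True if data carries the CryptoLocker header: SHA1 of four zero
    bytes followed by the 0x100-byte encrypted file header."""
    if len(data) < PAYLOAD_OFF:
        return False
    header = data[HASH_LEN:PAYLOAD_OFF]
    return data[:HASH_LEN] == hashlib.sha1(b"\x00" * 4 + header).digest()


def split_cryptolocker_file(data: bytes):
    """Return (rsa_encrypted_key_blob, aes_encrypted_contents)."""
    if not is_cryptolocker_file(data):
        raise ValueError("not a CryptoLocker-encrypted file")
    return data[HASH_LEN:PAYLOAD_OFF], data[PAYLOAD_OFF:]


def parse_plaintext_key_blob(blob: bytes) -> bytes:
    """Interpret the RSA-decrypted header as a CryptoAPI PLAINTEXTKEYBLOB
    (little-endian BLOBHEADER, DWORD key length, key bytes) and return
    the raw AES-256 key, rejecting anything that is not what CryptoLocker
    writes."""
    if len(blob) < 12:
        raise ValueError("key blob too short")
    b_type, b_version, reserved, alg, key_len = struct.unpack_from("<BBHII", blob, 0)
    if (b_type, b_version, reserved, alg) != (PLAINTEXTKEYBLOB, 2, 0, CALG_AES_256):
        raise ValueError("unexpected BLOBHEADER: type=%#x ver=%d res=%d alg=%#x"
                         % (b_type, b_version, reserved, alg))
    if key_len != 32 or len(blob) < 12 + key_len:
        raise ValueError("unexpected AES key length %d" % key_len)
    return blob[12:12 + key_len]


def build_sample_file(header: bytes, contents: bytes) -> bytes:
    """Constructed fixture: wrap a 0x100-byte (already RSA-encrypted)
    header and some ciphertext in the on-disk layout described above."""
    assert len(header) == HEADER_LEN
    return hashlib.sha1(b"\x00" * 4 + header).digest() + header + contents


def build_sample_key_blob(key: bytes) -> bytes:
    """Constructed fixture: a PLAINTEXTKEYBLOB carrying an AES-256 key."""
    return struct.pack("<BBHII", PLAINTEXTKEYBLOB, 2, 0, CALG_AES_256, len(key)) + key
```

In practice the blob returned by parse_plaintext_key_blob is the output of RSA PKCS#1 v1.5 decryption of the 0x100-byte header with the victim's private key.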

CryptoLocker Decrypter & Identification

Given the above file format, Kyrus has developed a CryptoLocker identification and decryption tool in Python. The tool can identify CryptoLocker files on a local disk and optionally decrypt them given the private key material.

The Python script is available on GitHub.

Usage


usage: CryptoUnLocker.py [-h] (--keyfile KEYFILE | --keydir KEYDIR) [-r] [-v]
                         [--dry-run] [--detect] [-o DESTDIR]
                         encrypted_filenames [encrypted_filenames ...]

Decrypt CryptoLocker encrypted files.

positional arguments:
  encrypted_filenames

optional arguments:
  -h, --help           show this help message and exit
  --keyfile KEYFILE    File containing the private key, or the EXE file
                       provided for decryption
  --keydir KEYDIR      Directory containing any number of private keys; the
                       appropriate private key will be used during the
                       decryption process
  -r                   Recursively search subdirectories
  -v                   Verbose output
  --dry-run            Don't actually write decrypted files
  --detect             Don't try to decrypt; just find files that may be
                       CryptoLockered
  -o DESTDIR           Copy all decrypted files to an output directory,
                       mirroring the source path

12 Responses to “CryptoLocker Decryption Engine”

  1. Moses

    This is ironic. I was doing exactly the same thing to help a friend of mine. I’ve never done anything in cryptography before, but my friend's business was hit by this and he asked me if I could help and I can program. I studied the virus, how it edits files, made educated guesses as to what the header data is, looked up whatever data I could that would help, and actually wrote my program in python as well. I’m quite shocked at the coincidence lol.

    I figured the header contained a hash so it could tell if a file was encrypted or not, and after editing any of the first 276 bytes I realized I was right, but I decided it wasn’t necessary for decrypting so I didn’t bother with it. I’ve got some files decrypted for my friend and sent them for him to review in the morning. I had a feeling while I was writing it that someone would beat me to the punch, but I didn’t expect it to also be a python script released only 2 days before I finished mine. This made my night lol.

    • Flukefarm

      Did your friend pay the ransom to get the private key?

      How did you decrypt if they didn’t pay the ransom?

  2. Dan

    Is it possible that someone will come up with a way to easily decrypt these files? Should I save them? I have a lot of valuable family photos and work files that are gone. I can’t bring myself to delete them and there’s no way I’m paying a ransom.

    • Adam

      @Dan, if you need your encrypted files asap, obtaining the private key from the criminals is likely going to be the fastest solution. While AES and RSA are considered relatively unbreakable today, this could change in the future. If I were in your position, I would hang on to the encrypted files.

  3. What is Cryptolocker and how to protect yourself – Dr. Chaos

    […] Tech has developed a 3rd party decryption engine for Cryptolocker.  http://www.kyrus-tech.com/cryptolocker-decryption-engine/ You will still need to pay the ransom to get your private key. However, now if the decryption does […]

  4. What is Cryptolocker and how to protect yourself | . . TheSecurityBlogger . . .

    […] Tech has developed a 3rd party decryption engine for Cryptolocker.  http://www.kyrus-tech.com/cryptolocker-decryption-engine/ You will still need to pay the ransom to get your private key. However, now if the decryption does […]

  5. Adam

    Thanks for posting these details. I was curious as to where Cryptolocker was storing the encrypted AES key and this was the first site I found that provided specifics.

  6. The Official Secugenius Blog - Site Home - Secugenius Blog

    […] Tech has developed a 3rd party decryption engine for Cryptolocker.  http://www.kyrus-tech.com/cryptolocker-decryption-engine/ You will still need to pay the ransom to get your private key. However, now if the decryption does […]

  7. Patrick

    So if I read this post correctly, someone who was infected by the Cryptolocker virus would have to purchase the key from the virus author in order to use this tool?

    • Mike Tanji

      Unfortunately, yes. There is no other option.

  8. CryptoLocker ransomware intelligence report | Fox-IT International blog

    […] big thank you to Kyrus tech for their tool Cryptounlocker. And finally we wish to thank Surfright for their assistance by providing encrypted files they […]

  9. Free service gives decryption keys to Cryptolocker victims | Nagg

    […] How do they perform this feat? The basic research seems to have been done by Kyrus Tech[5]. […]
