CryptoLocker Decryption Engine

CryptoLocker Technical Details

CryptoLocker is the latest ransomware Trojan that targets computers running Microsoft Windows. CryptoLocker is typically received as an email attachment containing a malicious executable. Once launched, it contacts a command & control server which generates a unique RSA-2048 public/private key pair. The private key is retained on the remote server; the public key is sent to the victim machine. CryptoLocker then recursively finds all document files and encrypts them.

More technical information on the network communication protocol and encryption process can be found at the Emsisoft Blog entry about CryptoLocker. An excellent up-to-date overview of CryptoLocker can be found at BleepingComputer's CryptoLocker information page.

Assuming you pay the ransom to get the private key, you then have to use that key via an .exe provided by the very people who just held your files for ransom.

CryptoLocker Encrypted File Format

Kyrus has reverse engineered the CryptoLocker application to determine how the CryptoLocker file format works and build an open-source decryption engine. The decryption engine only works if you have the private key. Given the encryption algorithms in use by CryptoLocker, there is no known way to recover the private key without paying the ransom.

Each file encrypted by CryptoLocker is encrypted with a unique AES-256 key. The unique symmetric key is then encrypted with the public RSA-2048 key unique to the infected host. Therefore, the only way to decrypt files encrypted with CryptoLocker is to obtain the private RSA-2048 key.

The file format for an encrypted file is as follows:

Offset  Length     Description
0x00    0x14       SHA1 hash of '\x00'*4 followed by the next 0x100 bytes (the "file header")
0x14    0x100      File header containing the AES key encrypted with RSA-2048 with PKCS#1 v1.5 padding
0x100   remainder  File contents encrypted with above AES key

Once the file header is decrypted, the CryptImportKey Win32 CryptoAPI function is used to interpret it as a Microsoft PUBLICKEYSTRUC structure. The format of the PUBLICKEYSTRUC structure is:

typedef struct _PUBLICKEYSTRUC {
  BYTE   bType;
  BYTE   bVersion;
  WORD   reserved;
  ALG_ID aiKeyAlg;
} BLOBHEADER, PUBLICKEYSTRUC;

For CryptoLocker, the following values are used:

Field      Value
bType      8 (PLAINTEXTKEYBLOB)
bVersion   2
reserved   0
aiKeyAlg   0x6610 (CALG_AES_256)
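As an added example (not Kyrus's CryptoUnLocker code), the following Python applies the two structures above: it runs the SHA1 detection check over the file layout, splits a file into its RSA-wrapped header and AES ciphertext, and parses an already-decrypted header as a PLAINTEXTKEYBLOB. The RSA step itself needs the private key and is omitted; the DWORD key length after the BLOBHEADER is the standard PLAINTEXTKEYBLOB layout, assumed here because the page shows only the header struct, and all sample inputs are constructed.

```python
import hashlib
import struct

# Layout from the file-format table above: SHA1 prefix, RSA-wrapped header, AES ciphertext.
HASH_LEN = 0x14
HEADER_LEN = 0x100
CONTENT_OFF = HASH_LEN + HEADER_LEN  # ciphertext starts where the header ends

# Expected BLOBHEADER (PUBLICKEYSTRUC) values once the header has been RSA-decrypted.
PLAINTEXTKEYBLOB = 8
CUR_BLOB_VERSION = 2
CALG_AES_256 = 0x6610


def is_cryptolocker_file(data: bytes) -> bool:
    """Detection check: SHA1(b'\\x00'*4 + header) must equal the file's 0x14-byte prefix."""
    if len(data) < CONTENT_OFF:
        return False
    header = data[HASH_LEN:CONTENT_OFF]
    return hashlib.sha1(b"\x00" * 4 + header).digest() == data[:HASH_LEN]


def split_cryptolocker_file(data: bytes):
    """Return (rsa_encrypted_header, aes_ciphertext) for a file that passes detection."""
    if not is_cryptolocker_file(data):
        raise ValueError("not a CryptoLocker-encrypted file")
    return data[HASH_LEN:CONTENT_OFF], data[CONTENT_OFF:]


def parse_key_blob(blob: bytes) -> bytes:
    """Parse a decrypted header as a PLAINTEXTKEYBLOB and return the AES-256 key.

    The 8-byte BLOBHEADER is the struct shown above. The DWORD key length that follows
    it is the standard PLAINTEXTKEYBLOB layout CryptImportKey expects (assumed; not on the page).
    """
    b_type, b_version, reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if (b_type, b_version, reserved, alg) != (PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, CALG_AES_256):
        raise ValueError(f"unexpected BLOBHEADER {(b_type, b_version, reserved, alg)!r}")
    (key_len,) = struct.unpack_from("<I", blob, 8)
    if key_len != 32:
        raise ValueError(f"unexpected AES key length {key_len}")
    return blob[12:12 + key_len]


# Constructed sample file: fake 0x100-byte header and ciphertext, SHA1 prefix built as described above.
FAKE_HEADER = bytes(range(256))
FAKE_CIPHERTEXT = b"\xaa" * 40
SAMPLE_FILE = hashlib.sha1(b"\x00" * 4 + FAKE_HEADER).digest() + FAKE_HEADER + FAKE_CIPHERTEXT
# Constructed sample of a decrypted header (PLAINTEXTKEYBLOB carrying a dummy 32-byte key).
FAKE_KEY = bytes(range(0x10, 0x30))
SAMPLE_BLOB = struct.pack("<BBHI", 8, 2, 0, 0x6610) + struct.pack("<I", 32) + FAKE_KEY
```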

CryptoLocker Decrypter & Identification

Given the above file format, Kyrus has developed a CryptoLocker identification and decryption tool in Python. The tool can identify CryptoLocker files on a local disk and optionally decrypt them given the private key material.

The Python script is available on GitHub.

Usage

usage: CryptoUnLocker.py [-h] (--keyfile KEYFILE | --keydir KEYDIR) [-r] [-v]
                         [--dry-run] [--detect] [-o DESTDIR]
                         encrypted_filenames [encrypted_filenames ...]

Decrypt CryptoLocker encrypted files.

positional arguments:
  encrypted_filenames

optional arguments:
  -h, --help           show this help message and exit
  --keyfile KEYFILE    File containing the private key, or the EXE file
                       provided for decryption
  --keydir KEYDIR      Directory containing any number of private keys; the
                       appropriate private key will be used during the
                       decryption process
  -r                   Recursively search subdirectories
  -v                   Verbose output
  --dry-run            Don't actually write decrypted files
  --detect             Don't try to decrypt; just find files that may be
                       CryptoLockered
  -o DESTDIR           Copy all decrypted files to an output directory,
                       mirroring the source path