help, cryptolocker, I have no options other than to decrypt

provoko (Gawd, joined Aug 6, 2004, 656 messages)
So basically my brother got infected by cryptolocker, so his files are encrypted. Ransom won't work, decrypt server is toast, this is a virus out of control.

Seems like it's also impossible to decrypt once you're infected. But I was thinking, I'll take that challenge. I have a super fast computer: 32 thread, 64gb machine w/ GTX 660 Ti w/ 1344 cuda cores.

If I gotta be the first person to decrypt, fine, I'll be the first.

I'm going to get the public key from the Windows registry, if it's still there, here, I think:
HKCU\Software\CryptoLocker, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Cryptolocker, others?

If I have no public key to crack......... can I generate enough public and private keys to crack a file at random? I was reading this is encrypted using RSA...... again, think of the power of my computer! =) If I gotta rent space on AWS, FINE I will.

I'm gonna use an ubuntu CD to copy his personal files, including the encrypted files; hopefully not all his files are encrypted...
 
I doubt these programs actually DO encrypt the data, they probably scramble it in a way that's not reversible or literally just replace them with junk. They just want gullible people to pay thinking they'll get their data back, but when they do pay, they're still not getting their data back. At least that's my guess.

Consider it deleted, and start restoring from a backup after clean installing the machine.
 
I doubt these programs actually DO encrypt the data, they probably scramble it in a way that's not reversible or literally just replace them with junk. They just want gullible people to pay thinking they'll get their data back, but when they do pay, they're still not getting their data back. At least that's my guess.

I had the same guess, I was definitely mistaken:
http://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care_feeding_of_your_cryptolocker/
 
Ha that is interesting. I did not figure a virus writer would go to those lengths.

This also shows the importance of offline backups, it looks like this will even do mapped drives. Pretty nasty.
 
Oh yeah, this one is fun. I have had it fully encrypt a network share when a users PC got infected with it.

This is pure nasty and we have not been able to recover from it without restoring from a backup.
 
You're never going to break a 2048 bit key no matter how much computing power you have access to unfortunately. If you can't pay the ransom and don't have backups, the data is gone forever.
 
Unless you have some really good friends at the NSA, you're better off hiring a monkey to randomly type 1's and 0's until it happens to reproduce the files that were encrypted. Restoring from backup is the only option that won't take upwards of 5 million years. And if you don't have a backup well...lesson learned.
 
Updates, backups and software policies to not let software run in appdata.

Otherwise kiss your data goodbye.
 
This is a real encryption put on the files, and with current technology (and foreseeable future technology)... it's irreversible other than having that private key to decrypt.

Not even the NSA x 100 could figure out how to get your documents back.
 
Not even the NSA x 100 could figure out how to get your documents back.

That's what they want us to think. I'm sure they have ways that probably don't involve brute force, or simply enough computing power for brute force to work anyway. Of course you can't just show up at their office with a laptop and ask them to decrypt it for you. :D
 
rename your important files to "jihadplot1againsttheinfidels.doc", maybe the NSA will decrypt for you..
 
This virus should be a wakeup call for everyone, you've got to have multiple copies of your critical data, including offsite, and it HAS to have versioning features. Otherwise if you aren't paying attention, encrypted files will just transmit to your offsite backup and overwrite the good ones. This has made me go through all my stuff, and more importantly my clients' servers. Make sure shadow copies are configured and running correctly on the servers that host the shared drives. Make sure backups (on and offsite) are running, and you are keeping multiple backups. Makes me glad for ZFS and its snapshotting capabilities (what I use to host my clients' offsites).

reddit thread with all sorts of valuable info:
http://www.reddit.com/r/sysadmin/comments/1p32lx/cryptolocker_recap_a_new_guide_to_the_bleepingest/
 
Hah, no. No one is cracking anything. Since I have nothing better to do, here are some fun statistics. The most complex RSA number that has been factored is 768 bit as far as I'm aware. It was done on a sizeable cluster of servers. The group behind it estimated that a single node would have taken 55 years to factor it. These were Opteron 148s and my estimates put them at 4 gigaflops. A 1024 bit number takes about 1024 times the computing time to factor compared to a 768 bit one and a 2048 one about 4.3 billion times that of a 1024 bit one. So, we're looking at 4.4 trillion times the time or 242 trillion years for our poor Opteron 148.

Now to put that all in perspective, the current top supercomputer in the world is Tianhe-2 with about 34 petaflops of computing power. 34 petaflops is about 8.5 million of our Opterons. However, if things scaled linearly, that's still 28.5 million years...should you somehow persuade the Chinese. Now of course this is all assuming things scale up, but even if I'm off by a factor of say, 10000, that really doesn't change anything.
 