Pentest Tools

Published on June 10th, 2015 📆 | 3723 Views ⚑

0

Cryptolocker Malware Decrypter


https://www.ispeech.org/text.to.speech
Locker is probably one of the worst malware “in-the-wild” today. It is a variant of Cryptolocker family of malware, and so called ransomware, which encrypts victim’s important files (such as photos and documents) based on file extension.

On May 30th,

The document describes the format used in the encrypted files so that one can decrypt the files, assuming that the encryption key is known.

Also a

containing all the RSA-keypairs and bitcoin addresses for ransom payments was posted on Mega

[adsense size='1']

Dependencies

This tool requires Python 2 (tested with 2.7, Python 3 does not work as someone would need to port the rijndael.py).

  • untangle
  • pycrypto

 

How to decrypt files ?

First you have to dig either RSA public key or Bitcoin address from vitcim’s computer. The files containing relevant information typically reside in C:\ProgramData\rkcl directory.

  • data.aa0 – Contains list of encrypted files
  • data.aa6 – Contains the bitcoin address
  • data.aa7 – Contains the public key

 





Use either RSA public key or Bitcoin address to find the private key from the csv-file referred above and to save it to file private_key.xml:

grep [BITCOIN ADDRESS HERE] database_dump.csv | sed -e 's/.*,.*,//g' > private_key.xml

Then run the tool in a directory where you want to decrypt your files:

lockerdecrypter.py <private_key.xml> <directory_to_decrypt>

The tool automatically tries to determine which of the files were actually encrypted and which were not.

[adsense size='1']

Cryptolocker Malware Decrypter on GitHub

git clone https://github.com/mikatammi/locker_decrypter.git

 

 

Source && Download

Tagged with:



Comments are closed.