Retrieve Encrypted Files from a CryptoLocker Infection

CryptoLocker is file-encrypting ransomware: when it infects your machine, it encrypts the contents of the hard drive using an RSA-2048 key, then demands payment to decrypt the data. Unfortunately, data recovery can be next to impossible without the key.

Malware that encrypts your data and then demands a ransom to decrypt it isn’t a new thing by any means; one of the earliest examples of malware written with the sole aim of making money was the AIDS Information Trojan of 1989. 90 days after infection, the data on the infected machine’s hard drive would be scrambled and a ransom of $378 demanded, to be sent to an address in Panama. Fortunately, the malware was poorly made and scrambled the data in the same way on every machine it affected, so free data recovery tools that quickly removed the malware were soon released.

Unfortunately, the perpetrator behind the CryptoLocker ransomware hasn’t been so careless. The malware is distributed via spam emails which contain infected attachments or links. Often, cyber-criminals forge email header information to make the email look legitimate. By posing as, say, your bank or a shipping company and tricking you into clicking a link or attachment, they get the ransomware onto your computer.

The CryptoLocker ransomware targets all versions of Windows, including Windows 7, 8 and 10. The malware is particularly troublesome because it uses AES-256 and RSA encryption, which means the user has no choice but to purchase the private key to decrypt their data. When the ransomware is first installed, it creates a randomly named executable file in the AppData folder. That executable is launched and begins to scan the drives connected to your machine for files to encrypt. The ransomware specifically searches for certain file extensions to cause the most damage, typically ones crucial to productivity like .doc, .docx, .pdf and .xls, but also media files like .mp4, .mp3, .avi and .m4a. Each file is then encrypted and renamed with the .CryptoLocker extension.

Once the files on your hard drive are encrypted, CryptoLocker creates a .txt file containing a ransom note in each folder where encrypted files are stored. These text files hold instructions on how to decrypt your files, which will typically cost you $1300, or 2.05 Bitcoins, along with a link to the payment site. It isn’t possible to decrypt your hard drive’s files without this key, because of the AES-256 and RSA encryption. So what can you do to get your files back?

Well, you have several options. Brute forcing the decryption key isn’t realistic, because of the time required to break an AES key. The easiest thing to do is restore your files and folders from a backup, which you should always keep. Many people, however, don’t. To make matters worse, many people keep their backup drive connected to their machine constantly, so the CryptoLocker program may have infected that, too.

If you don’t have a working backup of your data, it may be possible to recover previous versions of the encrypted files via their shadow copies. Shadow copies are snapshots created by Windows so that it can revert to them in the event of a System Restore. To see if you can use shadow copies to restore a file, right-click on it and select ‘Properties’. In the Properties window, select the ‘Previous Versions’ tab. You will then see a list of all the previous versions of the file, and can restore the most recent. To restore these files in bulk, you can perform a System Restore to take your machine back to a point before the infection.
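The ‘Previous Versions’ tab reads from the same Volume Shadow Copies, so the check and the restore can be scripted when there are many files to recover. The following is an added example, not code from the original article: it picks the newest snapshot taken before the infection, warns if none exist, and copies one file’s pre-encryption version out of it. The paths and the cut-off time are assumptions to be adjusted to your machine.

```powershell
# Added example, not from the original article: find the newest Volume Shadow Copy
# taken before the infection and copy the pre-encryption version of one file out of it.
# Run from an elevated PowerShell prompt. The paths and cut-off time are assumptions.
param(
    [string]$Volume    = 'C:',
    [string]$FilePath  = 'C:\Users\Alice\Documents\report.docx',  # original name, before .CryptoLocker was appended
    [string]$RestoreTo = 'D:\recovered\report.docx',
    [datetime]$CutOff  = (Get-Date).AddDays(-1)                   # roughly when the ransom notes appeared
)

# Map the drive letter to its volume GUID path; Win32_ShadowCopy refers to volumes that way.
$volumeId = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $Volume).DeviceID
$snapshots = Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $volumeId |
    Sort-Object InstallDate -Descending   # InstallDate is when the snapshot was taken

if (-not $snapshots) {
    Write-Warning "No shadow copies exist for $Volume; previous versions cannot be recovered this way."
    return
}

# Prefer the newest snapshot that predates the infection; a later one may already hold encrypted files.
$candidate = $snapshots | Where-Object { $_.InstallDate -lt $CutOff } | Select-Object -First 1
if (-not $candidate) {
    Write-Warning "All $(@($snapshots).Count) snapshots postdate $CutOff; falling back to the oldest one."
    $candidate = $snapshots | Select-Object -Last 1
}
Write-Host "Using snapshot $($candidate.ID) taken $($candidate.InstallDate)"

# Snapshot contents live under a \\?\GLOBALROOT device path, which the PowerShell file provider
# cannot open directly; expose it through a temporary directory symlink instead.
$link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
cmd.exe /c mklink /d "$link" "$($candidate.DeviceObject)\" | Out-Null
try {
    $relative = $FilePath.Substring($Volume.Length).TrimStart('\')
    $source   = Join-Path $link $relative
    if (-not (Test-Path -LiteralPath $source)) {
        Write-Warning "$relative is not present in that snapshot."
        return
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $RestoreTo) | Out-Null
    Copy-Item -LiteralPath $source -Destination $RestoreTo
    Write-Host "Restored $relative to $RestoreTo"
} finally {
    # Remove only the link, never its target.
    cmd.exe /c rmdir "$link" | Out-Null
}
```

Copy recovered files to a separate, clean drive rather than back onto the infected volume, and run the script only after the malware has been removed so the restored copies are not encrypted again.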
