Individuals impacted by the widely pervasive CryptoLocker ransomware have previously had only two real choices when they discovered that files had been encrypted: either pay the attackers behind the ransomware to recover the files, or accept that whatever was encrypted had been lost forever. Now though, researchers have released a new website that gives victims the ability to decrypt CryptoLocker files for free.
Though ransomware is far from new, CryptoLocker made waves immediately after being discovered in September 2013, particularly because it was one of the first ransomware variants to ever implement commercial-grade encryption correctly. Unlike other ransomware examples, CryptoLocker's authors also took the novel approach of actually providing a method for decrypting files once they had received a payment from victims, which typically fell in the range of $300. That combination led CryptoLocker to infect more than 200,000 computers worldwide, and for its authors to rake in more than $27 million in ransom payments.
Now, decryptcryptolocker.com -- the result of a partnership between FireEye Inc. and Fox-IT -- aims to provide assistance to the remaining victims of CryptoLocker following Operation Tovar, the international law enforcement operation that took down CryptoLocker's sole distribution infrastructure, GameOver Zeus.
To use the site, victims need to upload a CryptoLocker-encrypted file containing non-sensitive information to the Web portal. The portal will then send along a private key and a link to download and install a local decryption tool, which combined, should allow victims to decrypt their files. The CryptoLocker keys were apparently obtained through a combination of reverse engineering and partnerships, according to a FireEye blog post, but no further elaboration has been provided by either firm.
"Operation Tovar made a clear impact on the distribution of and infection of machines by CryptoLocker. However, there have been no known avenues available designed to help users get their encrypted files back without making significant payments to those responsible for infecting machines in the first place," said FireEye researchers Kyle Wilhoit and Uttang Dawda. "While the remediation of infected machines can be somewhat difficult, hopefully with the help of https://www.decryptCryptoLocker.com and Decryptolocker.exe, we can help you get back some of the valuable files that may still be encrypted."
While this site may allow users to recover files once thought to be irretrievable, FireEye's researchers warned that it won't necessarily save future ransomware victims. That's because there are numerous ransomware variants like CryptoDefense -- along with an increasing number of CryptoLocker copycats like CryptoWall-- that may differ enough in terms of coding and functionality to break the decryption process, or may not actually encrypt files at all.
With that in mind, FireEye said that the best deterrent against ransomware attacks is still to ensure regular data backups.
"Ideally, this would be done in at least two locations: One would be on premises (such as an external hard drive), and the other would be off premises (such as cloud storage)," Wilhoit and Dawda advised.
For more on CryptoLocker and ransomware, resident threat expert Nick Lewis explains why ransomware prevention is a losing battle, while expert Mike Chapple details how to battle ransomware variants with advanced encryption algorithms.