White-Hat Hackers Create A Service To Save Files Hacked By CryptoLocker Malware

CryptoLocker is some nasty stuff. It is a type of malware that, when run, begins encrypting your entire disk and then requests a certain fraction of a bitcoin to decrypt it. The software began circulating in 2013 and researchers believe that the number of victims is well in the six figures at this point.

According to Brian Krebs, security companies FireEye and Fox-IT have teamed up to offer Decryptcryptolocker.com, a free service that decrypts files encrypted by CryptoLocker. To use it, you must send one encrypted file and your email address through the service. It then decrypts the files using “master keys” acquired by the security firms and creates an app that will automatically decrypt the rest of your files. Interestingly, many users' files may have been encrypted multiple times, so they may have to repeat the decryption until everything has been saved.

This portal will then email you a master decryption key along with a download link to our recovery program that can be used together with the master decryption key to repair all encrypted files on your system.

Many of the CryptoLocker infection vectors were torn down in June when Operation Tovar shut down the Gameover Zeus botnet. However, there are still a number of Windows machines infected. There are also variants of the CryptoLocker malware that aren’t covered by this software.

The teams at FireEye and Fox-IT were obviously reticent to disclose how they grabbed the master keys to CryptoLocker. However, it’s good to know that victims can now escape the hell that is ransomware.