New Site Recovers Files Locked by Cryptolocker Ransomware - Albuca
http://krebsonsecurity.com/2014/08/new-site-recovers-files-locked-by-cryptolocker-ransomware/

======
TeMPOraL
> _The free decryption service was made possible because Fox-IT was somehow
> able to recover the private keys..._

Part of me is _so_ hoping that they extracted those keys from the crooks using
rubber-hose cryptanalysis. There are many types of Internet scams, some more
evil than others, but this is one of the nastiest I ever heard of.

~~~
praseodym
They got a database copy:

BBC article:
[http://www.bbc.com/news/technology-28661463](http://www.bbc.com/news/technology-28661463)

Fox-IT CEO:
[https://twitter.com/cryptoron/status/496945787700805632](https://twitter.com/cryptoron/status/496945787700805632)

------
nospecinterests
I know they are doing this as a community service... because, I assume they
feel it is their honor and duty to do so... but why the hell do these guys NOT
have at least a donate link/button on their site!!!!! This is crazy. I know
they are going to get awesome press which would have normally cost thousands,
but it never hurts to throw up a link and see how much you're appreciated.

~~~
dan1234
Does anyone have any conversion stats for those donate buttons?

I don't think many people actually use them, especially if the traffic is
mainly curious readers sent there by mainstream press.

~~~
bitJericho
I've had sites with a fair amount of traffic, never received a donation, not
ever, not even once. Much more effective to sell a sticker than to place a
donate button. A friend of mine recently avoided my advice and replaced his
twitter feed with a donate button; he said it was a horribly stupid mistake.

------
mp4box
Relevant
[http://blog.cassidiancybersecurity.com/post/2014/02/Bitcrypt...](http://blog.cassidiancybersecurity.com/post/2014/02/Bitcrypt-broken)

~~~
Scoundreller
But it sounds like in the Cryptolocker case that the encryption was pretty
good, they just (thankfully) weren't erasing the decrypt keys as promised.

The goodness of the decryptCryptolocker crew will probably make me laugh
whenever I hear some other not-half-as-good organization claim "we're the good
guys".

------
userbinator
This is interesting because it's one of those cases where _insecurity_ can
turn out to be a good thing - had those cybercriminals been more careful with
their systems and made them more secure, this may have never been possible;
but then again, the malware might not have been able to do this in the first
place if the users' systems were more secure. How that could be accomplished
is also worth considering - there is a school of thought that suggests taking
control away from the users and disallowing them from doing anything that some
entity (corporate or government) does not approve of on the assumption that
users will always make mistakes (e.g. Trusted Computing), but this also means
loss of freedom - as the saying goes, "freedom is not worth having if it does
not include the freedom to make mistakes."

However, if on the other hand we allow the users freedom, and thus assume that
mistakes (such as being infected with malware like this) will happen, then it
makes sense that a means of recovery should be available, which is not
something that "perfect" security allows. To use an analogy, people who have
lost their keys or had them stolen should still be able to gain access to
their house. In the physical world, perfect security is nearly impossible, but
with digital data, it's not. Locking an item in a safe means it can still be
retrieved if the key is lost by, in the worst possible circumstance, cutting
open the safe, no matter how physically strong it is. Encrypting data with a
long-enough key and sufficiently strong algorithm means it's truly practically
_destroyed_ without the key. I think this point - that encryption can be
really, really, _really_ unrecoverably strong - needs to be made more aware as
we continue to use more of it.

It would be particularly ironic if this recovery was made possible through
exploiting the malware servers with something like Heartbleed...

~~~
kijin
> _it's one of those cases where insecurity can turn out to be a good thing_

Well, it's usually a good thing when the bad guys make a mistake, isn't it?
"Oh, I wanted to blow up this building, but I set my timer to the wrong time
zone." Oops, now the police have an extra hour to evacuate the building and
dismantle your bomb.

What matters is: Good for whom? Obviously, insecure tools are not good for the
person who relies on them for mission-critical tasks. But what is good for that
particular person and that particular task might not be good for other people
and other tasks.

Since "good" is relative, "perfect security" is also relative. Perfect
security for whom? And what do we mean by "security", anyway? Let's say we
think of security as the ability of a system to resist interference from
anybody other than its legitimate user(s). But then the question becomes, who
are the legitimate users?

If Apple is the sole legitimate user of a device, it makes sense for that
device to resist your attempts to interfere with its Apple-approved functions.
That's perfect security for Apple, perfect security for Steve Jobs's
posthumous ego.

If you are the sole legitimate user, on the other hand, the device should
resist Apple's attempts to tell you what you can or can't do with it. That's
perfect security for you, but it comes at the expense of perfect security from
the point of view of Apple designers.

As for CryptoLocker, the whole purpose of that program is grossly immoral, so
does it even have a legitimate user?

Unfortunately, it is becoming increasingly clear that perfect security for one
party does not always align with perfect security for some other party.

~~~
derefr
You're listing the clear, black-and-white cases.

The interesting case is: if I am the sole legitimate user of the device,
should my device resist my attempts to run
cat_pictures_infected_with_cryptolocker.jpg.exe?

~~~
kijin
> _if I am the sole legitimate user of the device..._

On the flip side, if your device resists your attempts to run
cat_pictures_infected_with_cryptolocker.jpg.exe, it is clear that somebody
else has some degree of control over the behavior of your device, and this
somebody does not consider you to be the sole legitimate controller of your
device.

Who is this somebody, and what right does he/she/they have to retain partial
control of your property? That sounds like a more interesting question to me.
Because unless you're like RMS and only use free software on open-source
hardware, you're never the sole legitimate controller of any device these
days.

~~~
Kliment
How about if said somebody is a less tired, more sober, more attentive and
less stressed me?

~~~
kijin
If you wrote a program to restrain your own careless self, or installed
someone else's program with the expectation that it will restrain you, then I
suppose everything's kosher. We're all consenting adults, right?

Things get more complicated when a stranger decides to tell you what you can
or can't do, without your consent, against your expectations, and sometimes
even in spite of your loud complaints.

------
RAB1138
Relevant: Neal Stephenson's Reamde takes the principle of Ransomware and plays
it out to a fun conclusion. This site would have come in handy. Highly
recommended [http://www.audible.com/pd/Sci-Fi-Fantasy/Reamde-Audiobook/B0...](http://www.audible.com/pd/Sci-Fi-Fantasy/Reamde-Audiobook/B005PMU12U?bp_ua=y)

------
aresant
Key from one of the comments "It’s not too late if you still have the
encrypted files, as I suspect many people do, hoping that someday a program
like this would come along."

That is awesome. I'm sure a large percentage of people with irreplaceable
files hung onto them, hope these guys get the exposure they deserve for the
site.

#1 on HN is a good start.

~~~
Eiriksmal
+1. One lady in my office (running 1/4 Windows PCs) opened something from
"Intuit" concerning a bill and got most of her documents locked down... and
some of the shared files on the company's main NFS drive before I unplugged
the box's ethernet cord. Oops.

She kept her files hanging around, just in case someone broke the encryption
later on. A smart move from someone foolish enough to open a ".pdf.exe" file
from an email reeking of fraud.

------
gordon_freeman
I just hope as many people as possible who were affected by this lockdown and
who have not paid the ransom yet would know about this. As per the Krebs
article, only 1.3% paid the ransom, so it's not too late.

------
timsayshey
Has anyone here looked at the software? It requires you to manually run a
command from the command prompt for every file:

Decryptolocker.exe --key "<key>" <Lockedfile>

If I have thousands of files, that will take forever. Any way to batch decrypt?

~~~
0x0
The faq mentions an "-r" parameter :)

~~~
timsayshey
Perfect, I have the recursive part working, but I can't get the key pasted in
the command prompt.

Decryptolocker.exe --key "<key>" <Lockedfile>

Every time I paste the key in, the command prompt executes each line. Any ideas
how to preserve the line breaks?

~~~
0x0
Put the command in a .bat file with notepad and run that in the cmd window?

~~~
timsayshey
Nevermind, I put everything on one line and it fixed it. Thanks!
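
One way to batch the per-file command from this exchange, as an added example that is not from the thread, from Fox-IT or from the decryptor's authors: it assumes the tool accepts `--key "<key>" <Lockedfile>` exactly as quoted above, that the key was saved to a text file (possibly wrapped across several lines, which is what broke pasting into cmd.exe), that the tool returns a non-zero exit code on failure, and that every path is a placeholder.

```powershell
# Added example, not code from the thread or the tool's authors.
# Assumptions: Decryptolocker.exe takes --key "<key>" <Lockedfile> as quoted
# in the thread; a non-zero exit code means the file was not decrypted.
param(
    [string]$KeyFile = '.\key.txt',              # placeholder: saved key text
    [string]$Root    = 'C:\Users\me\Documents',  # placeholder: folder to sweep
    [string]$Tool    = '.\Decryptolocker.exe'    # placeholder: tool location
)

# Rejoin the key into one line: drop every CR/LF and stray space, so the
# line-by-line execution the poster hit in cmd.exe cannot happen.
$key = ((Get-Content -Path $KeyFile -Raw) -replace '\s', '')
if ([string]::IsNullOrEmpty($key)) { throw "No key found in $KeyFile" }

$failed = @()
Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
    # One invocation per file, mirroring the manual command from the thread.
    & $Tool --key $key $_.FullName
    if ($LASTEXITCODE -ne 0) { $failed += $_.FullName }
}

# List what did not decrypt so those files can be retried or inspected.
Write-Host ("Done. {0} file(s) failed:" -f $failed.Count)
$failed | ForEach-Object { Write-Host "  $_" }
```

It runs the tool against every file under the root, including ones that were never encrypted, so work on a copy of the data and check the tool's FAQ for how it treats untouched files.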

------
xxxmadraxxx
Of course, the conspiracy theorist might say that it's a bit _too_ convenient
to suppose the hitherto extremely clever criminals helpfully and stupidly
copied their private keys across to computers controlled by 'the feds'. A bit
like those supposedly 'random' police stopping of vehicles which turn out to
be full of drugs or explosives.

Maybe public/private key pairs aren't as secure as we've been led to believe.

~~~
MasterScrat
Or maybe they got their hands on the keys some other way they're not willing
to disclose.

~~~
enneff
It is likely that they were able to compromise the bad guys' systems and steal
the private keys, which in itself is against the law.

~~~
obitoo
Technically yes, but in practice only if the bad guys file charges and/or
assist the authorities with evidence, i.e. their machines.

