
Today one of our PCs got infected with the nasty CryptoLocker trojan crap. The PC was a Windows XP machine with up-to-date NOD32 a/v. As you probably know, the virus encrypts your files with a 2048-bit RSA public key and only the bad guy has the private key. So... they ask for 1.16 BTC or 500 EUR as a ransom via TOR.

Glancing through Google results, I saw some resources mentioning that it encrypts the files and then deletes the original ones. So, is it possible to recover those deleted files using some recovery tool like "Recuva"? Maybe some Linux magic? Or have they thought of that too and the data loss is permanent?

Some of the search results say that they could have left the private key behind in the %appdata% folder or that kind of stuff, though I seriously doubt it :)

Please share your experience if you had that happen to you and you managed to recover or if you have any suggestions. Any help is appreciated!

PS. I can't physically access the machine right now as it hasn't been shipped from the branch office yet, so I can't really try anything. I just want to prepare for the good or the bad.

Ashtray
  • There is nothing you can do. Your security has failed you. You can either pay the ransom or recover from a backup. The method used to encrypt your data is sound; there are no holes in the method. **The files were not deleted, they were encrypted, and after doing so the key was uploaded and deleted.** You're lucky this computer was not connected to the network, otherwise it would have encrypted every network drive it saw. **What you need is the private key to decrypt the data, and that only happens if you pay the ransom.** Of course you only have a limited window of time. I hope you have backups, you will need them. – Ramhound May 14 '14 at 12:44
  • You can post it as an answer :) Thanks! Yeah, we screwed up pretty badly, but it could have been worse. At least there was nothing too important there or there was a backup on a file server. – Ashtray May 14 '14 at 12:50
  • There are already Cryptolocker questions [here at Superuser](http://superuser.com/questions/723600/excel-word-pdf-files-got-encrypted-by-ransomware/723642#723642). – Ramhound May 14 '14 at 12:52
