Wednesday, October 9, 2013

New Virus Warning #Cryptolocker ransomware virus destroys all files on your computer & network, then goes after your backups

Another wave of the CryptoLocker ransomware virus appears to have hit today. This is among the worst viruses to make the rounds in a while, and is an extremely high threat. I've seen widespread reports of it throughout Texas today, and I'm sure globally.

If you want to decrypt the files the CryptoLocker virus has encrypted, you might want to think twice. Sparing you the specifics, it uses very state-of-the-art tactics to make sure that decryption is not an option unless you can hack their server.

The virus activates by attempting to contact its command and control node. Since the FBI or someone systematically takes their servers offline as quickly as possible, the virus has devised a novel way to call home no matter what. It has an algorithm that generates random domain names made of various letters, and it then tries to phone home using those random domains. All that's required is for the virus author to know the algorithm and register one of the domain names the virus will use to phone home, at some point before the virus tries it.
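One defensive consequence of that call-home scheme is that an infected machine produces a burst of DNS lookups for long, random-looking names, most of which fail. The following is an added example (not part of the original post, and not related to any real CryptoLocker domain list) that scores query names from a constructed DNS log with a simple entropy and letter-pattern heuristic and flags clients that look up several such names; the log format, the sample names and the thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (hypothetical format: timestamp client qname).
# The three 16-letter labels are made-up stand-ins for algorithm-generated names.
SAMPLE_LOG = """\
2013-10-09T10:01:02 10.0.0.15 www.example.com
2013-10-09T10:01:05 10.0.0.15 mail.google.com
2013-10-09T10:01:07 10.0.0.15 qpxkjwfzhtlvbnmr.org
2013-10-09T10:01:08 10.0.0.15 zkdtvbqxwpynhglc.net
2013-10-09T10:01:09 10.0.0.15 xvhqbtkjdwlpzmrf.com
2013-10-09T10:01:12 10.0.0.22 update.microsoft.com
2013-10-09T10:01:14 10.0.0.22 static.akamaihd.net
"""

VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits per character; 16 distinct letters in a 16-char label gives 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_label(qname: str) -> str:
    """Label left of the TLD (naive: no public-suffix list, so co.uk is not handled)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_dga_like(label: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Heuristic: long, high-entropy label with few vowels and a long consonant run.
    Legitimate CDN/hash-style hostnames can also match, hence the per-client count below."""
    if len(label) < min_len or shannon_entropy(label) < min_entropy:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    longest_consonant_run = max(len(m) for m in re.findall(r"[b-df-hj-np-tv-z]+", label) or [""])
    return vowel_ratio < 0.25 and longest_consonant_run >= 4

def find_dga_clients(log_text: str, min_hits: int = 3) -> dict:
    """Return {client_ip: [suspicious qnames]} for clients whose DGA-like lookups
    reach min_hits, i.e. the burst of call-home attempts described above."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _ts, client, qname = fields
        if is_dga_like(registered_label(qname)):
            hits[client].append(qname)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}

if __name__ == "__main__":
    for client, names in find_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups -> isolate host, check backups", names)
```

A client flagged this way is worth isolating from network shares immediately, since the post notes encryption starts once the call home succeeds.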

Once connected, it encrypts everything it can write to, including network shares on servers that might be otherwise protected.

During its dormant period, it attempts to spread like a worm, infecting whatever machines it can whenever an opportunity presents itself.

By the time it phones home, the entire network could be infected, and all at once your whole system might require the ransom to be paid.

All versions of Windows are vulnerable. Most major anti-virus vendors still can't stop this one yet, for some reason.

Some people have attempted to use Panda Ransomware Decrypt, but that doesn't work at all.

The malware itself is easy to remove, but the encrypted files it leaves behind cannot be decrypted, even if you have a powerful server capable of attempting brute-force decryption.

Online backups are also encrypted in many cases. Cloud-based backup software often pushes the encrypted file offsite, and many offsite cloud backups only store the latest "current version", so even cloud backups are vulnerable to ending up encrypted unless previous versions are retained.

There are scattered reports of people being able to restore files using Previous Versions via VSS snapshots, but it seems that some new variants may be going after those too.

Paying the ransom supposedly gets the files decrypted, but I think that's only true if you pay before, for example, the FBI shuts down their server. Once their server is "seized" or taken offline, the private key to decrypt the data, which the ransomware sells to you, is gone for good.

You seem to get infected after receiving an e-mail carrying a customer complaint as an attachment, and the attachment is what's infected.

Websites and other routes are also supposedly spreading it, but many people think that an infected e-mail attachment, paired with a message that makes your heart skip a beat and makes you want to open it immediately, is what's spreading it.

So beware. If you're hit, hopefully your backup is good and immune.

Let's recap. This virus:
  • Evades Anti-Virus
  • Destroys backups
  • Holds you hostage
  • Is very finicky
  • I don't like it at all