Eugene Kaspersky, head of Russia-based security software supplier Kaspersky Lab, is fighting allegations that his company has “close ties” to Russian spies.

Last week, Bloomberg Business published an article accusing Kaspersky Lab of excluding Russia from reports examining electronic espionage by the United States, Israel, and the United Kingdom.

Bloomberg traced an alleged change in focus at the anti-virus shop back to 2012, when high-level managers began exiting the company and being replaced by what the news service claimed were “people with closer ties to Russia’s military or intelligence services.”

“Some of these people actively aid criminal investigations by the FSB, the KGB’s successor, using data from some of the 400 million customers who rely on Kaspersky Lab’s software,” Bloomberg said, citing current and former employees who went unnamed in the article.

“This closeness starts at the top,” Bloomberg continued. “Unless [CEO] Kaspersky is traveling, he rarely missed a weekly banya (sauna) night with a group of about five to 10 that usually includes Russian intelligence officials.”

While the chief did not deny the social gatherings, he did assert that they are not conspiratorial, and that the presence of spies was purely coincidental.

Kaspersky (pictured) spoke out late last week, writing in a blog entry that Bloomberg’s piece is nothing more than sensationalism.

“Exploiting paranoia is always a great tool for increasing readership,” he said, adding that, “It’s been a long time since I read an article so inaccurate from the get-go—literally from the title and the article’s subheading.”

As security expert Graham Cluley pointed out, Bloomberg’s story was published just two days after Kaspersky revealed more details about the long-running “Crouching Yeti” attacks, which target a number of countries—but not Russia.

The nation’s absence may seem odd, Cluley said, until you read that, according to Kaspersky, the authors of Crouching Yeti were likely Russian speakers.

“Clearly Bloomberg missed that piece of information,” Cluley said.

Investigating state-sponsored attacks can be awkward for any company: Silicon Valley-based FireEye CEO Dave DeWalt told The Wall Street Journal that he would think twice before publicizing a hacking campaign by government-backed Americans.

Kaspersky has indeed probed attacks attributed to Russian cyber-spies, including Red October, CloudAtlas, CosmicDuke, and Epic Turla.

“I must have said this a million times, but we do not care who’s behind the cyber-campaigns we expose,” Kaspersky wrote in his blog. “There is cyber-evil and we fight it. If a customer comes and shows us a problem we investigate it. And once we take the genie out of the bottle, there’s no way we can put it back.”

He continued to pick apart the Bloomberg article line-by-line, responding to a number of allegations and attempting to set the record straight.

Meanwhile, Kaspersky alluded to dealing with mistrust as a Russian company when he tweeted last week that the company’s next research conference will provide better accommodations.

“It’s very hard for a company with Russian roots to become successful in the U.S., European, and other markets. Nobody trusts us—by default,” Kaspersky said. “Our only strategy is to be 100 percent transparent and honest. It took years to explain who we are. Many people attempted to find ‘dirt’ on us—and failed. Because we’ve nothing to hide.”

 

Ransomware is a particularly nasty piece of malware that takes infected machines hostage. CryptoLocker was successful at garnering  multi-millions in ransom payments the first two months of CryptoLocker’s distribution, according to a recent blog by FireEye regarding the takeover of CryptoLocker infrastructure – Operation Tovar.

Operation Tovar helped tear down the infrastructure used by attackers, but there are still many instances where users are still being infected with ransomware. After the success of Operation Tovar, there were few resources available to help decrypt files that were still encrypted with the attacker’s private key.

While not particularly innovative, CryptoLocker was successful because it encrypts the files of computers it infected and then demanded a ransom for a private key to decrypt those files. The harsh reality of a situation like this is, not many people back up their data. In some cases, the backups would be encrypted if mounted to an infected machine. As a result, many of the victims felt helpless at this point, and paid the ransom – typically around $300. A simple description of the way that CryptoLocker works can be found below:

1. CryptoLocker arrives on a victim’s machine through a variety of techniques such as spear-phishing emails or watering hole attacks.
2. CryptoLocker then connects to randomly generated domain (via DGAs) to download a specific RSA public key.
3. At that point, an AES-256 key is created for each file on the system.
4. CryptoLocker then encrypts all of the supported files using the generated key from step 3.
5. The generated key is then encrypted with the downloaded RSA public key from step 2.
6. And finally, the AES-key is written to the beginning of the encrypted files, thus requiring the private key to decrypt.

Figure 1: Screenshot of victim machine infected with CryptoLocker

Not all CryptoLocker variants are created equal. There are several copycats and hybrid versions of Crytpolocker that exist, ranging from programs like CryptoDefense, PowerLocker, TorLocker and CryptorBit, to variants that are not necessarily named but have modified functionality, such as using Yahoo Messenger as a propagation technique.

Decryption Assistance

To help solve the problem of victims’ files still being encrypted, we leveraged our close partnership with Fox-IT. We developed a decryption assistance website and corresponding tool designed to help those afflicted with the original CryptoLocker malware. Through various partnerships and reverse engineering engagements, Fox-IT and FireEye have ascertained many of the private keys associated with CryptoLocker.  Having these private keys allows for decryption of files that are encrypted by CryptoLocker.

FireEye and Fox IT have created a webpage, https://www.decryptcryptolocker.com, where a user can upload an encrypted CryptoLocker file.  Based on this upload, the user will be provided with the option to download a private key that should decrypt their affected files. The site also provides instructions on how to apply this key to the files encrypted by CryptoLocker to decrypt those files.

To use the site, simply upload an encrypted file without any confidential information. (Please keep in mind, we will not permanently store, view, or modify your file in any fashion.) Enter your email address, to ensure the private key associated with the file is sent to the correct individual. Ensure you enter the correct number or phrase in the Captcha entry field.

Figure 2: Screenshot of https://www.DecryptCryptoLocker.com

After clicking “Decrypt It!”, you will be presented with instructions to download the Decryptolocker.exe tool from https://www.decryptCryptoLocker.com (Figure 3). In addition, your private key will be sent to the email addresses specified.

Figure 3: DecryptCryptoLocker decryption result page

After receiving the email (Figure 4), you will then select the key and utilize it in conjunction with Decryptolocker.exe.

Figure 4: Email containing private key

At this point, the user opens a Windows Command Prompt, and browses to the directory of the Decryptolocker.exe tool and the locked file.  (Please note that the directory of the locked file must be specified if the file is not local to the tool’s directory.) The user must enter the command exactly as specified on the successful decryption page. The command structure should be used as the following:

Decryptolocker.exe –key “<key>” <Lockedfile.doc>

Upon successful execution of the tool, the user should be presented with a prompt indicating decryption was successful (Figure 5).

Figure 5: Successful decryption of File1-1.doc

Conclusion

Operation Tovar made a clear impact on the distribution of and infection of machines by CryptoLocker. However, there have been no known avenues available designed to help users get their encrypted files back without making significant payments to those responsible for infecting machines in the first place. While the remediation of infected machines can be somewhat difficult, hopefully with the help of https://www.decryptCryptoLocker.com and Decryptolocker.exe, we can help you get back some of the valuable files that may still be encrypted.

As always, to help prevent a threat like this from affecting you and your data, ensure you backup your data. Ideally, this would be done in at least two locations: One would be on premises (such as an external hard drive), and the other would be off premises (such as cloud storage).

View the free, on-demand webinar DeCryptoLocker: Relief for CryptoLocker Victims for additional information.

FAQ

Are all encrypted files afflicted with CryptoLocker decryptable with this tool?

We believe we recovered everything the from the CryptoLocker database. However, we are aware that there could be a limited data chunk that could be missing which is related to either the takedown or interruptions of the CryptoLocker backend infrastructure. As a result, certain files may not be decryptable. Also, new variants of CryptoLocker may be released at any time, and the tools we discuss here or have made available may not be able to decrypt files infected with these more recent variants.

Does this tool work against CryptoLocker variants?

There are several variants of CryptoLocker, all functioning in different ways. While these variants do appear similar to CryptoLocker, this tool may not be successful in all decryption processes because of code and functionality variances.

Does any of our data get stored by FireEye or Fox-IT?

Under no circumstances does personal data get stored, processed or examined by FireEye or Fox-IT when using this tool.

Is this service free?

The Decryptolocker.exe tool is available at no cost via the website to anyone that has been compromised with CryptoLocker.

How can I use the Decryptolocker.exe tool?

The Decryptolocker.exe tool is designed to perform a few different types of functions.  Here are some examples of various prompts you can enter, depending on the result you would like to obtain.

1) If you would like to test a file if it is encrypted with CryptoLocker, you can enter:

Decryptolocker.exe –find File1.doc

2) If you would like to find all files encrypted with CryptoLocker in a directory, you can enter:

Decryptolocker.exe –find -r “C:\FolderName”

Note: Remember to include the “-r”

3) If you would like to decrypt a file encrypted with CryptoLocker, you can enter:

Decryptolocker.exe –key “<your private key provided in email>” File1.doc

4) If you would like to decrypt all files in a folder, you can enter:

Decryptolocker.exe –key “<your private key provided in email>” C:\FolderName\*

Note: Remember to include the “*” at the end

5) If you would like to decrypt all the files in a folder or drive recursively, you can enter:

Decryptolocker.exe –key  “<your private key provided in email>” -r C:\

Note: Decryptolocker.exe creates a backup of all encrypted files in the same directory before writing the decrypted file. If you do not have enough space for these files, then the prompt may not execute, and your computer may run more slowly.  Ensure you have sufficient file space before proceeding.

 

Disclaimers

There are several variants of CryptoLocker, all functioning in different ways. While these variants do appear similar to CryptoLocker, the tools discussed here may not successfully decrypt files encrypted by every variant because of differences in the programs or for other reasons. Also, while we have many unlocking keys, there is a possibility that we will be unable to decrypt your files.