FireEye and Fox-IT tool can help recover Crilock-encrypted files


Since file-encryption ransomware Crilock (also called CryptoLocker) has reared its head, the security industry has been hard at work finding ways to mitigate and neutralize these threats. We've also been hard at work finding ways to recover from the encryption and restore affected files - such as our recommendations on using version control and recovery options in SkyDrive and Windows.

This week, researchers from FireEye and Fox-IT have released a tool that may be able to recover files encrypted by Crilock - without having to pay the malware authors.

It's important to note that the tool comes on the heels of a takedown of a Zeus/Gameover CnC server that was previously being used to authenticate and generate the encryption keys. This means the tool can only provide decryption keys for files that were encrypted by keys generated by that server. In other words, the tool comes with a caveat: it may not work in all instances.

Ultimately, however, it's still worth a try when you've tried everything else, and we want to share as many options and techniques to recover and protect your systems as possible.

The tool, created as a collaboration between FireEye and Fox-IT, is hosted at www.decryptcryptolocker.com (note that you’ll need to consent to their Terms of Use and Privacy Policy; Microsoft doesn’t own or operate the tool and we won't be able to help you if it doesn’t work).

The user uploads an encrypted file (it probably makes sense to use something without sensitive information or data) to the recovery portal, which searches for a matching private key from the database. If there is a match, the user receives an email with the actual private key which they can use to in a stand-alone command-line tool to decrypt each encrypted file on their own.
Screenshot of CryptoLocker uploading a file to their online service
Figure 1: Uploading a file to their online service

We tested it out with files that were encrypted in November 2013 and received positive results (via email) for each file that was encrypted:Screenshot of instructions from the DecryptCryptoLocker team
Figure 2: Instructions from the DecryptCryptoLocker teamOnce downloaded, the tool can be launched with a command prompt:

​Decryptolocker.exe –key "<key>" <encrypted file>

 

The command line operation would look like this (you just need to copy and paste the key from the email and specify the file):

Screenshot of Crilock decryption per file
Figure 3: Decryption per file

 

After applying the decryption key, you'll receive an acknowledgement and consent request, and the file will be decrypted.

Screenshot of file successfully decrypted by Crilock ransomware
Figure 4: File successfully decrypted

 

It's important to note that this tool will not work in every case - it depends on when the file was encrypted (and, therefore, if the CnC server that Crilock used was part of the takedown).

You can read more about the tool at the FireEye blog Your locker of information for CryptoLocker decryption.

Acknowledgements
We would like to extend our thanks to colleagues at FireEye and Fox-IT for providing this kind of support for users whose files have been compromised by Crilock (CryptoLocker).

Marianne Mallen
MMPC
 

Disclaimer
The tool described in this blog is used at your risk. Read the instructions carefully on the tool's website at https://www.decryptcryptolocker.com. In particular, note that you will be asked to consent to the site's Terms of Use and the Privacy Policy. The site is not owned or operated by or affiliated with Microsoft.

Follow us on Twitter (@MSFTMMPC) and like us on Facebook to get notifications of our blog posts and industry news.

Comments (20)

  1. akterhossain butto says:

    all Updates

  2. Bob... says:

    Trying to repair 10,000 files one at a time is a waste of time…. 🙁

    1. binh says:

      HELP_RECOVER_instructions+wie
      file (microsoft, pic, txt, ,,) => + .micro
      Help Me .

  3. sanket2 says:

    Hi my all files are renamed to "gtdc.PDF.qjzoiqi" original_file_name.extension.qjzoiqi
    So .qjzoiqi has been added after actual extension of the files to all pdf, xls, doc & jpg. If renamed manually the files appear as corrupt so it means they are encrypted. Please help to decrypt, if any one has solution kindly let me know

  4. yismaw says:

    what about CTB-locker?

  5. nc says:

    Hola a Todo,

    Se me acaban de infectar 2 pc con este virus, se han encriptado o codificado todos los archivos de la 2 pc, tengo 4 días trabajando para conseguir la solución del problema, he logrado quitar el virus pero el problema de los archivos no he podido solucionarlo,
    sigo trabajando con el tema pero cada intento que realizo no es factible, si logro encontrar una solución para la recuperación de los archivos que vuelvan a su estado original publicare aquí en el blogs la solución del problema, le pido a los colega que están
    pasando o pasaron por esta situación que publiquen cualquier comentario que pueda aportar un granito de arena para la solución.

    De antemano Gracias a todo

  6. SolutionRansom says:

    Actualmente la única manera de recuperar los archivos infectados es con backups o restaurando a versiones anteriores los archivos mediante el shadow copies ( esto en caso se encuentre activo la herramienta antes de la infección). Otra manera es usando
    algún software de recuperación de archivos, esto depende del tipo de ransomware, dado que algunas variantes del malware crean una copia encriptada del archivo original y posteriormente borran este, lo cual permite su recuperación. Hasta la actualidad no existe
    herramienta alguna que recupere los archivos infectados solo prevención para evitar ser infectado, ya sea mediante políticas de seguridad local o de dominio bloqueando rutas definidas donde se ejecuta el malware.

  7. newsages says:

    pero por que no lo soluciona Microsoft? no se tiene garantias de un producto por sus fallos?

  8. lostfiles says:

    there is nothing on http://www.decryptcryptolocker.com anymore :/ site appears to be dead

  9. mou3ad92 says:

    http://www.decryptcryptolocker.com is no more in service , help !

  10. m singh says:

    today i get infected by crypto locker pls help me to recover my files
    i am a common men from india can’t pay

  11. dain says:

    I need a Decryptolocker.exe file

  12. Recep Ağca says:

    My All Data encrypted

  13. binh says:

    HELP_RECOVER_instructions+wie
    file (microsoft, pic, txt, ,,) => + .micro
    Help Me .

  14. Lauresa Tomlinson says:

    I’m not sure if this is the code you want but here is a little from the 1st part off an Excell file
    ‰PNG

    IHDRâèsºQ®sRGB®ÎégAMA±üa pHYsÃÃÇo¨dÿ¥IDATx^읍qã*€_]WPêI5n&Åä I°ìÂJ–;ù˜ùfÎö„¸äî¿¥}ÀÃ1;àZÌN¸³®Åì€k1;àZÌN¸³®Åì€k1;àZÌN¸³®Åì€k1;à™üûüþúÞÚ×ç?{ÌËòñ}Û,ÿþüg}ŸˆŒy%þ}æ„Ü>Œïÿ*ÄàNÌNõ–Ú×ç÷?õýÇö–ÝõWßéV½Äå—ôQë_àµÜöòBwûðç•Ö½T*›šïdþíûcíkbÓ´Vž›åùT¶w6ŸÏÑ?DZýH<¬ï–ÖÙ+Òo´mG$GsÝ·;.âŽØ{DW3;K¼?›Ïùeè¿&ùü÷yûƒq9‡õÅdlÌOÚ=CÕæ!Û^Ù§+8Ø1;
    ê°|I‘/7ºKžé¥Eþ¶}9Wz–WÚáÅÔJ3Þ»Ð8lÿBÝ_<)ôÅËDçFÜ_‰ñíû–çTrÏçhôÓLGâÑô{öžÕ½ÜZÛ$5üª…UckNتcq»IÝ,m³[ɵf-42ëxÛ²7½NmgŠŽAíšcÀzyl_0Û£^ªÝÎlŸ²YëÕîK`Ô_±’ÉêmHËÑü§Å4GâQ÷ì=­¿Í­‡(Ì9â—«[‘û„­º†»üú+[~C¦Äd¿$qj4
    ë.¤_ŠMì4þÏ]Ç7³Æ!ÍÑuf؉忋mÝŸŠ¾bÃèÂJä•ym1£Ú92¦×eÅå¬oVüÒÜõsÀæbßÒV{”Ì¥¥\Êœ‘-OÃì4è_Àò;PzÙ‘÷µöÅwû¾“§^ ÊËÛŠ~‘Ò/½côûXj­ÎãöÈK`ö7#C³}öe-Cú«ì[ío?¯ãîÏ‘îÛZÿ²ŸegÄeÀÞÓúÛÖÆW_Ĥ6Œÿy¿ºVô°5c]]³8ý–L56õI¼½K
    »¶ÛïrþzFc<‚kbG|ØÇbyÈï¦.4nϧ¢_û#:$?5¦_šœÓÕ —“¾õ²k"6‹ŒdÎ6FÄîõjŒøAÌNã,¿-/6óòÚ3Æü f§ýbªÞq¶–_~ô‹®ñ”Ö_´d”çÍF½ Y—‡í±_¨ý¢²y×­ã2¾Ôˆø«l±Zñ÷`ŽÔ­÷Å#hïYýV~27R?GürÐ^eÄm-D.\[~K¦5vz)eSâÜÄM3ãùc×ñŠQ3]¾C±¬Çé¶Í1lˆèv|’©‘šÌy/¶ìÚŽÓc]V\lÙsfó″6ëœpo‚Ùi༷/³êâÁÑR²º‹
    õÝ¡;õ‚æ\~³Ç³1:VÙ³4ÿ0à¯y¡¢/ü—ävþÚ,»ÝCÙ³xœ±wªžßsðk) íO¡ó÷„­VÌäF¡Î¯×oæAÆš¾t²¼øÈz]nŒÇxþ(U¿½†»Ë°P,[~ï6„t{>Mõ’úX÷òYæ˜&§Çtv¹9éÛl^Äf‘‘ÌÙƈØVŒøAÌNƒÈËñÒª—uû¥TÆ«¬‚Òc~ï¡t5昈=Öœz”—:ã%³»|ἤÎý•ÒFFûRz&G•¢ßÔŒGÜÞºo¬?’ß
    ™«ìÍs×è—éÙþ¸­+6EpŽSgúË2%6›­ëg]+ßžÎì£]³±1š:îëBÍz±.¤;âSÕ¿ÉíÖoÓÙ¥ë­_^žCcBºú¸œöÍ›—ìX?l{›³LcÀbvX/`;ê®z¡Ú‘—’ÕZ¥§¼DF—6ËÍ1{”ÜÒZ»Æ/¢ÒòˬFûk´¯Û÷Í‘Ýû|>Gê]U5ËÞY<üXŒr4×o镦_°uÌã/Þ‘<{v&w¶‹_–4Ó&•Ÿ"KnqÈ6ý:çU¿ÌµPésò™m3j©cú3¨ã…:_ß·²@v¿±¬qÿ¾Ë°Û‡ñ=¼ fgÇÇm¿¨.»ÔÁ÷íû£ŒÿX>í-]ëè°Ç÷—¹!»7š;É¥
    þ½:5ø¶È•¶ù¢eÉ…ÓÙøxMâ6¶½Í{þÜÇ]䲋JÞÚ×Ê¿&­®Q¿êËMÏQº‹.qnWëKþ<Š•jf<,¹#9mÝE×Á†–獀Ә&í¥Jþ|ûÜ/)¼‹u‰‘çv—u녁¾°PrÊ…ˆºTh.$*ô…úÉ©d¯}¹àÈ
    Ù-v]ežsWßv,}Ê×¥%EO–qO|¼þˆíJÏ-Y[¹ÔÛ¬ýÒyÞÚ¦SË϶ݓ)ZÉ…’³ÕCk“!·›³ÐÉŽÇ*!ÓsþV<Æ}nî”ÍeÌ‚»t]V6ÀE˜6åE=],ä‹€ôç|‘¡ÿl]¨¾î£§¿dq.hú¡ó‹×î*&û<ë’D£.<ò…ˆˆÝ/@Œ1-ñø8ý!ÛÕ%P5Π½¬RŸS«û¬Ë«lÛùÈc½¬6nf½´ºZßÒ˜N÷X-t9_±âaôr^Mžj{àBÌN}‰ò±ÿy}iϪ?ýÙ»ÔH}抺4©Z¾lð.šÚ‹…½Ýç/~ä²Ãi–EFúzëë.eŒ1çãc÷Çl·.†<ê‹ Í©‰êr¨\öXòÏ磌UH(Sœz}õ÷y^cƒÒºˆ›Æ꾋¸Pî‚ë@diÿà˜r9Qþm³æb@þÍ3õR¹@‘ې2¦¿ ð.š‚—ç/~Äì—Ê×ðEœú|vÌöc—KŦeì&?ÉÞõ/¾}fE–%ÿ|>ÊXšW~Z·ãÐØ e¼ÀEœm³A`pð4ÌN¹ØZ!²7}¹pòB뮋¸ŠÙ¼;.~ÚÏEæ«èEœ|ljýjþŠØÜÛÛ_ræ1’”#’Xu9_™Äc£…œ»Õm‡³tlìõavú¨—ùåµ]]¨Ô0Õ}ðEÝ=-íëûv+×®žú»öÒekã‹S[§š§QŽF/âª1k;?ncۏ].%ÄN#]7•Oþ}ùèÑòt¼2ÊŽÜš.“Ôä×°³îc±ÓÏ\ÄmŒr]zqÅìø]¸OÃìøUðS_𘝿õk©í¯›R Ûše߿ΡÁždøÂ%&ÀŸÁì4Ð/+êÅL¿PL_xžÌ©Kåç«ù=\Ä ¦/öïxçørïEÜ×ç÷¿½__féË.¹«×ùÖß®}ý¬Jmßúž­–%öô1оÊ6´û¢bÒ^Ú‰¾wÜKàÌNõÆ’_B^ú¥BÞŽ¸ˆû­œÊñ_ƒšþ9~Sì_.¼ˆ3ÿbgò—=ÿ>oõÚWϩܼŸÔÿ›ío÷Ìsü—­IùÇ~FÇ€æ§$†/`zìÞœ®ò’Ô½¤(ë‹Pþì]ú©§ªeyÎ÷Å.o~Ò7›ÛÓ½°é¾2¯}!ê±Çy/œ‘ñbonýËbÿ⺴dÛEùœÛà娷u%dWbŸÖî¥O×þíVþœZ•5®nŽ½áü·xö{ñJ1ŸåC}Ÿ›¶ãa1ØÖBT÷‚[³®ÿ_ß_E¸Ž»ßÔ|kö‰½¡#·31WHìC­}_NØÔëÛûu­ä¸èB¨be#¾Ý¾o•ÍØ¢ëöý)ÆØ5¦žoROûXeŸö·çù
    ³ÓG¿(åÖ½TÈK[~‘—’ýePÉ)//òÕ¿¸,/xêu§¼PŽtöòÒ=×z1R/œÕË[dnÍðE¬Èjíèq^“»æ‹ït¼è(ß—9“—È4.}¾;ŸÚXY:”v©1³ø,Ü®ÆÏØ{¢Îæö‹Åþ•Q>zÛGkøÚj!¤Û‰]š»~øoÙ¨t®q5lè}‹Ä>÷_óù>Û¤t—9­î±}•/’læ¦tï¹×zuÓó
    µ%Yÿ“>F2YÙR÷¯uàŒëe:~¬Í‹üBÌÎ!ê½cmå‚cÇ|©i_°Ôç2¿½0ÚŒ_¤T_CÿÂè¼lôsZõëÒ꾸¦¯¦ãKœ´û5_³Xޛπ
    ¦Ø5§²;ׄ’[^¾#rgöˆ»Îæö{5íçÔÙúü¨”ïõÐ=õ ˜uy°lh.‚B±ïä+{OÄ\tì¨9ñ}ȨyÏ—36iùêBM¦5—lå£é±jÜêWûy—»³½ã:­çöý*.Ê–N¦Ž{‰ß¨à—bvN°_<2òž¢_,š—¸öå0)G/ƒ6¦ÎN^BÙQµ<ÏyÙÍmû׾՞ŖÍ÷ÔW^Öª8Nô4/Ò¹•—à–ÉxyatÚ;§¶Ž3ù<mƒ™cEÄ®i<
    »Õœ2®‘{ÊÞ•ƒu6µß«i?¦í­œÅ R§uWŒ÷—z~°ºXÇcoÛ{<æ¢##ºÖ9ëøeìp²bãør§M]«âÔ té–õv1Ù¦ôHÍ){E˜Ìmúå‚NŦk»Lm»öÑ”¿³s‚zéx§‹8õ“_¬ä,Ïs^6Cs{ʘEÖ&"Ýu,±ûÌb³®¨žÉiÇ`¼¨ôý˜Ž¹3Ÿ§mèt4„ìªÇé¶ÅÓ°[/1oäž²W&óß2´ß©éÃùð×ð•1°u7œÕ]1Ù_”ŽÛgþ³²Ù²¡‹u«zÜ–ä™ùÕëяwBBŸ‘Nü”A!¿àÝ1;’¨Šò’!Ì.ŽÖ—
    õùŠ‹8Sg#OÞwdL?Ï~YŠÍ5P/YkÛenÝòÂçœÓã¼à¹4ã‹ÒÁ‹ål̽ùØÉq;’fWKOÃnë%½‘{ÆÞòµšª³ŠÖ~¯>ü|˜:køÊÌó³Ð=—3Û_Ô÷¹éýβAÅzë‹Çþª˜‹E³·]çÖÝïCvl_NÙ¤ä[UKÓëU⫈ÄfAâêÇÇcû+¡­Ç¶RŸå³¥Û¿³s‚zA1_ú—þ%³#/8Ɖ~ñ³P/aý¥Ö&oøÂSì:ñ²TæZ¨X-­Gj2?¢gã¼Ë‹´0oûœçn6;c’¬õó½ùØȱÈËÌí:Ÿ<NÉr»Ë‡ö®¶Tß+ݪNº9§ò;ÊG`
    ?(GkÁÕíÉIs×Ï#ÿ7Äç­] Æ.F‡bQÌWY-Çö!Û¾A<KwÔ¦¹¬27˪â§ëh³[|itZö5xsû|ö9ê±b·£lq÷/6ð[0;'¨—:÷EA½LäÖŽ•7©µÝnåg¼ÐXLåé—·Ô¾–1Ez ­_Zów±¹=2O½äéÎÆ·™žúå9·æåSo[FªNsLÎë4þó|Nm˜ê0˜Ì™ÇÇ°;zùpÂÞzʼÎbùµjz–É~`ÃZˆêöä¬~Dö·&þz
    W­ÍÓ‘Ø_sIƒ§}ðì¨ú
    _NÙ¤ä7Ï…:_Ûü¦„J+úò*›»ï6D§a¯¡<_*gú墍¡ö#1ò~f'<ìßiRÿ¶Uû¿%梠þ£HQÿøý‹pY®ŒûÏ£ÿ±ÿÔºðÿU¹¯\‹S_cÍ;Üÿ¶ß›ðÿsx ÞzÈëfôlŽŒyE^pOx볐Å#kãªü½kýfô¿ü[êæRÖöÒ~Áû(¼,f§l mAJ­Þ¾?TÿSxêEœÞ#þ8/Âã1;
    Ôá©Ù„dƒzäCÇÑÿ°E¢6õ¢ïì6òð Ð=ð_ˆËò`ÅýYø5~I—wX¸s½<ª"r»1–_^</ŒÁ)"5vÞF;ï¯Ê«æè
    žýÌøM¼B]ˆ
    ¿3OÏŒ¥Ò¥ö%}™¥_TËÖ<¶þö¹ jemc_Dvjµ,±'Ë°k ÛcÕšn_¸E߁‡öoxýÏ!Çp´f"c~k}Dö„'?»¤g¡÷áºÚx\þlÕ¼ÞãÆDbðSüìÞ5çgì“z¿õoÙià/€SÃ8úŸzw–‹6ÞîÿBp×!ézÐ…Ì£ê!"7¤ûgšs[cÏû¥¼jŽ®àÙÏŒßÄ+Ô…Ø@žîÅ~IÕk¡äÙêSüû¼Õ{~Ùð¤™?}² _Š·¦Ÿv͉øý|é¬_sß
    =§B{„·F~ríä.moøŽw¤ãþk¹³1­_£x1X™ÄøàZ«Z峧_s.O~Þ™¹
    íÊŸ—˜)Á·E·´­>µ^Yo³XüTŽ,®–;ð퀬>ŸÞZ†sèî/-–¶ÆÄ«“¯ï¯”Ü©«Ô?°a«W©±cöÜôcÞø^d[ý¶ß¦}ÊŸò}1b¾onsŒXFã¤ÆÕÍ«O’ZN¶A³Ê±¸}û¾eaÖ¼¢kyÉc쵡βö±Ê>“nœ›ûcÜ4ÞñÚxß©ÏHÁš±|R1–³xÃdŒ¿–¦q±™¢Sê&ûÑú¦>—zŠì Ƽpì’þ¯x¹7êΰ»jV;”¼Üªy­¾üyµò½n­_zl]?ž?[¿­þvüÒ²[Êx«ß“1³o²vÕ—ñ3´ 5Ðúp7f§ZÍ”¼/½àUA§qía¢|_æ‡G¿Þd÷ÒÿÃ}jƒ(úŒ¾~±½ÛðÜEÝÎYúd’ØmîÇ´º‡‡Ó}L”äSƒ1§·7’+îòsíÓÈ÷UôËXÁÞ¸¯ª¡¥¯‹oKš£íSº‹M¹‘1ã¼Õñ[ú[Œ1Áuaç=à_¥3y‘Ûò}º´Õ5vii_y:o³XüDŽZ/·ò-$Kü/5_æyë-0ç îöqêãmúX1¨©ÒmTqÖMÏ+Ô¶3Š­™¬³O|RöÊdeKÝ¿ÆÍ×ËtüX›¶ÏˆÍÁ”«®ì_?븣/¢¿ÙÄÚx‰NÁŒa#×ÓÚ£>w›ñÒê¾]NȧkN»y‡òÐÇøa~2v…ô‚„L?ÜÏÕP¤6ùcDÎ`­žÒm­oϸ?Ç^œD‡ÐúlÛÚr.O©Oº$ï!ÿ´Îj,¡Éœ­¯ÓcŒiécñó9z\îß”²ÊçÑ^•ûw”séöüÔ‰ás—sË5oë{…µ[ÛT†g?‘˜bbú0BùSÖZãÏ\fËHœL¹ÓX*]j_’iúµP¾0š«Æ­qh?ïãrwöiìC=·ïWùí±*–%¾æÚ1bªWo8ý–̦ÆÕL›3õ]¿è˜âß`-…âb æ­zun–V÷e9Ê×Ç:^R¶Íe^ öÿckϲ»Gdi}Þ¥¯óEékdÅì͈œ®6~:ÆwzžZân³^DyßôX5nÕÙ~Ö2gt1Rˆ¡ýw+Ê¿®fú=§«¯®nêy[_/§–¥lkä™c*æ6ž‘±Rbg×Ñꛑ7 ùžïQnG¹¸³ÓÀYR»ý‚×-/~YlNkäo8ú­ÍEV׺`Îé³F_@¿¶ýK~†x¸˜»˜&¹æ˜.NÖf´ÌÿØìN}%>y3
    ùÔ`Íil‰å¡ñÃüì°k,¦?÷2­ï\
    ™64c6ù-ÊΪmr”rcº
    ¿ÜÌq¸.Ç>Û¶¶œËSê“.É{È¿‘]”`ùjëëôcæ±ø© ’ëúu晚ÐmÇC3®ßz~°Ž»Xý|]hÞs3š§#1ÑMâÓ Æ—µÖú3•ÌM#׌÷4–JWÛ²n‹‰-#û•É›²W„ÕqWýó}-5#þÚGS^C þqú-™ƒu¢[2W¯Ã†Á˜«ö/-Sú[ç­s–ñÃó™±>{Bx]5±ø/¥3Z{–ݍ¾ªùù2õuõåé;¸Wëç‡ó— ÚصVŽFÕ†n¹Nºšµ¤Ìm}ör­Äe¡žoŒ5ínk©ýlÉÎ:›±“8örÆ6êæÛ»É
    í]¢|ùØØ3<Cïrp'f§½æ",(süG¿µ¹ÈêZÌ9}Ö¦ÜÜý•íº©õÓæ_}œÊ&µ|Þæ¤ñû¸Å†ÏÆó³£—™ˆêo‘éû±ø•¹’ëúvv½M͹D÷¤~•ŽÛgþ³Š‘eC«Ÿ¯‹J†nÓue0‹I3F7‰‘=¶Ø-†2Ïí1¦ÏÓX*]{üDŽÒ5BOhkÄj†·y5² {–çÛ†„ ׇSÃÊ ×ï@ü5âô›þc‡5³Ë2ÐçëûÄhŒ„å¾ý«›³£uoS’žÝÿ%gýùÌÚçT¼tS{Bx]5±øoŽéü7ôËÄ¢¿÷Ø6µ5cÅi0¿³wcV??š¿±jÞ.O…]å}€ž°êpìÍ­²;@©Ã~­˜¹ªðã²¢jüêç¾m›1VéЭè›Ù8•qľ•[.âàÅ0;
    úMnܯiTÿ‚¶ ¹¹´òOé³6=£/¢_ÙžÆÈXÍi0ҍ\sÌО½í¶oÝò}–’äSƒ5§í›ÉXécü0?;ìëowõr †”õ°É$2§•‘Óm­gÍžÍq NŸm[[Îå)õI—ä=äßÈ.qlùjëëô4cäã(ÏÏ‘èØx”ܧ?3″s.Ñ=«_õ}nz²lhžQ¯P­M¢çˆŒÌ$&žÿ;ÊŸò[ºq¡zõjÄé7ãeÙ­ieÙ>%²yþùf2¦óÏ ÇÆ2no{l¶në|¦ä”8Öñ2÷k^$öÿck¯×/®Ë¼^V7S_ç‹’OÇ‚ãgîvëGœØÚ3ó·3¶±_µ~–Væ-‚DŸ¢­Y7ÖEìé|(ñõdúqé¾ÏM¯¿ÈÐñR:bu¸÷,Y;Z¶}óØ-”1iêÖ’ÓvŒ1ý|€k0;m¬”U‹1÷­‹V/’nŒµaÊ\{Q;s¬Í@VWÿ`<£ÏÚDr_H»Ù)9eLƒW ¿'×Ù0õæµ´~lj“
    ¶ó©Á˜ÓÛɃ÷ùÙáÙÕ_#!Ó²NÖP¨jÄÆü½®»ÝîˆÜn+o^<­±âòÙÔßbŒ‰äié“®£54°K¾|µõuzš1‡cñ¤m²4’ëø’åÅe³­Ì«Ì¹Gwš»~¶rS#ñÛZe¯aCo×K÷³êBéžÅj¡ÍÓ(&ëw:–ÊÞ¼ÞjzŸ‹;»ms™F,#q2lku'NJV™›…5ñ[N%žNˇo®ôç:ìãÜcÕäN$æVl"yðbˆu–Ùú{¨f*9N9n³1žìÍ®Õæ»â"¹L­AjÚ6%§Ä¤­5ÆÒ?XW}­óß_{½~ÑeŒêïëh·®DÈÞÄ‘úÙÚSóWÍõl´â· bPtä 4y–Øl:ú¼íXë Ä W#û×Ï£¹u.Û›‡µTÅf^‡ëgm—Q{õ¼­iç2&þìRN9D¨®¥9ùÿõ‡y¾Âƒ1;
    Ñ3Üþ4Ñ_})Æä­H?™ J€¿­¶îrþ­Ÿ>ÉDÆübþèžÛ+Þ¡6^ØF}±4lb»<‹®õçžûo÷þ³{<³ÞyÙZNŽý¯ÍüɃå$&o…ñ+BKã%áÅá…îçø³±g¯xMt^®ºŒ{‡çþ›=‡Õ¯ª¾ËOïÁ[bvÀµ˜p-f'\‹Ù ×bvÀµ˜p-f'\‹Ù ×bvÀµ˜p-f'\‹Ù ×bvÀµ˜p-f'\‹Ù ×bvÀµ˜p-f'\‹Ù ×bvÀµ˜×òïóûë{k_Ÿÿì1Žߟ9(·ãû;!毆ÙÙñqÛou¾¿¾?ÿå~u™ô}ûþ(ã?–O{K—L\

  15. privato says:

    where is the tool, please

  16. Ferenc Halasz says:

    The decryptolocker dont work from august 6. 2014.

  17. Sam Ryan says:

    Its easy to get around Crilock ransomware you just use task manager and end all the internet explorer functions and webpage activity I been doing it every since crilock first raised it head,

    Crilock ransomware does not lock your files at all unless you keep clicking the links or try and close it via the webpage X ,

    First note the type of message warning you get write it down then leave all the webpages open.
    Now open task manager end all process associated to the internet explorer or google etc then close the webpage and reopen the web site and close it normally then your access to your PC and files are free.

    Then just to be safe update your anti-virus disconnect from the internet at the modem and then scan your computer once everything is scan and no infection is record.

    Reconnect to the internet then open your web browser and research the message of the website that tried to lock your pc access to the files you be surprise how easy these websites are using companies Lego’s and website information like Microsoft to place hidden links into your searches to try and block access to both your pc and web browsing.

    But as soon as the first warning message appears stop clicking altogether this is why people pc are being locked in the first place it as the ransom where is recording your clicking of the keys and mouse so just stop and immediately open task manager then end the process and follow my steps above.

    No need to use any tool to unlock your files but always follow it up with a offline virus scanner to ensure you are free from hidden nasty that may down load without your permission.

    The other advice try and stick to sites that you are familiar with and regularly visit and do not click on the links in them even they can be hi jack.

    other thing watch out for companies like promoting their anti-virus tools spyware etc. they can be just as bad as ransom hi jackers,

    I found scan guard to be the worst for entrapping you into purchasing their anti-virus software promoting top line for x amount then after you pay your money they give you the basic anti-virus program and then want you to pay more to get tools you do not need and your purchase is useless cause the basic tool is locked after they download without you permission update you never wanted and one you thought you already paid for.

    So just be careful what you search, download and pay for as many companies are pulling swifties to ensure they get continuous work and make heaps of profits infecting your pc, promoting in needed and unworkable software and entrapping you into software deals you do not need.

  18. Sam Ryan says:

    Just to add further even apple mac get these ransom ware lockers so do not think its Microsoft windows alone it every operating system and software app from mobile phones to government servers that can get infected no one software is free of the possibility of being targeted even internet security sweeps can be hi jacked by ransomware,

    Its just some people are very lucky and others are not due to the timing of the ransomware running the internet and in which country is being targeted.

    this is another advice take the time to understand what third party software is running on your pc other than the operating system as these are usually the culprits to why your computer get infected and or crash your pc in the first place watch out for trial period software they cause more problems than they are worth stay clear of them if you install them immediately under install them and find out where their hidden registry key is and remove it.

    Trial software can act like crilock ransomware too once the trial period is over and its very hard to uninstall some of these trial software as they are interlink with operating system share ware files or in other words critical files that run your system.

Skip to main content