Bitcoin Forum
Author Topic: Cryptolocker decryptor won't run on Windows XP  (Read 536 times)
timmas (OP)
Newbie
Activity: 5
Merit: 0
December 09, 2016, 12:47:35 AM
 #1

Hi,

I'm hoping somebody can point me in the right direction. A customer of mine was hit with the Crypt0l0cker infection and had all their files encrypted.

They have paid the ransom and received a file called decryption_software.exe however when they attempt to run the program on their Windows XP PC they get an error stating "not a valid win32 application". I tried running the software on a different computer running Windows XP and got the same message so presumably the file has only been written for 64 bit Windows.

I copied the customers files to a computer running 64 bit Windows 10 and ran the software which runs the decryption software however does not decrypt the files. I have heard that the decryption software generally needs to be run from the computer that got infected.

I was wondering if it is possible to analyze the .exe file and have it adjusted or rewritten to work on Windows XP. Or possibly I can extract the encryption key from the .exe and use a different program to decrypt the files.

Any ideas would be appreciated.

debtstack
Full Member
Activity: 154
Merit: 100
December 09, 2016, 06:05:40 AM
 #2

Quote from: timmas on December 09, 2016, 12:47:35 AM

    Hi,

    I'm hoping somebody can point me in the right direction. A customer of mine was hit with the Crypt0l0cker infection and had all their files encrypted.

    They have paid the ransom and received a file called decryption_software.exe however when they attempt to run the program on their Windows XP PC they get an error stating "not a valid win32 application". I tried running the software on a different computer running Windows XP and got the same message so presumably the file has only been written for 64 bit Windows.

    I copied the customers files to a computer running 64 bit Windows 10 and ran the software which runs the decryption software however does not decrypt the files. I have heard that the decryption software generally needs to be run from the computer that got infected.

    I was wondering if it is possible to analyze the .exe file and have it adjusted or rewritten to work on Windows XP. Or possibly I can extract the encryption key from the .exe and use a different program to decrypt the files.

    Any ideas would be appreciated.



They paid the ransom? Why the hell would they do that? And another question, if you got hacked and all your data encrypted, why would you trust the software to decrypt from the hacker? Look at actual security companies as they have actual decryption tools that work.
timmas (OP)
Newbie
Activity: 5
Merit: 0
December 12, 2016, 09:55:58 PM
 #3

We have been able to successfully decrypt files that have been hit by the cryptolocker infection before by paying the ransom. The hackers themselves have an incentive to follow through with their side of the deal as it would become known that there is no point paying the ransom if they didn't provide decryption software. I have searched for decryption software however none of the programs available will work with the type of Cryptolocker they got hit with.

Perhaps you can point me in the direction of a security company?
ZACHM
Hero Member
Activity: 777
Merit: 1003
December 13, 2016, 12:23:16 AM
 #4

But because people like you pay the ransom, the hacker/ransomware people will continue to do this.
If no one paid the ransom, then they would have no incentive to keep doing this.

If I stole your car and then offered to give it back to you for $1000, would you just pay me or would you refuse to pay and report it to the police? If you are just going to pay me, then I'm going to steal your car every couple days, that way I can keep getting paid.
minifrij
Legendary
Activity: 2324
Merit: 1267
December 13, 2016, 12:39:24 AM
 #5

Let's not bash him for paying the fee currently, shall we? It is said and done. I just hope OP has learned his lesson for next time; that ransoms shouldn't under any circumstances be paid.



Have you tried running the executable through the command line as mentioned here?
To do this, put the executable in your C drive. Then open a new Command Prompt window, make sure it is in the C drive (if not, you can navigate to it from folders by typing cd / or go to it from a different directory by typing C:) and type the command exactly as it is seen on that post. Be sure to wrap the RSA key given in quotes.

This will also only work with the original strain of CryptoLocker I believe. If you got infected with a different strain then I have no ideas.
timmas (OP)
Newbie
Activity: 5
Merit: 0
December 13, 2016, 06:02:10 AM
 #6

In defense of paying the ransom, I was acting on behalf of a customer that requested we purchase the bitcoin and pay the ransom in the hope that he would get his files back after exhausting all other options I could think of.

Some people value their files at over $1000. If I kidnapped your child and asked for a $1000 ransom to release your child would you pay the ransom if there were no other options? Even if there was a chance that I didn't give your child back? I know this is a stupid analogy but so is the car theft analogy, point is ransoms are a fact of life even if I don't assist with the payment of them.

The customer has learnt his lesson in that he will be more careful with opening email attachments and will have a proper backup in place. I however have not learnt my lesson in that I will assist a future customer pay a ransom if that is what they request.

Trying to run the decryption tool from command line generates the same "not valid win32 application" error. I believe it is a new strain based on TorrentLocker, apparently called Crypt0l0cker with 0's not o's. The extension of the encrypted files is .enc

I reckon the decryption software would work if the computer that got infected was running Windows 7 instead of XP.
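The OP's guess in post #1 (that the .exe is 64-bit only) and the restated belief in post #6 (that it would run on Windows 7) can both be settled without executing the file: the "not a valid Win32 application" error on 32-bit XP comes from the PE header, either because the image is PE32+/x64 or because its MajorSubsystemVersion is higher than 5.1, which the XP loader refuses. The script below is an added example written for this page, not code from the thread, and it reads only the header, so it can be run on an isolated analysis box against a file received from a criminal without executing it. The `build_pe` helper fabricates minimal constructed PE headers purely so the checker has something to parse offline; `parse_pe` and `xp_incompatibility_reasons` are the parts you would point at the real decryption_software.exe. It assumes the customer's XP is the 32-bit edition, which is what the "win32" wording in the error implies.

```python
import struct
import sys

# PE constants (Microsoft PE/COFF specification values)
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B        # 32-bit optional header
PE32PLUS_MAGIC = 0x20B    # 64-bit optional header
XP_VERSION = (5, 1)       # Windows XP reports NT 5.1 (assumption: 32-bit XP, as the error text suggests)


def parse_pe(data):
    """Return the loader-relevant header fields of a PE image without executing it."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE file (or a truncated/corrupt download)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 72:
        raise ValueError("optional header too small to carry version fields")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # Offsets 40..51 of the optional header are identical for PE32 and PE32+:
    # MajorOS, MinorOS, MajorImage, MinorImage, MajorSubsystem, MinorSubsystem
    maj_os, min_os, _, _, maj_ss, min_ss = struct.unpack_from("<HHHHHH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "os_version": (maj_os, min_os),
        "subsystem_version": (maj_ss, min_ss),
        "subsystem": subsystem,
    }


def xp_incompatibility_reasons(info):
    """List the header facts that make 32-bit Windows XP reject the image with error 193."""
    reasons = []
    if info["pe32plus"] or info["machine"] != IMAGE_FILE_MACHINE_I386:
        reasons.append("machine 0x%04x / PE32+=%s: not a 32-bit x86 image, 32-bit XP cannot load it"
                       % (info["machine"], info["pe32plus"]))
    if info["subsystem_version"] > XP_VERSION:
        reasons.append("MajorSubsystemVersion %d.%d is above XP's 5.1: the XP loader refuses it"
                       % info["subsystem_version"])
    return reasons


def build_pe(machine, pe32plus, subsys_major, subsys_minor):
    """Constructed minimal PE header for offline testing; not a runnable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt = struct.pack("<HBBIIIII", magic, 14, 0, 0, 0, 0, 0x1000, 0x1000)
    if pe32plus:
        opt += struct.pack("<Q", 0x140000000)                  # ImageBase (8 bytes)
    else:
        opt += struct.pack("<II", 0x2000, 0x400000)            # BaseOfData, ImageBase
    opt += struct.pack("<II", 0x1000, 0x200)                   # Section/File alignment
    opt += struct.pack("<HHHHHH", subsys_major, subsys_minor, 0, 0, subsys_major, subsys_minor)
    opt += struct.pack("<IIIIHH", 0, 0x3000, 0x200, 0, 2, 0)   # ..., Subsystem=2 (GUI), DllCharacteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    # Usage: python pe_xp_check.py decryption_software.exe   (read-only; the file is never run)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_pe(IMAGE_FILE_MACHINE_AMD64, True, 6, 0)
    info = parse_pe(data)
    print("header:", info)
    for r in xp_incompatibility_reasons(info) or ["no XP blocker found in the header"]:
        print(" -", r)
```

If the header shows PE32+/x64, the OP's assumption holds and no patching will make it load on 32-bit XP. If it shows a plain x86 image with a 6.0 subsystem version, the file was simply linked for Vista or later, which matches the "would work on Windows 7" observation but still is not something to fix by editing the binary you were handed by the extortionist. A ValueError means the download itself is damaged, which produces the same Windows error message.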
