Manual decryption of Cryptodefense infected files


Hi All,

On Mar 29 and 30, one of our servers got the CryptoDefense ransomware, and it encrypted a lot of important files. On Apr 1st, I found out that there was already knowledge of the location of the encryption key, being in %appdata%/Microsoft/Crypto/RSA/... I backed that whole folder up. I assumed all the encryption keys should still be in the folder, no?

I also backed up all the most important files that were encrypted and that we don't currently have access to. I found the Emsisoft decryption software... but I couldn't seem to find the encryption key. I found that the SID of the account I was using was different from the SID of the "encryption keys" that I had backed up, so I found an account that had a matching SID on the computer. I tried logging in as that user, but when I first checked the RSA folder, it was empty. I tried copying the "encryption files" from my backed-up RSA folder to the RSA folder of the original account, and then ran the Emsisoft decryptor, but it still couldn't find an encryption key.

Is there a way I can do it manually? How and where is the encryption key typically stored? How is it used and accessed? I have some programming and development knowledge; is it possible for a developer to share the source files for the decryptor so I can try to do something more manually?

Any tips or help would be greatly appreciated.