Where can I find the Decryption key

[Rocco 0]

The decrypter could not determine a valid key for your system

 

Tried to use decrypt_autolocky

 

Virus was activated on one workstation (Windows 10) but infected files on the server Server 2008r2.  Where do I run the decryption tool.  Running it on server gives me the key file not found.  I would like to run a test first to see what happens to the data. 

 

If some one could tell me where and how to look for the key file it would be helpful.  I am working on a dental system and trying to unlock digital image files.  Of course the locky disabled the shadow copies and the backup has not run since last July.  Yes they are in trouble so if anyone has any useful info please advise.

[Elise 277]

Hello,

I'm sorry to hear about this. To confirm this is indeed AutoLocky, can you let me know what the name of the ransom notes is and how the name of the encrypted files looks.

 

Unfortunately, if this is AutoLocky and the decrypter is not able to find a key, then decryption is not possible.

[Rocco 0]

_HELP_instructions.bmp this file is the ranson note in a bmp

 

here is the name of a file 

DB303AED06A80C42B194C9322305946A.locky

 

hope you can help

[Elise 277]

Thank you for the additional information, this confirms the ransomware variant. You'll need to run the decrypter preferably on the computer where the infection originated from. If it cannot find a key, then unfortunately decryption is not possible.

[Rocco 0]

Does this mean that if the ransom is paid we will still be unable to decrypt the files

[Elise 277]

That is very hard to say, Based on what I've seen so far, I'd say that it should work, but while I understand it is important to recover the data, it is always a risk. Generally speaking, decryption after paying the ransom should work (even cyber criminals realize that people won't pay the ransom if they cannot guarantee decryption). 

[Rocco 0]

_{Thanks so far you have been very responsive and given me a lot of information.  One more question Then why can't your software find a decryption key.  Maybe I am just using it incorrectly I am just running it as administrator from the desktop is that correct.  The Dr. is willing to pay the ransom which is steep 3 Bit coins.  She know she did a very stupid thing by opening the email and enabling the macros.  But worse she has not checked her backup in over a year and it has not been successful in a while and shadow copy had been disabled by the virus.  So as you can see this is a disaster if the ransom solution doesn't work.  What are your thoughts.}

 

_{Kind of name does the key file usually present itself as?  Thanks for your help.}

[Elise 277]

There are various ransomware variants and even each family may get "updates" (which means that certain vulnerabilities/bugs that we use to decrypt files, are eliminated). This means that the key file likely is no longer present on the system, but stored remotely. It does not mean that decryption after paying the ransom is not possible, usually this will work, although decrypters may be buggy (I haven't heard this about AutoLocky though).

 

When it comes to ransomware prevention, aside from having a good security solution that detects the malware before it can touch your files, a backup really is extremely important. There are various excellent backup solutions available that store your backup remotely (and require you to enter a password before you can access them). I would definitely recommend that if managing a local offline backup is not possible. This is not free, but at least the data is safe (not only very useful when a system is infected, but also when for example a hard disk goes bad).