Thursday, 2 February 2017

Decrypting DeriaLock



Recently, our laboratory analyzed the new version of DeriaLock (MD5: 0a7b70efba0aa93d4bc0857b87ac2fcb).

This version of DeriaLock is unique because of two reasons. First, it demands to pay the 30 USD/EUR ransom to the Skype account. Second, DeriaLock incorporates three types of functionality: SystemLocker, CryptoLocker, and FileKiller within a single attack.

If you managed to remove the DeriaLock infection and keep your encrypted files, you can start now decrypting your documents using the encryption key and initialization vector calculated by our script based on the password string extracted from the analyzed version of DeriaLock:

AES-256 key: 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743
IV: 9fa4ed4d89b04ee7f3b74c9b46588e18

To decrypt '.deria' files, you can use OpenSSL tool specifying the discovered key and initialization vector. For example:
openssl aes-256-cbc -d -in photo.png.deria -K 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743 -iv 9fa4ed4d89b04ee7f3b74c9b46588e18 -out photo.png
Or use our Python script or executable to decrypt all '.deria' files that can be found on your computer.

No comments:

Post a comment