
exploitcollection / linux-ransomware-decrypter

This project forked from eugenekolo/linux-ransomware-decrypter


Bitdefender's Linux.Encoder.1 Decrypter

License: GNU General Public License v3.0

Python 98.70% Shell 1.30%

linux-ransomware-decrypter's Introduction

Bitdefender's Linux Ransomware (Linux.Encoder.1) Decrypter

More Info: http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/

How to

  1. Hopefully you have NOT deleted any encrypted files.
  2. Run sort_files.sh / > sorted.list to obtain a list of the encrypted files sorted by modification time, i.e. by the time they were encrypted.
    • Note: run sort_files.sh /path/to/vm/partition if the data was on a VM.
  3. Most importantly, take the first file in that list, call it X.encrypted (head -1 sorted.list). The first file matters: its timestamp is the closest to the time the encryption key was seeded.
  4. Find the seed using ./decrypter.py -f /path/to/X.encrypted
  5. Once you have the seed you can safely decrypt the files. Run ./decrypter.py -s <seed> -l <sorted.list> -e <error.list>
  6. Check that decryption was correct and clean up the ".encrypted" files yourself.
    • Note: Unfortunately, the ransomware does not preserve ownership (user/group), so some things might stay broken until ownership is restored by hand.
  7. Files that are still encrypted are written to the file you provided as <error.list>. Redo steps 3 to 6 on that <error.list> (with a fresh <error.list> for each round) until no files remain.

Example

bash decrypter/sort_files.sh > sorted_list
head -1 sorted_list
$> ./d/home/user/.bash_logout.encrypted
python decrypter/decrypter.py -f ./d/home/user/.bash_logout.encrypted
$> [*] Seed: 1447255617
python decrypter/decrypter.py -s 1447255617 -l sorted_list -e error_list

Output:

...
[FAILED] ./d/usr/share/doc/mlocate/README.encrypted
[OK] ./d/usr/share/doc/mlocate/TODO.Debian.encrypted
[OK] ./d/usr/share/doc/readline-common/changelog.Debian.gz.encrypted
[FAILED] ./d/usr/share/doc/readline-common/copyright.encrypted
[FAILED] ./d/usr/share/doc/readline-common/inputrc.arrows.encrypted
[OK] ./d/usr/share/java/libintl.jar.encrypted
[*] recovered 7572 files
[*] failed to recover (probably bad seed) 9424 files
[*] 36 corrupted (probably truncated) files

Handling failed/corrupted files

The example shows 9424 files that failed to recover. This usually means those files were encrypted under a different seed: the seed is derived from the time of encryption, and not every file was encrypted at the same moment, so one seed does not cover the whole list. Recover the seed of the failed files the same way, starting from the first entry of the error list:

head -1 error_list 
$> ./d/home/README_FOR_DECRYPT.txt.encrypted
python decrypter/decrypter.py -f ./d/home/README_FOR_DECRYPT.txt.encrypted
$> [*] Seed: 1447255625
python decrypter/decrypter.py -s 1447255625 -l error_list -e error_list2

Output:

...
[FAILED] ./d/usr/share/doc/mlocate/changelog.gz.encrypted
[OK] ./d/usr/share/doc/mlocate/NEWS.gz.encrypted
[FAILED] ./d/usr/share/doc/mlocate/README.encrypted
[FAILED] ./d/usr/share/doc/readline-common/copyright.encrypted
[OK] ./d/usr/share/doc/readline-common/inputrc.arrows.encrypted
[*] recovered 5000 files
[*] failed to recover (probably bad seed) 4424 files
[*] 0 corrupted (probably truncated) files

Repeat the above steps to get the remaining 4424 failed files:

head -1 error_list2
$> ./d/root/test/size_10028.encrypted
python decrypter/decrypter.py -f ./d/root/test/size_10028.encrypted
$> [*] Seed: 1447255634
python decrypter/decrypter.py -s 1447255634 -l error_list2 -e error_list3

Output:

...
[OK] ./d/usr/share/doc/libsqlite3-0/changelog.html.gz.encrypted
[OK] ./d/usr/share/doc/linux-image-2.6.32-5-amd64/changelog.Debian.gz.encrypted
[OK] ./d/usr/share/doc/locales-all/copyright.encrypted
[OK] ./d/usr/share/doc/lsb-base/copyright.encrypted
[OK] ./d/usr/share/doc/mlocate/AUTHORS.encrypted
[OK] ./d/usr/share/doc/mlocate/changelog.gz.encrypted
[OK] ./d/usr/share/doc/mlocate/README.encrypted
[OK] ./d/usr/share/doc/readline-common/copyright.encrypted
[*] recovered 4424 files
[*] failed to recover (probably bad seed) 0 files
[*] 0 corrupted (probably truncated) files

DONE!
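The weakness behind this decrypter (a key that depends only on a libc rand() seed taken from the clock) and the retry loop in the walkthrough above, as an added worked example. This is not code from linux-ransomware-decrypter or from the malware. The glibc rand() port is exact; the key schedule (16 key bytes then 16 IV bytes from rand()), the SHA-256 counter-mode stand-in used in place of the malware's AES-CBC so that the script runs on the standard library alone, the assumption that the seed lies at or shortly before the file's mtime, and the sample files are all assumptions made for the demonstration. It also goes one step beyond the README by showing why a padding check alone is not enough to confirm a seed.

```python
# Added example, not code from linux-ransomware-decrypter or from the malware.
# The glibc rand() port is exact; key schedule, cipher and seed/mtime link are
# assumptions made for the demonstration (see the comments on each).
import hashlib
import struct

def glibc_rand(seed):
    """Bit-exact glibc rand()/srand() (TYPE_3 additive feedback, degree 31).
    Correct for 0 < seed < 2**31, which covers the timestamps used here."""
    r = [seed] + [0] * 343
    for i in range(1, 31):                  # LCG warm-up (Schrage's method)
        r[i] = (16807 * r[i - 1]) % 2147483647
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344):                # glibc discards 310 outputs
        r[i] = (r[i - 31] + r[i - 3]) & 0xffffffff
    while True:
        r.append((r[-31] + r[-3]) & 0xffffffff)
        yield r[-1] >> 1

def derive_key_iv(seed):
    """Assumed key schedule: srand(seed), then 16 key bytes and 16 IV bytes,
    each the low byte of one rand() call. The only secret is one timestamp."""
    rng = glibc_rand(seed)
    key = bytes(next(rng) & 0xff for _ in range(16))
    return key, bytes(next(rng) & 0xff for _ in range(16))

def _keystream(key, iv, length):
    # Stand-in for the malware's AES-CBC so the example needs only the
    # standard library: SHA-256 in counter mode over (key, iv, block index).
    blocks = (hashlib.sha256(key + iv + struct.pack(">Q", i)).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(seed, plaintext):
    """Per-file encryption as assumed for the demo: PKCS#7 pad, derive key
    and IV from the time-based seed, encrypt."""
    pad = 16 - len(plaintext) % 16
    padded = plaintext + bytes([pad]) * pad
    key, iv = derive_key_iv(seed)
    return bytes(a ^ b for a, b in zip(padded, _keystream(key, iv, len(padded))))

def decrypt(seed, ciphertext):
    """Plaintext, or None if the seed is implausible. Padding alone accepts
    about one wrong seed in 256, so a file-type check is added: the sample
    files are text and must decode as UTF-8 (use gzip/ELF magic for others)."""
    key, iv = derive_key_iv(seed)
    padded = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, iv, len(ciphertext))))
    pad = padded[-1] if padded else 0
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        return None
    plain = padded[:-pad]
    try:
        plain.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return plain

def find_seed(ciphertext, mtime, window=60):
    """srand() ran at or shortly before the file was written, so try mtime,
    mtime-1, ... (assumed relationship, not decrypter.py's own search)."""
    for seed in range(mtime, mtime - window, -1):
        if decrypt(seed, ciphertext) is not None:
            return seed
    return None

def recover_all(files):
    """The README loop over (name, mtime, ciphertext): seed from the first
    pending file, decrypt the pending list, failures become the next error
    list. Each round recovers at least the seed file, so it terminates."""
    pending = sorted(files, key=lambda f: f[1])
    recovered, rounds = {}, []
    while pending:
        seed = find_seed(pending[0][2], pending[0][1])
        if seed is None:                    # truncated/corrupted: give up
            break
        failed = []
        for name, mtime, ct in pending:
            plain = decrypt(seed, ct)
            if plain is None:
                failed.append((name, mtime, ct))
            else:
                recovered[name] = plain
        rounds.append((seed, len(pending) - len(failed)))
        pending = failed
    return recovered, rounds, [f[0] for f in pending]

# Constructed sample data: three batches using the three seeds from the README
# walkthrough; each file's mtime falls 2-3 s after its batch was seeded.
SAMPLE_SEEDS = (1447255617, 1447255625, 1447255634)
SAMPLE_FILES = [("./d/home/user/batch%d_file%d.txt.encrypted" % (n, k), seed + 2 + k,
                 encrypt(seed, ("contents of batch %d file %d, line one\nline two\n" % (n, k)).encode()))
                for n, seed in enumerate(SAMPLE_SEEDS) for k in range(2)]

if __name__ == "__main__":
    for seed, count in recover_all(SAMPLE_FILES)[1]:
        print("[*] Seed: %d -> recovered %d files" % (seed, count))
```

Run the file directly and it prints one line per round, one seed each, mirroring the three rounds above. The caveat a practitioner wants is in decrypt(): with nothing but PKCS#7 padding to go on, roughly one candidate seed in 256 looks valid, so a seed search over even a minute-long window will sometimes "succeed" on the wrong seed; check the decrypted output against its expected format (as step 6 of the How to says) and keep the search window short before trusting a seed for a whole list.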

linux-ransomware-decrypter's People

Contributors

eugenekolo
