Industry Perspectives Blog

DecryptCryptoLocker – A Success Story

About a month ago FireEye, in partnership with Fox-IT, released a free service to provide relief to CryptoLocker victims around the world. As early as September 2013, CryptoLocker started haunting computers of innocent computer users worldwide. The victims’ only mistake was innocuously clicking on a link in their email or browsing the Internet. The ransomware spread fast in UK, followed by the US, and then permeated the rest of the world.

A recent takedown named Operation Tovar helped bring down command and control infrastructure used by criminals to spread GameOver Zeus and its payload, cryptolocker. But taking down their servers was not enough. Thousands of victims were still left with infected systems and all their data held hostage. Even some of their backups and network shares were rendered useless. Some victims re-infected themselves, hoping to pay reduced amounts of ransom.

When the criminals accidentally gave us the keys, we realized this was an unprecedented opportunity to help give those victims with another chance to reclaim their digital property.

Since the introduction of this relief program, we have seen close to three thousand successful recoveries of ransomed data. Geographic distribution of the victims who used the service suggests most of them were within United States followed by United Kingdom, Canada, and Australia. The majority of these victims were using Windows operating systems with Chrome as their browser.


We received great responses from everyone ranging from CTOs, IT Directors, to home users. One office manager who was going to spend all weekend preparing for a Monday morning audit responded with:


A Support Manager from an IT service provider said:

“This is amazing. We had a client that got hit with this and ‘lost’ 17 years worth of data. I opted to keep the files and told them if there was ever a way to fix this, we’d have the data. I honestly never expected to recover the data.”

Cryptolocker’s multi-million monetary gains brought back a renewed interest in ransomware and it was followed by a plethora of imitators that started spreading and selling on black market. Decryptcryptolocker has helped in bringing back immeasurable amount of lost data back to people and hopefully enhanced user education.