How to Decrypt Cryptorbit Files (HowDecrypt)
Cryptorbit, also known as HowDecrypt, is a ransomware trojan that targets computers running the Windows operating system. Cryptorbit was first seen in January 2014. Here we will try to explain how to decrypt Cryptorbit files.
When activated, Cryptorbit encrypts certain types of files stored on your local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers, and leaves Howtocrypt ransom files. The malware then displays a ransom message which offers to decrypt the data if a payment is made by a stated deadline, and threatens to delete the private key if the deadline passes. The payment is to be made either in Bitcoin or other untraceable virtual money, or with some widely used pre-paid vouchers. Cyber criminals depend heavily on anonymity, so the payment methods are chosen to be untraceable. Cryptorbit will scan your files and encrypt them regardless of the file type. It will also create a HowDecrypt.txt and a HowDecrypt.gif in every folder in which a file was encrypted.
CryptorBit does not actually encrypt the whole file. Instead, it corrupts the header of the file by replacing the first 512 bytes. The infection copies the original file header, encrypts it, and stores it at the end of the file. It then creates a different 512-byte header and puts it in place of the original. Once this process is completed, a program that tries to open the file will read the unknown header and won't be able to open it. Thanks to the guys from BleepingComputer.com, there is a way to recover your corrupted files, or at least most of them. (*PLEASE DO NOT ATTEMPT TO DECRYPT YOUR FILES BEFORE REMOVING THE ACTUAL INFECTION)
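A read-only triage check based on the header damage described above, added here as an example (it is not part of the original article or of DecrypterFixer's tools): it walks a folder, flags files whose extension is a known type but whose leading signature bytes are missing, and lists folders that contain HowDecrypt notes. The signature table, the function names and the sample tree are assumptions of this example.

```python
import os
import tempfile

HEADER_LEN = 512  # size of the replaced header, per the article
NOTE_NAMES = {"howdecrypt.txt", "howdecrypt.gif"}  # ransom note names from the article
OLE, ZIP = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", b"PK\x03\x04"
MAGIC = {  # bytes expected at offset 0 (this example's table, an assumption)
    ".jpg": [b"\xff\xd8\xff"], ".pdf": [b"%PDF-"], ".pst": [b"!BDN"],
    ".doc": [OLE], ".xls": [OLE], ".docx": [ZIP], ".xlsx": [ZIP],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xfa", b"\xff\xf3", b"\xff\xf2"],
}

def classify(path):
    """Return 'ok', 'suspect' (known type, signature missing) or 'unknown' type."""
    sigs = MAGIC.get(os.path.splitext(path)[1].lower())
    if sigs is None:
        return "unknown"
    with open(path, "rb") as fh:  # read-only: the file is never modified
        head = fh.read(16)
    return "ok" if any(head.startswith(s) for s in sigs) else "suspect"

def triage(root):
    """Return (suspect files, folders holding ransom notes), relative to root."""
    suspects, note_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAMES & {f.lower() for f in files}:
            note_dirs.append(os.path.relpath(dirpath, root))
        for name in files:
            full = os.path.join(dirpath, name)
            if classify(full) == "suspect":
                suspects.append(os.path.relpath(full, root))
    return sorted(suspects), sorted(note_dirs)

def build_sample(root):  # constructed sample tree, not real data
    body = b"%PDF-1.4\n" + b"x" * 2000
    # Damage pattern as the article describes it: first 512 bytes replaced, 512 appended.
    damaged = b"\x00" * HEADER_LEN + body[HEADER_LEN:] + b"\xaa" * HEADER_LEN
    files = {"clean.pdf": body,
             os.path.join("docs", "report.pdf"): damaged,
             os.path.join("docs", "HowDecrypt.txt"): b"constructed placeholder"}
    os.makedirs(os.path.join(root, "docs"))
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

A "suspect" result only means the expected signature is absent at the start of the file; it does not prove the file was touched by Cryptorbit.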
If you notice that you are infected, we at MalwareKillers.com recommend downloading SpyHunter Malware Security Suite from our web page: http://www.malwarekillers.com/download-page/ in order to automatically remove the active infection. However, be advised that even when the infection has been removed successfully, your files will still be encrypted. Once you get rid of Cryptorbit (learn how to in our article HERE), you can try to recover your files using the methods presented below:
How to Recover Files Encrypted by Cryptorbit:
You can try to restore your files from a system backup. If a backup is not available, then you can attempt to recover your files using the Shadow Copy Service. Since Windows XP Service Pack 2, Windows has included a feature called Shadow Copy Service that, if enabled, automatically creates backup copies of your files.
1. How to restore files using the Shadow Copy Service:
Using native Windows Previous Versions:
*Be advised that the Windows System Protection option must have been enabled prior to the infection for this method to work.
1. Right click on the corrupted file and select Properties from the drop-down menu;
2. Go to the “Previous Versions” tab (if the tab is missing, the Windows System Protection option hasn't been enabled);
3. Choose the latest previous version copy and click on the Copy button, then select the directory you wish to restore the file to. If you prefer to restore the selected file directly, click on the Restore button.
This method can be used to restore an entire folder as well. Right-click on the selected folder and choose Properties and then Previous Versions tab.
Using Shadow Explorer:
You can also use a program called Shadow Explorer to restore entire folders. You can download the program from the following link: http://www.shadowexplorer.com/downloads.html
When you download and run the program, you will see, on the left side, a list of your available drives. Next to it, you will see the dates on which shadow copies were created. You can select the drive and the date that you wish to restore from.
Using Archive Software
(Suggestion by BleepingComputer Forum Member: zlia)
He suggests the use of archive software, which can open XLSX and DOCX files and allows you to modify their content. He used 7-zip, a small, free and easy-to-use archive program. You can download 7-zip from here: http://www.7-zip.org/.
To recover an Excel or Word file with 7-zip:
1. Open 7-zip and navigate to the XLSX file that you need to recover.
2. Right-click and select 7-zip > open archive. The contents of the file will be opened in a new window. There should be 3 folders and one XML file.
3. Find and copy an existing uninfected XLSX file to the desktop. It's very important that the file you are copying has been in use and has been formatted in some way. If you use a new Excel file for the steps below, some of the information may not be recovered.
4. Open the main 7-zip window (the one with the file tree) and navigate to the CLEAN Excel file (the one that you just copied to the desktop), then right-click and select 7-zip > open archive.
5. A new 7-zip window will open showing the 3 folders and the single XML file for the CLEAN Excel file. Arrange the 7-zip windows for the encrypted file and the CLEAN Excel file side by side (it is easier this way), then select the 3 folders within the CLEAN Excel file and delete them.
6. Select the 3 folders from the encrypted Excel file and drag and drop them into the 7-zip window for the CLEAN Excel file.
7. Close both 7-zip windows and open the CLEAN Excel file. Excel might show a warning message saying that it found unreadable content in the file that you are trying to open, and will ask you if you want to recover the contents of the workbook. Click Yes.
8. You should have your original file back in working order.
If these methods do not help you, there is still hope! The BleepingComputer.com member Nathan Scott (nickname: DecrypterFixer) has developed a program, called DecrypterFixer's tools, that will allow you to recover JPG, PST, MP3, PDF, DOC, and XLS documents that have been encrypted by Cryptorbit.
2. How to recover files encrypted by Cryptorbit using the DecrypterFixer’s Tools:
Nathan Scott's tools can repair different types of files encrypted by Cryptorbit. Currently, you can recover corrupted PST, JPG, PDF, MP3, DOC, and XLS files. In order to use the tools, you must have Microsoft .NET Framework 4.0 or higher installed on your computer.
1. To repair your files, you will have to download the Anti-CryptorBitV2.exe tool from the link: http://download.bleepingcomputer.com/cryptorbit/Anti-CryptorBitV2.zip;
2. Run the Anti-CryptorBit.exe program;
3. Choose a recovery method to run, and follow the instructions.