CryptoLocker Database Search


I found the database dump of the CryptoLocker release from May 30, 2015 by the ransomware’s author. I decided to put it into a database and make a lame front-end for it to be queried against by either the bitcoin address or the public RSA key from the infected computer.
Hope it helps someone out there.
https://techish.net/locker/

Hi,
I am the author of the Locker ransomware and I’m very sorry about what has happened. It was never my
intention to release this.
I uploaded the database to mega.co.nz containing bitcoin address, public key, private key as CSV.
This is a dump of the complete database and most of the keys weren’t even used.
All distribution of new keys has been stopped.
https://mega.co.nz/#!W85whbSb!kAb-5VS1Gf20zYziUOgMOaYWDsI87o4QHJBqJiOW6Z4
Automatic decryption will start on 2nd of June at midnight.
@devs, as you might be aware, the private key is used in the RSACryptoServiceProvider class in .NET and
files are encrypted with 256-bit AES using the RijndaelManaged class.
This is the structure of the encrypted files:

  • 32 bit integer, header length
  • byte array, header (length is previous int)

Decrypt the byte array using RSA and the private key.
Decrypted byte array contains:

  • 32 bit integer, IV length
  • byte array, IV (length is in previous int)
  • 32 bit integer, key length
  • byte array, Key (length is in previous int)
  • rest of the data is the actual file, which can be decrypted using RijndaelManaged with the IV and Key

Again sorry for all the trouble.
Poka BrightMinds
~ V
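As an added example (not code from the original post or from the ransomware author), this is how a .NET recovery tool could walk the file layout described in the message above, using the two classes it names. It assumes the 32-bit lengths are little-endian (the BinaryReader default), that the private key from the dump is in the XML form RSACryptoServiceProvider.FromXmlString accepts, that RSA uses PKCS#1 v1.5 padding (fOAEP = false), and that RijndaelManaged runs with its defaults (CBC, PKCS7, 128-bit block); none of those details are stated on the page.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example, not the ransomware's own code. Parses one encrypted file in
// the layout given in the message (int32 header length, RSA-encrypted header,
// AES ciphertext) and returns the plaintext. Byte order, RSA padding and the
// RijndaelManaged mode/padding are assumptions, see the lead-in.
static class LockerFileFormat
{
    public static byte[] Decrypt(byte[] encryptedFile, string privateKeyXml)
    {
        using (var ms = new MemoryStream(encryptedFile))
        using (var reader = new BinaryReader(ms))
        {
            // Outer layer: 32-bit header length, then the RSA-encrypted header.
            int headerLen = reader.ReadInt32();
            if (headerLen <= 0 || headerLen > ms.Length - 4)
                throw new InvalidDataException("bad header length");
            byte[] header = reader.ReadBytes(headerLen);

            byte[] inner;
            using (var rsa = new RSACryptoServiceProvider())
            {
                rsa.FromXmlString(privateKeyXml);   // key format assumed (XML)
                inner = rsa.Decrypt(header, false); // PKCS#1 v1.5 assumed
            }

            // Inner layer: 32-bit IV length, IV, 32-bit key length, key.
            byte[] iv, key;
            using (var hs = new MemoryStream(inner))
            using (var hr = new BinaryReader(hs))
            {
                iv = hr.ReadBytes(hr.ReadInt32());
                key = hr.ReadBytes(hr.ReadInt32());
            }
            // Sanity check: AES-256 key and a 128-bit block IV.
            if (iv.Length != 16 || key.Length != 32)
                throw new InvalidDataException("unexpected IV/key size");

            // Everything after the header is the AES-encrypted file body.
            byte[] body = reader.ReadBytes((int)(ms.Length - ms.Position));
            using (var aes = new RijndaelManaged { Key = key, IV = iv })
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(body, 0, body.Length);
        }
    }
}
```

If a file fails the length or size checks, or the RSA or AES step throws, the assumptions above are the first things to verify against a known sample before trusting the output.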