I found the database dump of the CryptoLocker release from May 30, 2015 by the ransomware’s author.  I decided to put it into a database and make a lame front-end for it to be queried against by either the bitcoin address or the public RSA key from the infected computer.

Hope it helps someone out there.



I am the author of the Locker ransomware and I’m very sorry about that has happened. It was never my
intention to release this.

I uploaded the database to mega.co.nz containing bitcoin address, public key, private key as CSV.
This is a dump of the complete database and most of the keys weren’t even used.
All distribution of new keys has been stopped.


Automatic decryption will start on 2nd of june at midnight.

@devs, as you might be aware the private key is used in the RSACryptoServiceProvider class .net and
files are encrypted with AES-256 bit using the RijndaelManaged class.

This is the structure of the encrypted files:

– 32 bit integer, header length
– byte array, header (length is previous int)
*decrypt byte array using RSA & private key.

Decrypted byte array contains:
– 32 bit integer, IV length
– byte array, IV (length is in previous int)
– 32 bit integer, key length
– byte array, Key (length is in previous int)

– rest of the data is the actual file which can be decrypted using Rijndaelmanaged and the IV and Key

Again sorry for all the trouble.

Poka BrightMinds

~ V