Only Under Certain Conditions "NanoLocker" Ransomware Can Be Cracked
An independent security researcher has found a flaw in the ransomware's operation and also created a file decrypter So, it's time for those people to celebrate whoever infected by the NanoLocker ransomware.
On January 12 2016, NanoLocker ransomware was first discovered by Symantec and is relatively a new ransomware. A few quirks are in the way of encryption operation that allows some victims to recover their files, and there's nothing special in its way of working.
A Canadian security researcher (@cyberclues) discovered this, who find out and said that there is a close resemblance between NanoLocker and older versions of the TeslaCrypt and AlphaCrypt ransomware families.
As he explains on his blog that,
NanoLocker works by encrypting files with an AES-256 key, which is stored inside a configuration file until the encryption process ends. When this happens, the encryption key is deleted from the config file, is obfuscated, then encrypted with an RSA public key, and lost forever until the user pays the ransom.
According to the researcher, encryption process has three phases, numbered from 1 to 3, and the number of each stage is embedded at the start of the configuration file.
Numbered 1 & 2 phase represents the ransomware's initialization and the encryption process respectively.
Numbered 3 phase represents that the encryption has already finished, and the original AES encryption key is already lost.
At any time "NanoLocker" malware can access original AES encryption key for using it in encryption operations because during the first two stages, it is store inside this config file.
When the ransomware is encrypting their data it is unrealistic that users should start searching for this config file, and then copy it to another location so they could have the AES encryption key before being encrypted again via RSA. When the user detects any sluggishness in their computer's performance while the CPU-intensive ransomware encryption process is going on, and they restart their PC or enter sleep mode, the ransomware stops the encryption process and leaves this configuration file in its current stage.
By this point, the ransomware has already encrypted some of the user's files. To unlock these files, the researcher created a decrypter, which could be download from GitHub (the source code) or Google Drive (already compiled).
Firstly you have to grab your configuration file, which usually resides at: %LOCALAPPDATA%\lansrv.ini
After that grab a compiled version of the NanoLocker Decrypter, open a Windows command prompt, navigate to the decrypter's folder, drop a copy of the configuration file in the same folder, and run a decryption operation with the following syntax:
NanoLocker_Decryptor.exe [encrypted_file] [output_file] configuration_file]
If the configuration file is in the first two stages, the decrypter will extract the AES key and then use it to decrypt the encrypted file and extract its content to the file mentioned in the [output_file] parameter.
There are some limitations too For starters, and you have to accidentally stop a ransomware's encryption operation via a PC restart or by forcing your PC in sleep mode.
Secondly, you'll be able to decrypt only one file at a time. If the ransomware has already encoded a few thousand files, then get ready to waste the next days of your life running Windows shell command. Or better yet, convince some of your coder friends to create a batch file to automate this process, and share it with the rest of us.