Not all victims can decrypt their files, only the lucky few. Some of the people infected with the NanoLocker ransomware may have a reason to celebrate after an independent security researcher found a flaw in the ransomware’s operation and created a file decrypter based on his research.
NanoLocker is a relatively new ransomware variant, first discovered by Symantec on January 12, 2016. There’s nothing special in the way it works, but a few quirks in how the encryption operation is carried out may allow some victims to recover their files.
The discovery was made by a Canadian security researcher (@cyberclues), who discovered a close resemblance between NanoLocker and older versions of the TeslaCrypt and AlphaCrypt ransomware families.
The flaw in NanoLocker’s operations
As he explains on his blog, NanoLocker works by encrypting files with an AES-256 key, which is stored inside a configuration file until the encryption process ends. When this happens, the encryption key is deleted from the config file, is obfuscated, then encrypted with an RSA public key, and lost forever until the user pays the ransom.
The researcher discovered that the encryption process goes through three phases, numbered from 1 to 3, and the number of each stage is embedded at the start of the configuration file.
While phase 3 means the encryption has already finished and the original AES encryption key is already lost, he first two stages represent the ransomware’s initialization and the encryption process.
During these first two stages, the original AES encryption key is actually stored inside this config file, so the malware can access it at any time and use it for the encryption operations.
A PC restart now and then may save your files from NanoLocker ransomware
It is unrealistic that users should start searching for this config file while the ransomware starts encrypting their files, and then copy it to another location so they could have the AES encryption key before being encrypted again via RSA.
What the researcher discovered is that if a user detects any sluggishness in his computer’s performance while the CPU-intensive ransomware encryption process is going on, and the user restarts his PC or enters sleep mode, the ransomware stops the encryption process, and leaves this configuration file in its current stage (usually phase 2).
By this point, the ransomware has already encrypted some of the user’s files. To unlock these files, the researcher has created a decrypter, which can be downloaded from GitHub(the source code), or from Google Drive (already compiled).
Get ready to waste your time decrypting one file at a time
The first thing you need to do is to grab your configuration file, which usually resides at:%LOCALAPPDATA%\lansrv.ini
Now grab a compiled version of the NanoLocker Decrypter, open a Windows command prompt, navigate to the decrypter’s folder, drop a copy of the configuration file in the same folder, and run a decryption operation with the following syntax:
If the configuration file is in the first two stages, the decrypter will extract the AES key and then use it to decrypt the encrypted file, extract its content to the file mentioned in the [output_file] parameter.
Obviously, there are some limitations. For starters, you need to be lucky enough to have accidentally stopped a ransomware’s encryption operation via a PC restart or by forcing your PC in sleep mode.
Secondly, you’ll be able to decrypt only one file at a time. If the ransomware already encoded a few thousand files, then get ready to waste the next days of your life running Windows shell command. Or better yet, convince some of your coder friends to create a batch file to automate this process, and share it with the rest of us.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.
