
This is my first post! Here's the thing. CryptoDefense (Cryptolocker's competitor) swept the Internet at the end of February this year. Since it generates text files in all the folders it encrypts, I even planned on using the first text file's timestamp to brute-force its PRNG and generate keys within a computationally manageable time.

What happens now is that I recently discovered its private RSA key is stored in the Windows key store and I am able to see its first characters. The rest seems to be protected via DPAPI (Microsoft's Data Protection API). My questions are: How do I decrypt DPAPI? And the other is: Is there a way to rebuild the private key with this information?

  • It makes no sense for the RSA private key to ever be on the client. If that's really true, its authors were amazingly incompetent. – CodesInChaos Mar 26 '14 at 17:26
  • It seems they are! I couldn't believe it either! All I need now is to decode its content via DPAPI. It's stored in: \AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21... – user3462249 Mar 26 '14 at 21:47
  • This question appears to be off-topic because it is about cryptography. You might be able to receive help by flagging this post and requesting a migration to [Crypto.SE](http://crypto.stackexchange.com). – esqew Jul 21 '14 at 15:33

1 Answer


This can be done (with some work) using dpapick, a Python tool for offline decryption of DPAPI data. You will need the user's password, but the rest will be done for you. Certificate handling has been added in v0.3. This assumes no extra "salt" (extra secret) has been added by the malware, but as it seems to be an accidental feature, I suspect this is not the case...

Henno Brandsma
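Before handing a key file to dpapick, a responder usually wants to know which master key it depends on: the blob's master key GUID names a file under `%APPDATA%\Microsoft\Protect\<SID>\`, which is why the answer says the user's password is required; a blob with the local-machine flag set would instead need the system's DPAPI secret. The following is an added example, not code from the original answer or from dpapick. It assumes the standard CryptProtectData blob layout (version DWORD, provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb, master key GUID, flags, description, cipher and hash algorithm IDs, salt, HMAC key, ciphertext, signature) and carves such blobs out of an arbitrary file, since a CAPI key container in `Crypto\RSA\<SID>\` embeds them among other structures. The container bytes and the master key GUID used below are constructed sample data, not values from any real key file.

```python
import struct
import uuid

# Provider GUID that every CryptProtectData blob carries right after its version DWORD.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
BLOB_MAGIC = b"\x01\x00\x00\x00" + DPAPI_PROVIDER_GUID.bytes_le   # version 1 + provider

# CryptoAPI ALG_ID values seen in DPAPI blobs (XP era: 3DES/SHA-1; Vista+: AES-256/SHA-512).
CALG_NAMES = {0x6603: "3DES", 0x660E: "AES-128", 0x6610: "AES-256",
              0x8004: "SHA-1", 0x800C: "SHA-256", 0x800E: "SHA-512"}
CRYPTPROTECT_LOCAL_MACHINE = 0x4   # flag: blob bound to the machine, not to a user


class _Reader:
    """Sequential little-endian reader with bounds checking."""
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated DPAPI blob")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self):
        return int.from_bytes(self.take(4), "little")

    def lp(self):
        """DWORD length followed by that many bytes."""
        return self.take(self.u32())


def parse_dpapi_blob(data, offset=0):
    """Parse the CryptProtectData blob at `offset`; returns (fields, end_offset)."""
    r = _Reader(data, offset)
    if r.take(20) != BLOB_MAGIC:
        raise ValueError("no DPAPI blob at offset %d" % offset)
    mk_version = r.u32()
    mk_guid = uuid.UUID(bytes_le=r.take(16))          # names the master key file needed
    flags = r.u32()
    description = r.lp().decode("utf-16-le").rstrip("\x00")
    alg_crypt, alg_crypt_bits = r.u32(), r.u32()
    salt = r.lp()
    strong = r.lp()                                    # optional extra key, normally empty
    alg_hash, alg_hash_bits = r.u32(), r.u32()
    hmac_key = r.lp()
    ciphertext = r.lp()
    signature = r.lp()
    return {
        "master_key_version": mk_version,
        "master_key_guid": str(mk_guid),
        "local_machine": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
        "description": description,
        "cipher": CALG_NAMES.get(alg_crypt, hex(alg_crypt)), "cipher_bits": alg_crypt_bits,
        "hash": CALG_NAMES.get(alg_hash, hex(alg_hash)), "hash_bits": alg_hash_bits,
        "salt_len": len(salt), "strong_len": len(strong), "hmac_key_len": len(hmac_key),
        "ciphertext_len": len(ciphertext), "signature_len": len(signature),
    }, r.pos


def find_dpapi_blobs(data):
    """Carve every DPAPI blob out of an arbitrary file such as a CAPI key container."""
    blobs, pos = [], data.find(BLOB_MAGIC)
    while pos != -1:
        try:
            fields, end = parse_dpapi_blob(data, pos)
        except ValueError:
            end = pos + 1          # magic matched but the body is truncated: skip it
        else:
            blobs.append(fields)
        pos = data.find(BLOB_MAGIC, end)
    return blobs


def master_key_location(fields, user_sid):
    """Master key file the blob names; dpapick needs it plus its owner's secret."""
    guid = fields["master_key_guid"]
    if fields["local_machine"]:
        # Machine scope: unlocked with the DPAPI_SYSTEM LSA secret, not a user password.
        return "%WINDIR%\\System32\\Microsoft\\Protect\\S-1-5-18\\" + guid
    return "%APPDATA%\\Microsoft\\Protect\\" + user_sid + "\\" + guid


def _build_sample_blob(mk_guid, flags, description, ciphertext):
    """Serialize a blob in the same layout (constructed test data, not malware output)."""
    lp = lambda b: struct.pack("<I", len(b)) + b
    desc = (description + "\x00").encode("utf-16-le")
    return (BLOB_MAGIC + struct.pack("<I", 1) + mk_guid.bytes_le + struct.pack("<I", flags)
            + lp(desc) + struct.pack("<II", 0x6610, 256) + lp(bytes(range(32))) + lp(b"")
            + struct.pack("<II", 0x800E, 512) + lp(bytes(range(32))) + lp(ciphertext)
            + lp(b"\xAA" * 64))


# Constructed stand-in for a key-container file: a name string, one blob, a trailer.
SAMPLE_MASTER_KEY_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CONTAINER = (b"constructed-container-name\x00"
                    + _build_sample_blob(SAMPLE_MASTER_KEY_GUID, 0, "Private Key", b"\x42" * 160)
                    + b"trailer")

if __name__ == "__main__":
    for blob in find_dpapi_blobs(SAMPLE_CONTAINER):
        print(blob)
        print("master key file:", master_key_location(blob, "S-1-5-21-<sid-placeholder>"))
```

Run it against a copy of the file from the question's `Crypto\RSA\S-1-5-21...` directory by replacing `SAMPLE_CONTAINER` with `open(path, "rb").read()`; the printed master key GUID is the file name to collect from the user's `Protect` directory before running dpapick, and `local_machine` tells you whether a password or the system secret is the right input. Nothing here decrypts anything; it only identifies the inputs the offline tool will ask for.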