To help users recover files encrypted by ZeroLocker ransomware, Vinsula has developed a free utility that allows recovery of encrypted files within a reasonable timeframe.
Please note that our utility targets only ZeroLocker, which, in the samples we have seen, displays the following warning on a compromised system:
The recovery utility we have developed is a Windows console application that scans a single encrypted executable to uncover the encryption key. The operation uses a brute-force method and is CPU-bound (compute-bound). In our tests, the utility typically takes less than a day to find an encryption key, but in a worst-case scenario it could take up to 5 weeks. The utility can brute force an encrypted binary executable on either an infected machine or on a different, dedicated machine. The faster the machine (more CPU cores), the faster the brute force process takes to resolve the encryption key.
No Internet connection is required for the process to run and scan for the encryption key. The utility doesn’t have any external dependencies. For the brute forcing option the tool needs only to have access to a single encrypted binary executable.
***Although we have done our best to provide a free utility to help users affected by ZeroLocker, the tool is provided “as is” and without warranty or guarantee of any kind.***
The utility provides two command line options
1) Brute force a single encrypted binary executable to resolve the encryption key. For more details see option command line option “-bruteforce”
2) Once the key has been resolved, decrypt all encrypted user files. For further details see option “- decrypt”
Instructions for running the utility:
1) Make sure .NET Framework 4 is installed. If not, a download executable is available at
2) Launch the utility using an administrator’s elevated command prompt.
3) To view all commands, execute the utility with no arguments.
4) Execute the utility using the “-bruteforce” command-line option to start key discovery process.
For this option, we recommend brute forcing “C:\Boot\memtest.exe.encrypt” binary file. This file seems to be encrypted in most cases. If the file “C:\Boot\memtest.exe.encrypt” cannot be found, please search for another executable that has been encrypted using the “*.exe.encrypt” search pattern.
This is sample command line that resolves the encryption key by brute forcing “C:\Boot\memtest.exe.encrypt” file and storing the result key into key.txt file:
5) The following screenshot shows an active brute force session for resolving the encryption key. Progress and elapsed time are updated as the utility cycles through combinations to find the encryption key:
Here is a sample output of the report file key.txt where the encryption key gets stored in plain text.
6) After the utility finds the encryption key, use the utility to decrypt files. For details on this, run the utility with the “-decrypt” option. Following command will decrypt all files on the local C:\ disk.
-decrypt:c:\ -key:[ENTER KEY VALUE]
Notice that if un-encrypted version of a file already exists, the utility won’t overwrite it. Also the utility DOES NOT DELETE the encrypted version of the files, so the user may need to go and manually delete the encrypted files using Agent Ransack search utility (available here http://www.mythicsoft.com/agentransack) by searching and deleting all files that have suffix “.encrypt”.
For any questions please contact us at firstname.lastname@example.org.