Locker Decrypter – Python tool to decrypt files encrypted by Locker malware.

Locker is probably one of the worst pieces of malware in existence today. It is a variant of the Cryptolocker family of malware, so-called ransomware, which encrypts the victim’s important files (such as photos and documents) based on file extension.
As you might be aware, the private key is used with the .NET RSACryptoServiceProvider class, and files are encrypted with 256-bit AES using the RijndaelManaged class.
This is the structure of the encrypted files:
– 32 bit integer, header length
– byte array, header (length is previous int)

Decrypt the header byte array using RSA and the private key.
Decrypted byte array contains:
– 32 bit integer, IV length
– byte array, IV (length is in previous int)
– 32 bit integer, key length
– byte array, Key (length is in previous int)
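
The layout above as a parser, added here as an example and not taken from the Locker Decrypter source. It assumes little-endian length fields (the page does not state the byte order), treats everything after the header as the encrypted file body, and leaves the RSA step out, so the constructed sample stores the header in the clear; read_field, split_encrypted_file, parse_decrypted_header, build_sample and MAX_FIELD are hypothetical names.

```python
import struct

MAX_FIELD = 4096  # sanity cap (assumption): rejects corrupt or non-Locker length values


def read_field(buf, offset=0):
    """Read a 32-bit length followed by that many bytes; return (bytes, next_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length prefix at offset %d" % offset)
    (length,) = struct.unpack_from("<i", buf, offset)  # little-endian is an assumption
    start = offset + 4
    if not 0 < length <= MAX_FIELD or start + length > len(buf):
        raise ValueError("implausible field length %d at offset %d" % (length, offset))
    return buf[start:start + length], start + length


def split_encrypted_file(data):
    """Return (rsa_encrypted_header, rest_of_file) for one encrypted file."""
    header, end = read_field(data)
    return header, data[end:]


def parse_decrypted_header(blob):
    """Return (iv, key) from the header after RSA decryption."""
    iv, offset = read_field(blob)
    key, _ = read_field(blob, offset)
    if len(key) != 32:  # 256-bit key, as the page states
        raise ValueError("expected a 32-byte key, got %d bytes" % len(key))
    return iv, key


def build_sample(iv, key, body):
    """Constructed sample file; the header is left in the clear (no RSA step)."""
    blob = struct.pack("<i", len(iv)) + iv + struct.pack("<i", len(key)) + key
    return struct.pack("<i", len(blob)) + blob + body


if __name__ == "__main__":
    sample = build_sample(b"\x01" * 16, b"\x02" * 32, b"ciphertext-placeholder")
    header, rest = split_encrypted_file(sample)
    iv, key = parse_decrypted_header(header)  # real files need RSA decryption first
    print(len(iv), len(key), len(rest))
    try:
        split_encrypted_file(b"%PDF-1.4 plain file")  # not in the Locker layout
    except ValueError as err:
        print("rejected:", err)
```

The length checks matter for recovery work: a file that was never encrypted, or one that was truncated, fails here with a clear error rather than producing a bogus key and IV.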

This tool requires Python 2 (tested with 2.7, Python 3 does not work as someone would need to port the
+ untangle
+ pycrypto

How to decrypt files encrypted by the Locker malware:
First you have to dig out either the RSA public key or the Bitcoin address from the victim’s computer. The files containing the relevant information typically reside in the C:\ProgramData\rkcl directory.
+ data.aa0 – Contains list of encrypted files
+ data.aa6 – Contains the bitcoin address
+ data.aa7 – Contains the public key
Use either the RSA public key or the Bitcoin address to find the private key in the csv-file referred to above, and save it to the file private_key.xml:
Then run the tool in a directory where you want to decrypt your files:
The tool automatically tries to determine which of the files were actually encrypted and which were not. (Added a Rijndael reference implementation and a class to implement crypto-block-chain.)
