Crypt0L0cke Virüsü Bulaştı yardım.

To resolve the encryption of files, there is nothing we can do due to the type of encryption used.
This malware uses a domain generator. This generator creates the domain based on the date and generates up to 1000 different domains each day. It tries to connect to each one until it actually connects to one of them. When it succeeds, it downloads a public RSA key from the command and control server (C&C) which will be the RSA key it will use for ciphering. The author is the only one who owns the private key associated to this public key, which is required to decrypt the encrypted samples.

The ciphering is done with RSA and at any moment the author is the only one who owns the private key, so once the files are encrypted, it is impossible to recover them without this private key.

Once the ransomware downloads the public key, it begins to go over the file system encrypting all the files it finds with the following extensions:
*.odt *.ods *.odp *.odm *.odc *.odb
*.wps *.xls *.xlsx *.xlsm *.xlsb *.xlk
*.ppt *.pptx *.pptm *.mdb *.accdb *.pst
*.dwg *.dxf *.dxg *.wpd *.rtf *.wb2
*.mdf *.dbf *.psd *.pdd *.eps *.ai
*.indd *.cdr *.doc ????????.jpe *.jpg *.dng
*.3fr *.arw *.srf *.sr2 *.bay *.crw
*.cr2 *.dcr *.kdc *.erf *.mef *.mrw
*.nef *.nrw *.orf *.raf *.raw *.rwl
*.rw2 *.r3d *.ptx *.pef *.srw *.x3f
*.der *.cer *.crt *.pem *.pfx *.p12
*.p7b *.p7c *.docx *.docm

It saves the path of each encrypted file in the following registry key:
HKEY_CURRENT_USER\Software\CryptoLocker\Files
It saves the ciphering public key in:
HKEY_CURRENT_USER\Software\CryptoLocker\Public Key
The ransomware is installed in the Run key so as to be automatically run on each reboot:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run \CryptoLocker

As we mentioned before, it is impossible to recover the files once they have been encrypted, as a safe ciphering as RSA with a strong enough key is used. The use of data recovering tools is not possible either, because the original file is overwritten with the ciphered data, so the disk sectors with the original data are also overwritten.