This tool was written to decrypt files affected by the NELocker ransomware. NELocker generates a random key (usually 1024 bytes long) and encrypts files by XORing them with that key.
xor-decrypt is written in Google Go and runs natively on Linux, Windows and macOS.
xor-decrypt has context-aware help, try this for more information:
xor-decrypt --help
xor-decrypt getkey --help
xor-decrypt decrypt --help
Step Zero: Download xor-decrypt
Releases are here.
chmod +x the downloaded binary on Linux and macOS.
Optional: Remove the suffix to match the examples.
Optional: Move the binary into $PATH.
Step One: retrieve key
To compute the key, the user must have both an encrypted and the unencrypted version of the same file.
Unencrypted versions can usually be found on external backup media (USB sticks, cloud storage) or
enterprise versioned file storage (CIFS shares with versioning).
Use the getkey subcommand to compute the key (adapt all example commands to fit your environment):
xor-decrypt getkey file.docx file.docx.encrypted
The key is saved as key.dat.
Step Two: decrypt files
The decrypt subcommand decrypts all given files using the key.dat generated in the first step.
To decrypt all affected files, combine this tool with your platform's “recursive magic utility”. Again, make
sure to adapt these examples (especially the path and the matching pattern) to match your case.
By default, decrypted files are named like the encrypted original plus a .decrypted suffix:
foo.docx.crypted becomes foo.docx.crypted.decrypted.
xor-decrypt decrypt has two options to add and remove suffixes. Use xor-decrypt decrypt -r .crypted
to remove .crypted, thus restoring the original filenames. Use -a to add suffixes.
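The two steps above rest on one property of XOR: plaintext XOR ciphertext gives back the keystream, and one period of that keystream is the key. The following Go program, added here as an illustration and not the code of xor-decrypt itself, does what getkey and decrypt do in miniature: it recovers the repeating key from a known plaintext/ciphertext pair, confirms the key length by finding the smallest period of the keystream (bounded by 1024, the usual NELocker key size), and then decrypts a second file with the recovered key. All sample data (the key, the two documents) is constructed inline; the function names are this example's own. It also shows two failure modes a practitioner will meet: the pair is not really the same file (lengths differ), or the known file is shorter than twice the key, so the period cannot be confirmed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// xorWithKey XORs data with a repeating key. XOR is its own inverse, so the
// same function both encrypts and decrypts.
func xorWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// findPeriod returns the smallest p in [1, maxPeriod] such that the keystream
// repeats every p bytes over the whole sample, or 0 if the sample is too short
// (fewer than 2*p bytes) to confirm any period up to maxPeriod.
func findPeriod(ks []byte, maxPeriod int) int {
	for p := 1; p <= maxPeriod && 2*p <= len(ks); p++ {
		if bytes.Equal(ks[:len(ks)-p], ks[p:]) {
			return p
		}
	}
	return 0
}

// recoverKey derives the repeating XOR key from a plaintext/ciphertext pair of
// the same file: plain XOR cipher yields the keystream, and the key is one
// period of it. maxPeriod bounds the search (NELocker keys are usually 1024 bytes).
func recoverKey(plain, cipher []byte, maxPeriod int) ([]byte, error) {
	if len(plain) != len(cipher) {
		return nil, errors.New("plaintext and ciphertext lengths differ: not the same file, or the encryptor appended data")
	}
	ks := xorWithKey(plain, cipher) // keystream = plain ^ cipher
	p := findPeriod(ks, maxPeriod)
	if p == 0 {
		return nil, fmt.Errorf("need at least 2*keylen bytes (%d available) to confirm the key period", len(ks))
	}
	return ks[:p], nil
}

func main() {
	// Constructed sample data; the real tool reads these from files on disk.
	key := []byte("constructed-demo-key") // 20 bytes, stands in for the 1024-byte key
	plain := []byte("Quarterly report: revenue up 4%, costs flat, headcount unchanged.")
	cipher := xorWithKey(plain, key)

	k, err := recoverKey(plain, cipher, 1024)
	if err != nil {
		fmt.Println("key recovery failed:", err)
		return
	}
	fmt.Printf("recovered %d-byte key: %q\n", len(k), k)

	// Decrypt a different file that was encrypted with the same key.
	other := []byte("Second document, never seen in plaintext by the recovery step.")
	otherCipher := xorWithKey(other, key)
	fmt.Printf("decrypted: %s\n", xorWithKey(otherCipher, k))
}
```

The period check is what makes the recovered key trustworthy: if the known file is shorter than twice the key length, the program refuses rather than emitting a truncated key that would only partially decrypt other files. With a real 1024-byte key that means picking a known file of at least 2 KiB.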
Windows (PowerShell)
gci -Recurse -Path . -Filter *.crypted -File | %{.\xor-decrypt.exe decrypt $_.FullName}
Remove suffix:
gci -Recurse -Path . -Filter *.crypted -File | %{.\xor-decrypt.exe decrypt -r .crypted $_.FullName}
Linux and macOS
find . -type f -and -iname \*.crypted -print0 | xargs -0 -n64 ./xor-decrypt decrypt
Remove suffix:
find . -type f -and -iname \*.crypted -print0 | xargs -0 -n64 ./xor-decrypt decrypt -r .crypted