xor-decrypt

command module
v0.0.0-...-88e022b
Published: Oct 17, 2016 License: Apache-2.0 Imports: 1 Imported by: 0

README

Decryption Tool for XOR-Encryption

This tool was written to decrypt files affected by the NELocker ransomware. NELocker generates a random key (usually 1024 bytes long) and encrypts files by XORing them with that key.

xor-decrypt is written in Google Go and runs natively on Linux, Windows and macOS.

xor-decrypt has context-aware help, try this for more information:

xor-decrypt --help
xor-decrypt getkey --help
xor-decrypt decrypt --help

Step Zero: Download xor-decrypt

Releases are here

chmod +x the downloaded binary on Linux and macOS.

Optional: rename the downloaded binary (drop the platform suffix) so that it matches the examples below.

Optional: Move binary into $PATH.

Step One: retrieve key

To compute the key, the user must have both an encrypted and the unencrypted version of the same file. Because XOR encryption is its own inverse, the key is simply the plaintext XORed with the ciphertext, byte for byte; the known file should therefore be at least as long as the key, otherwise only a prefix of the key is recovered. Unencrypted versions can usually be found on external backup media (USB sticks, cloud storage) or enterprise versioned file storage (CIFS shares with versioning).

Use the getkey subcommand to recover the key (adapt all example commands to fit your environment):

xor-decrypt getkey file.docx file.docx.encrypted

The key is saved as key.dat.

Step Two: decrypt files

The decrypt subcommand decrypts all given files using key.dat generated in the first step.

To decrypt all affected files, combine this tool with your platform's “recursive magic utility”. Again, make sure to adapt these examples (especially the path and the matching pattern) to match your case.

By default, a decrypted file is named after the encrypted original with .decrypted appended: foo.docx.crypted becomes foo.docx.crypted.decrypted. xor-decrypt decrypt has two options to add and remove suffixes. Use xor-decrypt decrypt -r .crypted to remove .crypted, thus restoring the original filenames. Use -a to add a suffix.

Windows (Powershell)

gci -Recurse -Path . -Filter *.crypted -File | %{.\xor-decrypt.exe decrypt $_.FullName}

Remove suffix:

gci -Recurse -Path . -Filter *.crypted -File | %{.\xor-decrypt.exe decrypt -r .crypted $_.FullName}

Linux and macOS

find . -type f -and -iname \*.crypted -print0 | xargs -0 -n64 ./xor-decrypt decrypt

Remove suffix:

find . -type f -and -iname \*.crypted -print0 | xargs -0 -n64 ./xor-decrypt decrypt -r .crypted
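The following Go program is an added example, not code from the xor-decrypt project, showing what the two steps above do under the hood: Step One recovers the key from a known plaintext/ciphertext pair (the key is the XOR of the two), Step Two applies that key to other files. It assumes the key is repeated across the whole file (which a fixed-length key XORed over longer files implies), and it uses a constructed 10-byte key and sample text instead of a real 1024-byte NELocker key. The period-detection heuristic (accept a key length only once two full repetitions confirm it) is the example's own, not necessarily the tool's.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Constructed sample data for the demonstration. NELocker's real key is
// usually 1024 bytes; a 10-byte key keeps the output readable.
var sampleKey = []byte("k3y-bytes!")
var samplePlain = []byte("The quick brown fox jumps over the lazy dog. " +
	"The quick brown fox jumps over the lazy dog.")

// keystreamFromPair recovers the raw keystream from a known plaintext and the
// matching ciphertext. Since c = p XOR k, k = p XOR c, byte for byte.
func keystreamFromPair(plain, cipher []byte) ([]byte, error) {
	if len(plain) != len(cipher) {
		return nil, errors.New("plaintext and ciphertext lengths differ: not a plain XOR of this file")
	}
	if len(plain) == 0 {
		return nil, errors.New("empty input")
	}
	ks := make([]byte, len(plain))
	for i := range plain {
		ks[i] = plain[i] ^ cipher[i]
	}
	return ks, nil
}

// repeatingKey shrinks a recovered keystream to its smallest period. It only
// accepts a period that is confirmed by at least two full repetitions, so a
// known file shorter than twice the key length yields ok == false: the
// keystream is then returned unchanged and is only a prefix of the key.
func repeatingKey(ks []byte) (key []byte, ok bool) {
	for p := 1; 2*p <= len(ks); p++ {
		// ks has period p iff ks[i] == ks[i+p] for every i.
		if bytes.Equal(ks[:len(ks)-p], ks[p:]) {
			return ks[:p], true
		}
	}
	return ks, false
}

// xorWithKey XORs data with the key repeated as often as needed. XOR is its
// own inverse, so the same function encrypts and decrypts.
func xorWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

func main() {
	// Step One: the ransomware's output for a file we still have a clean copy of.
	cipher := xorWithKey(samplePlain, sampleKey)

	ks, err := keystreamFromPair(samplePlain, cipher)
	if err != nil {
		fmt.Println("getkey failed:", err)
		return
	}
	key, ok := repeatingKey(ks)
	if !ok {
		fmt.Println("known file too short to confirm the key length; recovered prefix only")
	}
	fmt.Printf("recovered key (%d bytes): %q\n", len(key), key)

	// Step Two: decrypt another file with the recovered key.
	other := xorWithKey([]byte("second file, different content, same key"), sampleKey)
	fmt.Printf("decrypted: %q\n", xorWithKey(other, key))
}
```

If the only clean file you have is shorter than the key, the recovered keystream is a prefix of the key and can only decrypt the first bytes of other files; a length mismatch between the clean and the encrypted copy means the ransomware did more than XOR (for example appended a header), and the pair should not be used as is.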

Documentation


There is no documentation for this package.
