FilesLocker is a Ransomware-as-a-Service (RaaS) operation in which the developer offers the ransomware executable to "affiliates". These affiliates then distribute the ransomware and split the revenue from ransom payments with the ransomware developer.
On December 29th, an unknown user released the master RSA decryption key for FilesLocker v1 and v2. This allowed Michael Gillespie to release a decryptor for files encrypted by the FilesLocker Ransomware that have the .[firstname.lastname@example.org] extension appended to file names.
To decrypt files encrypted by this ransomware, you need a copy of the ransom note, as it contains your encrypted decryption key.
Once you have located a ransom note for the infected computer you can use the instructions below to decrypt your files.
To decrypt a FilesLocker Ransomware v1 or v2 variant you can download the FilesLockerDecryptor from the link below.
Once downloaded, double-click on the executable to start the decryptor and you will be greeted with the main screen.
We now need to load the ransom note that contains your encrypted decryption key by clicking on Settings and then Load Ransom Note. It will then prompt you to select a ransom note, which can be found on the Desktop. The names of the ransom notes are #DECRYPT MY FILES#.TXT, #解密我的文件#.TXT, or #РАСШИФРОВЫВАТЬ МОИ ФАЙЛЫ#.TXT.
Once you have selected the ransom note, the key will be loaded into the decryptor.
Now click on the Select Directory button and select the drive you would like to decrypt, such as the C:\ drive. Once you select a drive, the Decrypt button will become available.
Now click on the Decrypt button to begin decrypting the selected folder/drive. Once you click Decrypt, the program will decrypt all the encrypted files and display the decryption status in the window.
When it has finished, the decryptor will display a summary of the number of files that have been decrypted. If some files were skipped, it may be due to the permissions configured on those files.
Though your files are now decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted files into one folder so you can delete or archive them.
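The clean-up step above can also be scripted. The following is an added example, not part of the decryptor or CryptoSearch: it locates ransom notes by the three names listed earlier and moves an encrypted file into an archive folder only when a non-empty decrypted copy exists beside it. The function names are hypothetical, the appended extension is passed in by the caller, and the script assumes the decrypted file keeps the original name in the same folder.

```python
import shutil
from pathlib import Path

# Ransom note names listed in the article, lower-cased for matching.
NOTE_NAMES = {n.lower() for n in (
    "#DECRYPT MY FILES#.TXT",
    "#解密我的文件#.TXT",
    "#РАСШИФРОВЫВАТЬ МОИ ФАЙЛЫ#.TXT",
)}


def find_ransom_notes(root):
    """Return every ransom note under root (case-insensitive name match)."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name.lower() in NOTE_NAMES)


def archive_encrypted(root, suffix, archive_dir):
    """Move encrypted files into archive_dir, but only those already decrypted.

    suffix: the extension the ransomware appended (supplied by the caller).
    Assumes the decrypted copy sits beside the encrypted file, same name
    without the suffix. Returns (moved, kept) lists of paths.
    """
    if not suffix:
        raise ValueError("suffix must not be empty")
    root, archive_dir = Path(root).resolve(), Path(archive_dir).resolve()
    moved, kept = [], []
    for enc in sorted(root.rglob("*")):  # sorted() snapshots the tree first
        name = enc.name
        if not enc.is_file() or not name.endswith(suffix) or name == suffix:
            continue
        if archive_dir in enc.parents:
            continue  # already archived on an earlier run
        plain = enc.with_name(name[: -len(suffix)])
        # Missing or zero-byte counterpart: leave the encrypted file in place
        # for manual review instead of archiving the only copy of the data.
        if not plain.is_file() or plain.stat().st_size == 0:
            kept.append(enc)
            continue
        dest = archive_dir / enc.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(enc), str(dest))
        moved.append(dest)
    return moved, kept
```

Files returned in `kept` correspond to the ones the decryptor skipped or failed on, so they are worth re-running through the decryptor after fixing permissions.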
You can now close the decryptor and use your computer as normal. If you need help using this decryptor, feel free to leave a comment.