Cryptolocker crooks offer victims a second chance
Posted on 04.11.2013
The criminals behind Cryptolocker, the destructive ransomware that has lately been targeting mostly US and UK PC users, are trying to earn more money by offering users who have initially decided not to pay to have their files decrypted a chance to change their mind.

As you might remember, Cryptolocker is aimed at organisations instead of home users, as it encrypts files most likely to be crucial for organisations such as office files, digital certificate files, AutoCAD files, etc, and the email campaigns delivering it support that theory.

"For each file matching one of these patterns, the malware will generate a new 256 bit AES key. This key will then be used to encrypt the content of the file using the AES algorithm," the researchers explained when the malware was first discovered.

"The AES key is then encrypted using the unique RSA public key obtained earlier. Both the RSA encrypted AES key, as well as the AES encrypted file content together with some additional header information are then written back to the file. Last but not least the malware will log the encryption of the file within the HKEY_CURRENT_USER\Software\CryptoLocker\Files registry key. This key is later used by the malware to present the list of encrypted files to the user and to speed up decryption."

Unfortunately for the users, the RSA public key created for their system is only known to the attackers, as it’s stored on the C&C server the malware uploaded it to, and the users are asked to pay 300 dollars/euros (or 2 Bitcoins) in order to receive it. The offer usually stands for 72 hours, after which, the crooks claim, the key is deleted forever.

But, according to Paul Ducklin, that might have been an empty threat, as the crooks have now set up a CryptoLocker Decryption Service where the victims can upload one of its encrypted files and wait for the criminals to notify them if their key can be found. If it can, the user will have to pay an even greater price: 10 Bitcoins (currently around $2,220).

Whether this “service” actually works, and whether the crooks will send the key in case the victim decided to pays is unknown. The best mitigation against the adverse effects Cryptolocker and ransomware in general can have on your computer is still to regularly update your critical files.


How security pros deal with cybercrime extortion

1 in 3 security professionals recommend negotiating with cybercriminals for the return of stolen data or the restoration of encrypted files. 86% of security professionals believed their peers at other organizations have brokered deals with cybercriminals.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Apr 1st