CryptoLocker ransomware crooks offer "late payment penalty" option

Filed Under: Cryptography, Data loss, Featured, Malware, Ransomware

The crooks behind the CryptoLocker malware seem to have introduced a second chance option.

Victims, it seems, can now change their minds about not paying up.

Assume you were a victim of this devious malware, and decided, "No! I will not pay!"

Imagine that you've done a full cleanup; removed the malware from memory, hard disk and Windows registry; and gone to see what you can recover from your backup disks.

Now imagine that you are having malware cleaner's remorse.

Perhaps paying $300 would have been the pragmatic approach?

→ As we've been saying, our recommendation is not to pay up, but we also have to admit that it's easy for people who haven't had their favourite files scrambled to take that attitude.

Perhaps you had the malware for longer than you realised, and the backups you thought would help are scrambled?

Perhaps your infected computer had access to documents on a server at the office, and ruined other people's files, too?

In short, perhaps you'd like a chance to change your mind?

Enter the CryptoLocker Decryption Service:

This service allow you to purchase private key and decrypter for files encrypted by CryptoLocker.

If you already purchased private key using CryptoLocker, then you can download private key and decrypter for FREE.

Select any encrypted file and click "Upload" button.

The first 1024 bytes of the file will be uploaded to the server for search the associated private key. The search can take up to 24 hours.

IMMEDIATELY AFTER UPLOADING FILE TO THE SERVER, YOU RECEIVE YOUR ORDER NUMBER. YOU CAN USE THIS NUMBER TO CHECK STATUS OF ORDER.

OR if you already know your order number, you may enter it into the form below.

Apparently the crooks will now let you buy back your key even if you didn't follow their original instructions.

Word on the street, however, is that the crooks want five times as much as they were charging originally to decrypt your data after you change your mind

The cost of is now 10 Bitcoins instead of the 2 Bitcoins they were after at the start - a sort of late payment penalty, like the taxation office imposes.

According to this latest website, you send them the first 1024 bytes of any encrypted file in order to determine your eligibilty for the new "service," and then wait up to 24 hours.

We're guessing that the delay is because the crooks have to run a brute force attack against themselves.

Without your public key to help them match up your keypair in their database, it sounds as though they have to try to decrypting your data with every stored private key until they hit one that produces a plausible result.

They're not actually saying whether this new service works even if the 72 hour deadline imposed at the start has expired.

The implication, however, is that it will - not least because the 24-hour delay needed to process your "order" would otherwise reduce that deadline to 48 hours, cutting down their window for extortion substantially.

Furthermore, those 48 hours would have to include the time for you to clean up, find that you couldn't recover by more palatable means than the initial threat, change your mind, and contact the "second chance" website.

If so, the crooks' original claim was bogus all along:

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files.

Nobody and never, eh?

We're still saying, "Don't buy," but we're feeling your pain enough to know how tempting it will be for some people to pay the crooks, even though the blackmail charges have now ballooned to more than $2000.

In the meantime, if you've decided not to pay - or have escaped the depredations of these crooks so far - we urge you to check out our advice:

,

You might like

9 Responses to CryptoLocker ransomware crooks offer "late payment penalty" option

  1. Tamas Feher · 302 days ago

    Dear Sirs,

    I have some interesting feedback from a CryptoLocker malware affected
    hungarian sysadmin.

    [edited for brevity]

    The malware did not seek out and encrypt or overwrite these nominally deleted file chunks [Microsoft Office autosave files], so the sysadmin managed to regain about 90% of all affected Excel and Word docs.

    The recovery process took the lenght of the entire night and the orignal
    filenames were lost. However, the file sizes of plain-text and malware-encrypted documents differ only very little, so it is usually possible to match them based on filesize info and thus find out the original file name.

    • Jake · 301 days ago

      Don't tell anyone - they'll just add those file types to the next version!

  2. Sootie · 301 days ago

    Given that they do seem to be keeping every private key they have ever used surely there must be some white hat (ish) hacker who could break into their systems and steal that database and make it available to everyone.

    • Paul Ducklin · 301 days ago

      So far, it seems not.

      Interesting to hear from a lawyer what the legal system in various countries would say if you did break in and "steal back" the keys.

      AFAIK in the UK, you can offer as an excused for crime X the fact that you committed it to prevent crime Y, where Y > X.

    • Tamas Feher · 301 days ago

      I think the hackers are not that stupid. They probably keep the raw keys dump offline and the 24-48 hrs time delay in delivery allow them to move requests in-out of the net-facing server.

  3. Shey · 301 days ago

    There's a website to purchase the key and no one can take this down? This is really unbelievable.

    • Jeremy · 301 days ago

      Not one website. There seems to be a range of domains. Besides they can always create clones.

      • Shey · 301 days ago

        It's the same. It is easier to find this new website that to upload a new one. Besides datacenters and hosting providers should now start screening their clients and be more suspicious.

        One way or another there's a way to find these guys. Let's stop acting as if they can control us.

  4. Hundreds of billions spent for software to spy on its own people. Ibid, to spy on other countries' citizens. But a scant few millions catch cyber terrorists. How do you catch a crook?

    FOLLOW THE MONEY.

    Instead, we'll get excuses on how it's illegal for the government to pry into these financial affairs of our citizens and the world at large. Getting tired of the attitude that getting tough on IT terrorists may harm the huge security market and all the jobs it provides.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog