CryptoLocker creators try to extort even more money from victims with new service

Users who removed the original malware infection, intentionally or not, are asked to pay five times more to recover their files

The creators of CryptoLocker, a piece of malware that encrypts user data and holds it for ransom, are giving users who removed the malicious program from their computers a second chance to recover their files, but at a much higher cost.

CryptoLocker is a malicious program that falls into a category of malware called ransomware. Once installed on a computer, ransomware applications typically prevent victims from accessing their files or even their operating system until they pay money to the malware authors.

Security researchers generally advise users against giving in to this kind of extortion, and in many cases there is a way to regain access to everything without paying up.

However, CryptoLocker uses public-key cryptography to encrypt files that match a long list of extensions, including documents, spreadsheets, images and even AutoCAD design files. According to researchers from antivirus firm Sophos, the malware's creators got the encryption right: the private key needed to decrypt the files is unique to each infected computer and is held only on the attackers' servers, so it cannot be recovered from the machine itself, and there is no way to obtain it without paying up.

After it infects a computer, CryptoLocker displays a message informing victims that if they don't pay the equivalent of US$300 or €300 in Bitcoins, a virtual currency, or via MoneyPak, a type of prepaid card, within 72 hours, the unique decryption key for the files will be automatically destroyed.

Users who regularly back up their data can clean their computers and restore the affected files from backups, but users who don't have backups should consider those files lost, the Sophos researchers said.

Some files might be recoverable through Volume Shadow Copy, the snapshot technology behind the System Restore feature in Windows, but only if System Protection was enabled on the affected volume and snapshots taken before the infection still exist.

However, even users who have backups might realize that they're not enough to repair the damage done by the malware. Those backups might be too old or they might not include files from remote network shares that have also been encrypted by the malware.

It seems that the creators of CryptoLocker considered that possibility and realized that some users might have initially removed the malware, but then, for whatever reason, changed their mind about paying up. As a result, they've recently started offering an online decryption service that allows such users to still recover their files, but at a much higher price.

"Apparently the crooks will now let you buy back your key even if you didn't follow their original instructions," Paul Ducklin, the head of technology for the Asia-Pacific region at Sophos, said Monday in a blog post. "Word on the street, however, is that the crooks want five times as much as they were charging originally to decrypt your data after you change your mind."

Using the service costs 10 Bitcoins -- around $2,300 at the current Bitcoin exchange rate -- and requires the user to upload one of the encrypted files. The first 1024 bytes of that file are used to search for the associated private key, a process that can take up to 24 hours.

"We're guessing that the delay is because the crooks have to run a brute force attack against themselves," Ducklin said. "Without your public key to help them match up your keypair in their database, it sounds as though they have to try decrypting your data with every stored private key until they hit one that produces a plausible result."
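The search Ducklin describes, reconstructed as an added example in Go. This is not code from the article, from Sophos, or from the malware: it simulates the attackers' key store with one RSA key pair per victim, a hybrid file format in which a fresh AES key per file is wrapped with the victim's public key, and a server-side search that tries every stored private key against the first 1024 bytes of an uploaded file. The file layout, the key sizes, the four-victim store and the use of OAEP padding failure as the "plausible result" test are assumptions for illustration, not CryptoLocker's real format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed on-disk layout of an encrypted file (illustration only, not CryptoLocker's format):
//   [rsaWrappedLen bytes: per-file AES key, RSA-OAEP/SHA-256 wrapped with the victim's public key]
//   [nonceLen bytes: AES-GCM nonce]
//   [AES-GCM ciphertext followed by its 16-byte tag]
const (
	rsaBits       = 2048
	rsaWrappedLen = rsaBits / 8 // 256 bytes, fits inside the uploaded header
	nonceLen      = 12
	headerLen     = 1024 // what the "decryption service" asks the victim to upload
)

// keyStore stands in for the attackers' server: one key pair per infected machine.
// The victim's machine only ever received the public half.
type keyStore struct{ keys []*rsa.PrivateKey }

func newKeyStore(n int) (*keyStore, error) {
	s := &keyStore{}
	for i := 0; i < n; i++ {
		k, err := rsa.GenerateKey(rand.Reader, rsaBits)
		if err != nil {
			return nil, err
		}
		s.keys = append(s.keys, k)
	}
	return s, nil
}

// encryptFile is the hybrid scheme: random AES-256 key per file, wrapped with RSA-OAEP.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append(wrapped, nonce...), nonce, plaintext, nil), nil
}

// header is the part the victim uploads: the first 1024 bytes, or the whole file if shorter.
func header(ct []byte) []byte {
	if len(ct) > headerLen {
		return ct[:headerLen]
	}
	return ct
}

// unwrapKey tries one private key against the header. A wrong key fails the OAEP padding
// check, so the server needs no heuristic about what the file "should" look like.
func unwrapKey(priv *rsa.PrivateKey, hdr []byte) ([]byte, error) {
	if len(hdr) < rsaWrappedLen+nonceLen {
		return nil, errors.New("header too short")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, hdr[:rsaWrappedLen], nil)
}

// findKey is the "brute force against themselves": with no victim ID in the upload, every
// stored private key is tried in turn. Cost grows linearly with the number of victims.
func (s *keyStore) findKey(hdr []byte) (idx, attempts int, err error) {
	for i, k := range s.keys {
		attempts++
		if _, e := unwrapKey(k, hdr); e == nil {
			return i, attempts, nil
		}
	}
	return -1, attempts, errors.New("no stored private key unwraps this header")
}

// decryptFile needs the complete ciphertext: the GCM tag sits at the end, past the header.
func decryptFile(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	fileKey, err := unwrapKey(priv, ct)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ct[rsaWrappedLen:rsaWrappedLen+nonceLen], ct[rsaWrappedLen+nonceLen:], nil)
}

func main() {
	store, err := newKeyStore(4) // four simulated victims
	if err != nil {
		panic(err)
	}
	doc := bytes.Repeat([]byte("constructed sample document line\n"), 100) // ~3.3 KB, longer than the header
	ct, err := encryptFile(&store.keys[2].PublicKey, doc)
	if err != nil {
		panic(err)
	}
	idx, tries, err := store.findKey(header(ct))
	if err != nil {
		panic(err)
	}
	fmt.Printf("matched stored key %d after %d trial decryptions\n", idx, tries)
	_, err = decryptFile(store.keys[idx], header(ct))
	fmt.Println("header alone recovers the file:", err == nil)
	pt, _ := decryptFile(store.keys[idx], ct)
	fmt.Println("full file recovered:", bytes.Equal(pt, doc))
}
```

Two things the code makes visible that the quote only implies: the first kilobyte is enough to identify which private key a file belongs to, because the wrapped file key sits at the front, but it is not enough to decrypt anything, so handing over a header reveals no content; and the search is linear in the number of stored keys, which is why a service that has lost the victim-to-key mapping takes hours rather than the seconds the original ransom flow presumably needed.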

However, it's not immediately clear whether using this service is still possible after the initial 72-hour deadline given by the malware. If it is, then the cybercriminals lied and the private keys are not being destroyed after that time period.

This decryption service might have also been created for users whose antivirus programs detected and deleted the malware after it encrypted the files, leaving them unable to buy the decryption key anymore.

"We're still saying, 'don't buy,' but we're feeling your pain enough to know how tempting it will be for some people to pay the crooks, even though the blackmail charges have now ballooned to more than $2,000," Ducklin said.
