A family of ransomware known as CryptoLocker has added the popular digital currency Bitcoin to the list of payment methods it accepts in exchange for the private key that will decrypt the files encrypted by the malware.

According to a blog post by AlienVault researcher Alberto Ortega, Bitcoin joins the online payment services Ukash, MoneyPak, and cashU as possible means of paying the roughly $300 ransom requested by CryptoLocker.

Ransomware is a type of malware that attempts to extort money from its victims by encrypting their files or locking down their computer in some other way. The malware generally threatens that user files or the victim machine itself will remain inaccessible until the user pays the ransom. There is never any guarantee that paying these ransoms will recover anything. In many cases it is entirely possible that the files aren’t really encrypted, or that they are completely unrecoverable. Paying such ransoms is not recommended. It is better to remove the malware with an antivirus product of some kind or by cleaning the infected machine manually.

While the move to accept the pseudo-anonymous crypto-currency for malware-ransom payments is certainly new, it also appears – in this specific case – to have not worked thus far. Ortega examined the transaction record of the Bitcoin address listed in the scammer’s malware interface, finding that the scheme has yet to net the criminal a single Bitcoin. As Ortega points out, at present, Bitcoin is used almost exclusively by the technically savvy, who are far less likely to become infected with malware in the first place. However, two similar scams utilizing the same malware family but offering different Bitcoin addresses for payment have made modest profits. These transactions can be monitored on the Bitcoin wallet site Blockchain.
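The check Ortega performed is a tally of every transaction that paid the ransom address. The following is an added example (not code from the article or from AlienVault) that does this over a constructed, simplified ledger extract; the record shape, the placeholder address and the amounts are all assumptions made for the example, not the format of Blockchain or any other block-explorer API. It separates what the address received from what it still holds, because an operator who has already moved funds on shows a zero balance even though victims did pay.

```python
SATOSHI = 100_000_000  # satoshi per bitcoin

# Constructed ledger extract for the example. The record shape (a list of
# transactions, each with "inputs" and "outputs" carrying an address and a
# value in satoshi) is an assumption made for this example, not the format of
# any particular block-explorer API. The address is a labelled placeholder.
RANSOM_ADDRESS = "1RANSOM-ADDRESS-PLACEHOLDER"

SAMPLE_TXS = [
    {   # a victim pays the ransom
        "hash": "tx-a",
        "inputs":  [{"addr": "1victim-1", "value": 50_000_000}],
        "outputs": [{"addr": RANSOM_ADDRESS, "value": 49_990_000}],
    },
    {   # unrelated traffic that must not be counted
        "hash": "tx-b",
        "inputs":  [{"addr": "1someone", "value": 100_000}],
        "outputs": [{"addr": "1someone-else", "value": 90_000}],
    },
    {   # the operator moves the funds out to an exchange
        "hash": "tx-c",
        "inputs":  [{"addr": RANSOM_ADDRESS, "value": 49_990_000}],
        "outputs": [{"addr": "1exchange", "value": 49_980_000}],
    },
]


def address_summary(txs, address):
    """Tally every payment to and from `address` across a list of transactions.

    Returns received and spent totals (satoshi), the resulting balance, and the
    number of distinct transactions that paid the address. A zero balance does
    not mean nobody paid: funds may simply have been moved on, so `received`
    and `payments` are the figures that answer "has anyone paid the ransom?".
    """
    received = spent = 0
    payments = 0
    for tx in txs:
        paid_in = sum(o["value"] for o in tx["outputs"] if o["addr"] == address)
        paid_out = sum(i["value"] for i in tx["inputs"] if i["addr"] == address)
        if paid_in:
            payments += 1
        received += paid_in
        spent += paid_out
    return {
        "received": received,
        "spent": spent,
        "balance": received - spent,
        "payments": payments,
    }


def btc(satoshi):
    """Format a satoshi amount as a BTC string."""
    return f"{satoshi / SATOSHI:.8f} BTC"


if __name__ == "__main__":
    s = address_summary(SAMPLE_TXS, RANSOM_ADDRESS)
    print(f"payments: {s['payments']}, received: {btc(s['received'])}, "
          f"spent: {btc(s['spent'])}, balance: {btc(s['balance'])}")
```

Against the constructed ledger the address reports one payment of 0.4999 BTC received and a balance of zero, which is exactly the case where looking only at the balance would wrongly suggest the scheme had earned nothing.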

Payments aside, the malware claims to encrypt photos, videos, documents, and more, even providing victims with a link to a full list of encrypted file types. The malware creators claim to have deployed RSA-2048 encryption protected by a private key. The ransomware interface also displays a countdown clock, warning users that if the time elapses, the private decryption key will be deleted and there will be no way to recover the encrypted files.
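When triaging a machine or a file share after an infection like this, the first question is which files were actually overwritten with ciphertext. The following is an added example (not code from the article or from any vendor) of a simple heuristic for that: a file whose extension implies a known header that is now missing was overwritten, and a file with no known header is judged by its byte entropy. The magic-number table, the threshold and the sample files are constructed assumptions for the example; compressed formats such as JPEG and ZIP-based Office documents are high-entropy by design, which is why the header test runs first.

```python
import hashlib
import math
import os

# Expected leading bytes ("magic numbers") for a few common document and image
# types. This table is an assumption for the example; extend it for your estate.
MAGIC = {
    ".pdf":  b"%PDF",
    ".jpg":  b"\xff\xd8\xff",
    ".png":  b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",  # Office Open XML files are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".zip":  b"PK\x03\x04",
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; plain text sits around 4 to 5


def shannon_entropy(data: bytes) -> float:
    """Entropy of a byte string in bits per byte (0.0 for empty, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(name: str, data: bytes) -> bool:
    """Heuristic: does this file's content look like ciphertext?

    A file whose extension has a known header that is now missing was almost
    certainly overwritten; a file with no known header is judged by entropy
    alone. Compressed formats (JPEG, PNG, ZIP/docx) are high-entropy by design,
    which is why the header test is applied first.
    """
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext)
    if expected is not None:
        return not data.startswith(expected)
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan(files: dict) -> list:
    """Return the names of files in {name: bytes} that look encrypted, sorted."""
    return sorted(name for name, data in files.items() if looks_encrypted(name, data))


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample "share": three intact files and two overwritten ones.
SAMPLE_FILES = {
    "report.pdf":  b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40,
    "photo.jpg":   b"\xff\xd8\xff\xe0" + _pseudo_random(2048),  # JPEG bodies are high-entropy too
    "notes.txt":   b"Quarterly notes: backups verified, restore tested.\n" * 60,
    "invoice.pdf": _pseudo_random(4096),  # header gone: overwritten in place
    "minutes.txt": _pseudo_random(4096),  # no header to check, entropy decides
}


if __name__ == "__main__":
    for name in scan(SAMPLE_FILES):
        ent = shannon_entropy(SAMPLE_FILES[name])
        print(f"{name}: looks encrypted (entropy {ent:.2f} bits/byte)")
```

On the constructed share only `invoice.pdf` and `minutes.txt` are reported; the intact PDF, the JPEG and the plain-text notes pass. The heuristic is a triage aid for deciding which files must come from backup, not a detector for the malware itself, and it says nothing about files the malware renamed or truncated, so pair it with the backup advice in the comments below rather than relying on it alone.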


Bitcoin enthusiasts defend the crypto-currency as an easy-to-use, globally accepted method of buying and selling goods and services online. Unfortunately, Bitcoin is widely used by cyber- and traditional criminals as well. The digital currency offers a number of perks for criminal use, chief among them the fact that the currency is decentralized. There is no central authority governing Bitcoin, and therefore there is no way of freezing a Bitcoin account thought to be involved in criminal behavior. Bitcoin is also anonymous and difficult to track.

Earlier this month, the FBI seized and shut down an underground cybercriminal marketplace known as the Silk Road. The shutdown demonstrated the extent to which users could purchase illegal drugs, weapons, and hacking tools using Bitcoin and money transfer services.

It’s difficult to operate a multi-billion dollar operation like the Silk Road using only Bitcoin, though. As Kaspersky Lab principal security researcher Kurt Baumgartner explained in a recent Threatpost interview shortly after the Silk Road takedown, much of the value attributed to Bitcoins relies on an emerging industry of overseas currency exchangers that will essentially pay cash for Bitcoins at a discounted rate or – depending on how you look at it – exchange cash for Bitcoins for a fee.

Categories: Malware

Comments (8)

  1. Brad

    So, you mention that “the malware claims to encrypt photos, videos, documents, and more”.

    My IT shop has seen 6 instances of this, and each time it encrypts ALL of those, including networked drives. So if your client has a share drive where they stored all of their documents, kiss that goodbye. Outside of having to pay for the key, backups are the key. While the ransomware is easy to remove, its encrypting effects are not. We advise all clients to have up-to-date backups just in case they get hit with this.

  2. Paul beddows

    And back it up on a removable drive you do not leave connected to the machine, and do a recovery from a boot disk preferably, not from Windows.

  3. westcott

    I have not seen any comment on law enforcement regarding Cryptolocker or other ransomware. Is there anything that law enforcement does or can do to stop these schemes, or is the internet like the Wild West?

  4. Naser

    I have an infected PC with all documents, PDF, XSL, cannot be opened, what is the solution, the virus infected my images and destroyed them and infected all files on my network as well,

  5. Brad

    Naser,

    Cryptolocker does not destroy the files, it ENCRYPTS them, the only way to get back to working order is to restore from backups or pay the ransom they are asking for.

  6. Naser

    Is there a way to reach those people, they have infected network backups, as well as images were corrupted, could not be found

  7. Brad

    No – the only way to get the files back now is to follow the on-screen instructions, if you removed the virus and the background that it leaves, then you are SOL, they give you a direct link on the background image to redownload the virus so that you can have the ability to follow their directions to get things decrypted.
