Update: Computers infected by the Locker crypto-ransomware were today decrypted as promised by the malware’s author, who last week posted the decryption keys to an upload site and apologized for releasing the malware.
Lawrence Abrams of Bleeping Computer said the infected computers were decrypted for free. A post to Bleeping Computer said that the author’s decryption command only works on computers that are still infected. Any machines that have removed the malware can use a tool posted to the site over the weekend to decrypt their files.
A database containing the Bitcoin address where payments were to be made along with public and private keys, was uploaded over the weekend to mega.co.nz in a CSV file, a post to Pastebin from the alleged author says. Details on the structure of the encrypted files were also provided.
“This is a dump of the complete database and most of the keys weren’t even used,” the post says. “All distribution of new keys has been stopped.”
The post also promised that automatic decryption of any infected computers was to begin at midnight today.
KnowBe4 CEO Stu Sjouwerman speculated in a blogpost that either the author has made enough money with this campaign, is close to being caught be law enforcement, or is under pressure from rival criminals.
KnowBe4 said Locker lie dormant on compromised machines until midnight May 25 when it started to infect machines and encrypt files, behaving similarly to CryptoLocker. The Locker malware was spread via malvertising campaigns redirecting users to exploit kits, and possibly a compromised Minecraft installer, the company said.
Locker targets Windows machines and targets a slew of file types, including .doc, .docx, .xlsx, .ppt, .wmdb, .ai, .jpg, .psd, .nef, .odf, .raw, .pem, .rtf, .raf, .dbf, .header, .wmdb, .odb, .dbf. KnowBe4 said Locker does not change the file extension on encrypted files, and users will see error messages as they try to open the files.
Unlike other ransomware strains charging upwards of $500 or more to decrypt files, Locker was seeking 0.1 Bitcoin, around $30USD. None of the victims, however, have been refunded, KnowBe4 said.
“If you build code like this, you know very well what you are doing. The fact it was built as a ‘sleeper’ shows months-long careful planning,” Sjouwerman said. “The other point is that if he would really have genuine remorse, everyone would get refunded which does not seem to have happened. It is also not clear if current infection vectors have been turned off or not.”
Sjouwerman said this could be the author’s first foray into malware development.
“What we can assume is that he is a talented coder but not an experienced cyber criminal because a foul-up like this would never have happened with professional Eastern European organized cybercrime,” Sjouwerman said. “He may have worked as a developer for one of these gangs and decided to start his own outfit which backfired.”