CryptoLocker victims offered free key to unlock ransomed files
Security researchers have released a tool that allows victims of the infamous CryptoLocker ransomware to recover their encrypted files at no charge.
DecryptCryptoLocker, from net security firm FireEye and threat intelligence company Fox-IT, offers a cure for the estimated 500,000 victims of CryptoLocker.
Victims upload a single CryptoLocker-encrypted file to the DecryptCryptoLocker portal in order to obtain the private key needed to decrypt the rest of their files, as explained in a blog post by FireEye.
A FireEye spokesman told El Reg that the decryption utility was built from a cache of private keys recovered from a commandeered command-and-control server. CryptoLocker's encryption scheme itself therefore remains unbroken, which, since it is based on the same best-practice cryptography that protects e-commerce and online privacy more generally, is actually a good thing. The flip side is that the service can only help victims whose private key is in that cache; a file encrypted under a key that never sat on the seized server stays out of reach.
The release of the decryption service comes around two months after a high profile FBI-led takedown operation against command nodes linked to CryptoLocker and Gameover ZeuS, a banking Trojan that also served as a conduit for the distribution of CryptoLocker.
At the time, the UK’s National Crime Agency said that UK businesses and the public had a “two-week opportunity to rid and safeguard themselves” from Gameover ZeuS and CryptoLocker.
CryptoLocker first surfaced in September 2013, with P2P ZeuS (aka Gameover ZeuS) malware quickly emerging as its main distribution method. The ransomware encrypted important files such as images and documents on compromised Windows machines before demanding that victims pay up to $500 in Bitcoin within 72 hours for the private key needed to unlock them.
CryptoLocker encrypted each file with the AES symmetric cipher and then encrypted that AES key with a 2048-bit RSA public key generated on CryptoLocker's server side, where the matching private key stayed. Without that private key the AES key, and so the file, cannot be recovered.
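The hybrid scheme just described, together with the key-cache lookup that makes the FireEye/Fox-IT portal possible, as an added example in Go. This is not code from the article, from FireEye or from Fox-IT: the page only says AES for the files and RSA-2048 for the key, so the choice of AES-GCM, RSA-OAEP, the per-file key and the on-disk layout are assumptions for illustration, and the try-every-key loop in FindKey stands in for whatever matching the real portal did. Sample keys and the sample document are constructed inline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RansomedFile is the on-disk layout assumed for this example:
// the per-file AES key wrapped with the victim's RSA public key,
// followed by the AES-GCM nonce and the file ciphertext.
type RansomedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptFile plays the malware side: a fresh random AES-256 key per
// file, the file sealed with AES-GCM, and the AES key wrapped with the
// victim's RSA-2048 public key using OAEP. The matching private key
// never leaves the server.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*RansomedFile, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &RansomedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile plays the recovery side: unwrap the AES key with the RSA
// private key, then open the file. A wrong private key fails the OAEP
// check and never reaches the AES step.
func DecryptFile(priv *rsa.PrivateKey, rf *RansomedFile) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rf.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rf.Nonce, rf.Ciphertext, nil)
}

// FindKey models the portal's job with a seized key cache: locate the
// one private key that unwraps the uploaded sample file. Trying each key
// in turn is an assumption for illustration; the article does not say
// how the real portal matched a file to its key. A victim whose key was
// never on the seized server lands in the error branch.
func FindKey(cache []*rsa.PrivateKey, sample *RansomedFile) (*rsa.PrivateKey, error) {
	for _, k := range cache {
		if _, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k, sample.WrappedKey, nil); err == nil {
			return k, nil
		}
	}
	return nil, errors.New("no private key in the cache unwraps this file")
}

func main() {
	// Server side: one RSA-2048 key pair per infection (constructed here).
	victim, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // a different infection's key
	plain := []byte("Q3 forecast: constructed sample document")
	rf, _ := EncryptFile(&victim.PublicKey, plain)

	if _, err := DecryptFile(other, rf); err != nil {
		fmt.Println("wrong private key:", err)
	}
	k, _ := FindKey([]*rsa.PrivateKey{other, victim}, rf)
	got, _ := DecryptFile(k, rf)
	fmt.Println("recovered:", bytes.Equal(got, plain))
}
```

The wrong-key attempt fails at the OAEP padding check before any AES work is done, and the file comes back only once FindKey has located the victim's key in the cache; a cache that lacks it returns an error, which is exactly the position of anyone hit by the post-takedown infections.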
About 545,000 computers worldwide, around half of them in the US, were infected with CryptoLocker between September 2013 and May 2014. Victims were bilked of $27m (£16m) as a result of the malware, according to FBI estimates from June. Only 1.3 per cent of victims paid a CryptoLocker ransom, so a large number of victims have likely lost files permanently, according to Fox-IT.
Hopes that the takedown would kill off CryptoLocker have been dashed. CryptoLocker has evolved and once again started to compromise user devices, FireEye warns. The finding is backed up by third-party research over recent weeks from the likes of Sophos and Seculert.
As well as releasing the decryption tool, FireEye and Fox-IT marked the opening of the Black Hat security conference in Las Vegas by unveiling new research into the origins and spread of CryptoLocker.
It’s a CERT
In related security research news, CERT-UK coincidentally released its first quarterly report on Tuesday. The update from the UK's National Computer Emergency Response Team, which is in charge of co-ordinating cyber security incident response, focuses on threats such as the CryptoLocker/Gameover ZeuS takedown, the Heartbleed OpenSSL bug and progress in rolling out the Cyber-security Information Sharing Partnership, which 500 firms had signed up to since its launch in June 2013. Malware-related incidents accounted for more than 25 per cent of all incidents handled by CERT-UK, the round-up adds.
The full 20-page report, which also features a case study on the handling of a recent IE zero-day, is available as a PDF. ®