Feeds

Late with your ransom payment? Never mind, CryptoLocker crooks will, er, give you a break

Ransomware hoodlums let you settle your bill later... for a price

Secure remote control for conventional and virtual desktops

Crybercrooks behind the infamous file-encrypting CryptoLocker ransomware have begun offering a late payment option, which costs victim five times as much to "buy" the decryption key necessary to unscramble their encrypted files.

Previously, victims who failed to pay a $300+ ransom (up to 2 Bitcoins, $460) within three days would lose the ability to ability to retrieve a private key necessary to retrieve the encrypted files. Crooks behind the scam deleted the key or at least no longer offered it for sale. Victims without recent backups would be stuffed.

Recently the cybercrooks behind the scam set up a “CryptoLocker Decryption Service”, hosted on one of the command-and-control server’s IP addresses, and hosted in the Ukraine, according to antivirus firm Malwarebytes. This online “service” page can also be accessed through the "anonymous" Tor network on a ".onion" address, a move designed to give the site a longer lifespan and protection against DNS sinkholes.

Victims can upload one of their encrypted files in order to find the corresponding private decryption key. Only encrypted files are accepted. When a match is found, a confirmation page is displayed, along with the demand for payment of 10 Bitcoins ($2,300). The development was first reported on the Bleeping Computer's forums last weekend.

Antivirus programs attempting to remove the infection from compromised machines remove the registry key that is required to pay the ransom and decrypt the files. It seems the crooks behind the scam have latched on a way to extort even more from such individuals as well as late payers in general.

The sophisticated miscreants behind the scam are going to some lengths to avoid detection by investigators looking to identify them by following the money trail.

"For each victim, a unique Bitcoin address (where the money will be sent) is generated," writes Jerome Segura, senior security researcher at Malwarebytes. "In fact, even if you upload the same encrypted file twice, you will receive a new Bitcoin address."

The new "service" offers decryption keys after a wait of up to 24 hours.

"We're guessing that the delay is because the crooks have to run a brute force attack against themselves," writes anti-virus veteran Paul Ducklin, in a post on Sophos's Naked Security blog. "Without your public key to help them match up your keypair in their database, it sounds as though they have to try to decrypt your data with every stored private key until they hit one that produces a plausible result."

As previously reported, CryptoLocker is a particularly aggressive ransomware Trojan. It normally arrives in email as an executable file disguised as a PDF file, packed into a zip attachment.

For example, one Reg reader told us back in September that variants of the malware were spreading in the UK via email purporting to come from Companies House.

More recently CryptoLocker has been spreading as a secondary infection through the infamous ZeuS botnet.

If opened, the malware attempts to encrypt the user’s documents across both local and mapped network hard drives. The malware uses a key that is generated on a command-and-control server and sent to the infected computer. If successful, CryptoLocker will encrypt users' files using asymmetric encryption, featuring a public and private key pair.

The owner then receives a ransom demand, payable within 72 hours. Payment is made via either an anonymous pre-paid cash voucher or Bitcoin.

Victims were previously told encryption keys would be destroyed after a three-day deadline, leaving them no way to retrieve the files. "CryptoLocker is easier and cheaper to block than to heal," Malwarebytes' Segura advises. "Please exercise extreme caution before opening email attachments (one of the main infection vectors), keep your PC up-to-date, and make sure you have antivirus and anti-malware protection with real-time detection installed. Also, backing up your important data can be a life-saver." ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.