Feeds

Late with your ransom payment? Never mind, CryptoLocker crooks will, er, give you a break

Ransomware hoodlums let you settle your bill later... for a price

High performance access to file storage

Crybercrooks behind the infamous file-encrypting CryptoLocker ransomware have begun offering a late payment option, which costs victim five times as much to "buy" the decryption key necessary to unscramble their encrypted files.

Previously, victims who failed to pay a $300+ ransom (up to 2 Bitcoins, $460) within three days would lose the ability to ability to retrieve a private key necessary to retrieve the encrypted files. Crooks behind the scam deleted the key or at least no longer offered it for sale. Victims without recent backups would be stuffed.

Recently the cybercrooks behind the scam set up a “CryptoLocker Decryption Service”, hosted on one of the command-and-control server’s IP addresses, and hosted in the Ukraine, according to antivirus firm Malwarebytes. This online “service” page can also be accessed through the "anonymous" Tor network on a ".onion" address, a move designed to give the site a longer lifespan and protection against DNS sinkholes.

Victims can upload one of their encrypted files in order to find the corresponding private decryption key. Only encrypted files are accepted. When a match is found, a confirmation page is displayed, along with the demand for payment of 10 Bitcoins ($2,300). The development was first reported on the Bleeping Computer's forums last weekend.

Antivirus programs attempting to remove the infection from compromised machines remove the registry key that is required to pay the ransom and decrypt the files. It seems the crooks behind the scam have latched on a way to extort even more from such individuals as well as late payers in general.

The sophisticated miscreants behind the scam are going to some lengths to avoid detection by investigators looking to identify them by following the money trail.

"For each victim, a unique Bitcoin address (where the money will be sent) is generated," writes Jerome Segura, senior security researcher at Malwarebytes. "In fact, even if you upload the same encrypted file twice, you will receive a new Bitcoin address."

The new "service" offers decryption keys after a wait of up to 24 hours.

"We're guessing that the delay is because the crooks have to run a brute force attack against themselves," writes anti-virus veteran Paul Ducklin, in a post on Sophos's Naked Security blog. "Without your public key to help them match up your keypair in their database, it sounds as though they have to try to decrypt your data with every stored private key until they hit one that produces a plausible result."

As previously reported, CryptoLocker is a particularly aggressive ransomware Trojan. It normally arrives in email as an executable file disguised as a PDF file, packed into a zip attachment.

For example, one Reg reader told us back in September that variants of the malware were spreading in the UK via email purporting to come from Companies House.

More recently CryptoLocker has been spreading as a secondary infection through the infamous ZeuS botnet.

If opened, the malware attempts to encrypt the user’s documents across both local and mapped network hard drives. The malware uses a key that is generated on a command-and-control server and sent to the infected computer. If successful, CryptoLocker will encrypt users' files using asymmetric encryption, featuring a public and private key pair.

The owner then receives a ransom demand, payable within 72 hours. Payment is made via either an anonymous pre-paid cash voucher or Bitcoin.

Victims were previously told encryption keys would be destroyed after a three-day deadline, leaving them no way to retrieve the files. "CryptoLocker is easier and cheaper to block than to heal," Malwarebytes' Segura advises. "Please exercise extreme caution before opening email attachments (one of the main infection vectors), keep your PC up-to-date, and make sure you have antivirus and anti-malware protection with real-time detection installed. Also, backing up your important data can be a life-saver." ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.