Feeds

Late with your ransom payment? Never mind, CryptoLocker crooks will, er, give you a break

Ransomware hoodlums let you settle your bill later... for a price

Seven Steps to Software Security

Crybercrooks behind the infamous file-encrypting CryptoLocker ransomware have begun offering a late payment option, which costs victim five times as much to "buy" the decryption key necessary to unscramble their encrypted files.

Previously, victims who failed to pay a $300+ ransom (up to 2 Bitcoins, $460) within three days would lose the ability to ability to retrieve a private key necessary to retrieve the encrypted files. Crooks behind the scam deleted the key or at least no longer offered it for sale. Victims without recent backups would be stuffed.

Recently the cybercrooks behind the scam set up a “CryptoLocker Decryption Service”, hosted on one of the command-and-control server’s IP addresses, and hosted in the Ukraine, according to antivirus firm Malwarebytes. This online “service” page can also be accessed through the "anonymous" Tor network on a ".onion" address, a move designed to give the site a longer lifespan and protection against DNS sinkholes.

Victims can upload one of their encrypted files in order to find the corresponding private decryption key. Only encrypted files are accepted. When a match is found, a confirmation page is displayed, along with the demand for payment of 10 Bitcoins ($2,300). The development was first reported on the Bleeping Computer's forums last weekend.

Antivirus programs attempting to remove the infection from compromised machines remove the registry key that is required to pay the ransom and decrypt the files. It seems the crooks behind the scam have latched on a way to extort even more from such individuals as well as late payers in general.

The sophisticated miscreants behind the scam are going to some lengths to avoid detection by investigators looking to identify them by following the money trail.

"For each victim, a unique Bitcoin address (where the money will be sent) is generated," writes Jerome Segura, senior security researcher at Malwarebytes. "In fact, even if you upload the same encrypted file twice, you will receive a new Bitcoin address."

The new "service" offers decryption keys after a wait of up to 24 hours.

"We're guessing that the delay is because the crooks have to run a brute force attack against themselves," writes anti-virus veteran Paul Ducklin, in a post on Sophos's Naked Security blog. "Without your public key to help them match up your keypair in their database, it sounds as though they have to try to decrypt your data with every stored private key until they hit one that produces a plausible result."

As previously reported, CryptoLocker is a particularly aggressive ransomware Trojan. It normally arrives in email as an executable file disguised as a PDF file, packed into a zip attachment.

For example, one Reg reader told us back in September that variants of the malware were spreading in the UK via email purporting to come from Companies House.

More recently CryptoLocker has been spreading as a secondary infection through the infamous ZeuS botnet.

If opened, the malware attempts to encrypt the user’s documents across both local and mapped network hard drives. The malware uses a key that is generated on a command-and-control server and sent to the infected computer. If successful, CryptoLocker will encrypt users' files using asymmetric encryption, featuring a public and private key pair.

The owner then receives a ransom demand, payable within 72 hours. Payment is made via either an anonymous pre-paid cash voucher or Bitcoin.

Victims were previously told encryption keys would be destroyed after a three-day deadline, leaving them no way to retrieve the files. "CryptoLocker is easier and cheaper to block than to heal," Malwarebytes' Segura advises. "Please exercise extreme caution before opening email attachments (one of the main infection vectors), keep your PC up-to-date, and make sure you have antivirus and anti-malware protection with real-time detection installed. Also, backing up your important data can be a life-saver." ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.