CryptoLocker victims offered free key to unlock ransomed files

Plus: One in four CERT cases relate to malware

Security researchers have released a tool that allows victims of the infamous CryptoLocker ransomware to unlock their computers at no charge.

DecryptoLocker from net security firm FireEye and threat intelligence company Fox-IT offers a cure for the estimated 500,000 victims of CryptoLocker.

Victims need to upload a CryptoLocker-encrypted file onto the DecryptCryptoLocker portal in order to get the private keys necessary to decrypt files, as explained in a blog post by FireEye.

A FireEye spokesman told El Reg that a cache of private keys obtained from a commandeered command and control server was used to develop the decryption utility. That means CryptoLocker's encryption scheme remains unbroken, which, since it is based on best practices in cryptography otherwise used to protect e-commerce and privacy more generally, is actually a good thing.

The release of the decryption service comes around two months after a high profile FBI-led takedown operation against command nodes linked to CryptoLocker and Gameover ZeuS, a banking Trojan that also served as a conduit for the distribution of CryptoLocker.

At the time, the UK's National Crime Agency said that UK businesses and the public had a "two-week opportunity to rid and safeguard themselves" from Gameover ZeuS and CryptoLocker.

CryptoLocker first surfaced in September 2013, with P2P ZeuS (aka Gameover ZeuS) malware quickly emerging as the main distribution method. The ransomware encrypts important files such as images and documents on compromised Windows machines before demanding that victims pay up to $500 in Bitcoins within 72 hours for the private keys necessary to unlock their files.

CryptoLocker used AES symmetric cryptography to encrypt the files, and encrypted each AES key with a 2048-bit RSA public key generated on CryptoLocker's server side.
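As an added illustration (not code from the article, FireEye or Fox-IT) of the hybrid scheme just described and of the portal-style recovery step mentioned earlier, the Go program below wraps a per-file AES key under an RSA-2048 public key and then recovers the file by trying each key in a constructed stand-in for the seized private-key cache. The blob layout, AES-GCM, OAEP padding and all function names are assumptions for this example, not CryptoLocker's real format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type keyCache []*rsa.PrivateKey // stands in for the per-victim keys seized from the C&C server

func newKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // server-side key pair, one per victim
	return k
}

// wrapFile models the hybrid scheme described above: a fresh AES key per file, wrapped under
// the RSA public key. The layout (wrapped key || 12-byte nonce || AES-GCM body) is constructed.
func wrapFile(pub *rsa.PublicKey, plaintext []byte) []byte {
	aesKey, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(aesKey)
	rand.Read(nonce)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	block, _ := aes.NewCipher(aesKey)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Seal(append(wrapped, nonce...), nonce, plaintext, nil)
}

// recoverFile is the portal-style step: try each seized key on the wrapped-key header. Only
// the matching key unwraps the AES key; a wrong key fails the OAEP check and reveals nothing.
func recoverFile(cache keyCache, blob []byte) ([]byte, int, error) {
	for i, priv := range cache {
		n := priv.Size() // 256 bytes for RSA-2048
		if len(blob) < n+12 {
			break // too short to hold a wrapped key and nonce
		}
		aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:n], nil)
		if err != nil {
			continue
		}
		block, _ := aes.NewCipher(aesKey)
		gcm, _ := cipher.NewGCM(block)
		if pt, err := gcm.Open(nil, blob[n:n+12], blob[n+12:], nil); err == nil {
			return pt, i, nil
		}
	}
	return nil, -1, fmt.Errorf("no key in cache unwraps this file")
}
```

The negative path is the point of the article's "unbroken" remark: a file wrapped under a key that is not in the cache stays unreadable, which is why the seized key material, not a weakness in the cipher, is what makes recovery possible.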

About 545,000 computers worldwide, around half of them in the US, were infected with CryptoLocker between September 2013 and May 2014. Victims have been bilked of $27m (£16m) as a result of the malware, according to FBI estimates from June. In the end, 1.3 per cent of victims paid a CryptoLocker ransom, so a large number of victims likely lost their files permanently, according to Fox-IT.

Hopes that this takedown would kill off CryptoLocker have been dashed. CryptoLocker has evolved and once again started to compromise user devices, FireEye warns. This finding is backed up by third-party research over recent weeks from the likes of Sophos and Seculert.

As well as releasing the decryption tool, FireEye and Fox-IT also marked the opening of the Black Hat security conference in Las Vegas by unveiling new research into the origins and spread of CryptoLocker.

It's a CERT

In related security research news, CERT-UK coincidentally released its first quarterly report on Tuesday. The update from the UK's National Computer Emergency Response Team, which is in charge of co-ordinating cyber security incident response, focuses on threats such as the CryptoLocker/Gameover ZeuS takedown, the Heartbleed OpenSSL bug and progress in rolling out the Cyber-security Information Sharing Partnership, which 500 firms had signed up to since its launch in June 2013. Malware-related incidents accounted for more than 25 per cent of all incidents handled by CERT-UK, the round-up adds.

The full 20-page report, which also features a case study on the handling of a recent IE zero-day, can be found here (PDF). ®
