CryptoLocker victims offered free key to unlock ransomed files

Plus: One in four CERT cases relate to malware

Security researchers have released a tool that allows victims of the infamous CryptoLocker ransomware to unlock their computers at no charge.

DecryptCryptoLocker, from net security firm FireEye and threat intelligence company Fox-IT, offers a cure for the estimated 500,000 victims of CryptoLocker.

Victims need to upload a CryptoLocker-encrypted file to the DecryptCryptoLocker portal in order to obtain the private keys necessary to decrypt their files, as explained in a blog post by FireEye.

A FireEye spokesman told El Reg that a cache of private keys obtained from a commandeered command and control server was used to develop the decryption utility. That means CryptoLocker's encryption scheme itself remains unbroken; since it is built on the same cryptographic best practices that protect e-commerce and privacy more generally, that is actually a good thing.

The release of the decryption service comes around two months after a high profile FBI-led takedown operation against command nodes linked to CryptoLocker and Gameover ZeuS, a banking Trojan that also served as a conduit for the distribution of CryptoLocker.

At the time, the UK's National Crime Agency said that UK businesses and the public had a "two-week opportunity to rid and safeguard themselves" from Gameover ZeuS and CryptoLocker.

CryptoLocker first surfaced in September 2013, with P2P ZeuS (aka Gameover ZeuS) malware quickly emerging as the main distribution method. The ransomware encrypts important files such as images and documents on compromised Windows machines before demanding that victims pay up to $500 in Bitcoin within 72 hours for the private keys necessary to unlock the files.

CryptoLocker uses AES symmetric cryptography to encrypt the files, and encrypts the AES key with a 2048-bit RSA public key generated on CryptoLocker's server side.

About 545,000 computers worldwide, around half of them in the US, were infected with CryptoLocker between September 2013 and May 2014. Victims were bilked of $27m (£16m) as a result of the malware, according to FBI estimates from June. Only 1.3 per cent of victims paid a CryptoLocker ransom, so a large number of victims likely lost files permanently as a result of this attack, according to Fox-IT.

Hopes that the takedown would kill off CryptoLocker have been dashed: CryptoLocker has evolved and once again started to compromise user devices, FireEye warns. This finding is backed up by third-party research over recent weeks from the likes of Sophos and Seculert.

As well as releasing the decryption tool, FireEye and Fox-IT also marked the opening of the Black Hat security conference in Las Vegas by unveiling new research into the origins and spread of CryptoLocker.

It's a CERT

In related security research news, CERT-UK coincidentally released its first quarterly report on Tuesday. The update from the UK's National Computer Emergency Response Team, which is in charge of co-ordinating cyber security incident response, focuses on threats such as the CryptoLocker/Gameover ZeuS takedown, the Heartbleed OpenSSL bug and progress in rolling out the Cyber-security Information Sharing Partnership, which 500 firms have signed up to since its launch in June 2013. Malware-related incidents accounted for more than 25 per cent of all incidents handled by CERT-UK, the round-up adds.

The full 20-page report, which also features a case study on the handling of a recent IE zero-day, can be found here (PDF). ®
