Attacker Decrypts Computers Infected with Locker Ransomware

Someone claiming to be the creator of a new crypto-ransomware strain has posted the decryption keys to an upload site and apologized for releasing the malware.

The author of Locker also said the ransomware was to begin deactivating itself starting at midnight, but experts at KnowBe4, who reported on the malware last week, won't know until later today whether that is indeed the case, a representative told Threatpost.

A database containing the Bitcoin address where payments were to be made, along with the public and private keys, was uploaded as a CSV file, a post to Pastebin from the alleged author says. Details on the structure of the encrypted files were also provided.

“This is a dump of the complete database and most of the keys weren’t even used,” the post says. “All distribution of new keys has been stopped.”

The post also says that automatic decryption of any infected computers was to begin at midnight.

KnowBe4 CEO Stu Sjouwerman speculates in a blog post that the author has either made enough money with this campaign, is close to being caught by law enforcement, or is under pressure from rival criminals.

KnowBe4 said Locker lay dormant on compromised machines until midnight on May 25, when it activated and began encrypting files, behaving similarly to CryptoLocker. The Locker malware was spread via malvertising campaigns that redirected users to exploit kits, and possibly via a compromised Minecraft installer, the company said.

Locker targets Windows machines and a slew of file types, including .doc, .docx, .xlsx, .ppt, .wmdb, .ai, .jpg, .psd, .nef, .odf, .raw, .pem, .rtf, .raf, .dbf, .header and .odb. KnowBe4 said Locker does not change the file extension on encrypted files, so victims only notice the damage when they see error messages as they try to open the files.
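Because Locker is reported to encrypt files in place without renaming them, the visible symptom is a .docx or .jpg that still carries its old extension but no longer opens. The following Python script is an added example (not KnowBe4's code and not derived from the Locker sample) that turns that symptom into a triage check for a user's home directory: for each file whose extension is on the list above, it compares the leading bytes with the format's public signature and measures the Shannon entropy of the first 4 KiB; a mismatched signature together with ciphertext-like entropy flags the file. The signature table, the 7.5 bits/byte threshold and the sample directory are assumptions constructed here for demonstration, not anything the article documents about Locker.

```python
"""Flag files whose extension no longer matches their content.

Added example for the Locker write-up; not code from KnowBe4 or the
malware author. Generalizes the "encrypted in place, extension unchanged"
symptom into a magic-byte plus entropy check. The signature table and
threshold are this example's assumptions, taken from public format specs.
"""
import math
import os
import random
import tempfile
from collections import Counter

# Expected leading bytes for a subset of the extensions the article lists
# (ZIP-based Office formats, legacy OLE2 Office files, JPEG, PSD, RTF, PEM).
MAGIC = {
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".ppt":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".psd":  [b"8BPS"],
    ".rtf":  [b"{\\rtf"],
    ".pem":  [b"-----BEGIN "],
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; random ciphertext sits near 8.0
SAMPLE_SIZE = 4096


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_file(path):
    """Return a verdict dict for one file based on its first SAMPLE_SIZE bytes."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    magic_ok = any(head.startswith(m) for m in MAGIC.get(ext, []))
    entropy = shannon_entropy(head)
    # Only extensions we know a signature for can be judged; a compressed
    # container such as .docx has high entropy too, so the signature check is
    # what separates "intact archive" from "encrypted blob".
    suspicious = ext in MAGIC and not magic_ok and entropy > ENTROPY_THRESHOLD
    return {"path": path, "ext": ext, "magic_ok": magic_ok,
            "entropy": entropy, "suspicious": suspicious}


def scan_tree(root):
    """Walk root and return verdicts for every regular file, sorted by path."""
    verdicts = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            verdicts.append(check_file(os.path.join(dirpath, name)))
    return sorted(verdicts, key=lambda v: v["path"])


def build_sample_dir():
    """Constructed sample tree: two intact files, two 'encrypted in place'."""
    rng = random.Random(2015)  # fixed seed so the demo is reproducible
    noise = bytes(rng.getrandbits(8) for _ in range(SAMPLE_SIZE))
    root = tempfile.mkdtemp(prefix="locker_triage_")
    samples = {
        # intact ZIP-based document: high entropy but correct signature
        "budget.xlsx": b"PK\x03\x04" + noise,
        # intact JPEG: correct signature, low entropy body
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 512,
        # same extensions, but the contents were overwritten with ciphertext
        "report.docx": noise,
        "notes.doc": noise[::-1],
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample tree, scan it and return the flagged file names."""
    root = build_sample_dir()
    return sorted(os.path.basename(v["path"])
                  for v in scan_tree(root) if v["suspicious"])


if __name__ == "__main__":
    for v in scan_tree(build_sample_dir()):
        print(f"{os.path.basename(v['path']):12} magic_ok={v['magic_ok']!s:5} "
              f"entropy={v['entropy']:.2f} suspicious={v['suspicious']}")
```

Run it against a real profile directory by passing the path to `scan_tree()`. Expect some false negatives: formats not in the table are skipped entirely, and a ransomware family that keeps the original header and encrypts only the body would pass the signature check, so the entropy of a later slice of the file would have to be sampled as well.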

Unlike other ransomware strains charging $500 or more to decrypt files, Locker was seeking 0.1 Bitcoin, around $30 USD. None of the victims, however, have been refunded, KnowBe4 said.

“If you build code like this, you know very well what you are doing. The fact it was built as a ‘sleeper’ shows months-long careful planning,” Sjouwerman said. “The other point is that if he would really have genuine remorse, everyone would get refunded which does not seem to have happened. It is also not clear if current infection vectors have been turned off or not.”

Sjouwerman said this could be the author’s first foray into malware development.

“What we can assume is that he is a talented coder but not an experienced cyber criminal because a foul-up like this would never have happened with professional Eastern European organized cybercrime,” Sjouwerman said. “He may have worked as a developer for one of these gangs and decided to start his own outfit which backfired.”

Provided from: Techcrunch.