CryptoLocker crooks charge 10 Bitcoins for second-chance decryption service

Analysis
Nov 04, 2013 · 4 mins
Cybercrime, Data and Information Security, DLP Software

Victims of the CryptoLocker ransomware are being gouged with extortion again, this time as a second-chance decryption service offer that costs five times the original ransom.

If you don’t win an online auction, you sometimes receive a “second chance offer” at whatever your highest bid was. Extortion doesn’t work that way, as the newest second-chance scheme from the cybercrooks behind CryptoLocker shows: the decryption service costs five times what it would have cost to free your files from the ransomware in the first place.

Bitdefender Labs offers a CryptoLocker-blocking tool (exe), but otherwise people with infected systems are given three days to pay up; it costs two Bitcoins to have their encrypted files decrypted. Across the board, security experts say don’t pay.

Some victims who were unlucky enough to be zapped by CryptoLocker have been able to recover some files using the Volume Shadow Copy Service in Windows. “However, even users who have backups might realize that they’re not enough to repair the damage done by the malware. Those backups might be too old or they might not include files from remote network shares that have also been encrypted by the malware.”
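Recovering a pre-infection copy of a file from the Volume Shadow Copy Service is the one self-help route the text mentions, so here is an added example of how to do it programmatically; it is not code from the original post or from Bitdefender. It wraps `vssadmin list shadows` (which needs an elevated prompt on Windows), parses the listing, picks the newest snapshot that predates the infection, and copies the file straight from the shadow device path. The sample listing, hostname, GUIDs and the US-locale timestamp format are constructed for the example.

```python
"""Locate a pre-infection Volume Shadow Copy and copy a file back out of it.

Windows-only at run time (vssadmin needs an elevated prompt); the parser and
path logic run anywhere and are exercised against a constructed sample below.
"""
import re
import shutil
import subprocess
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output (US-locale timestamps,
# made-up GUIDs and hostname); not a capture from a real machine.
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {0a1b2c3d-0000-1111-2222-333344445555}
   Contained 1 shadow copies at creation time: 10/28/2013 8:02:11 PM
      Shadow Copy ID: {aaaaaaaa-0000-1111-2222-333344445555}
         Original Volume: (C:)\\?\Volume{bbbbbbbb-0000-1111-2222-333344445555}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION01
         Type: ClientAccessibleWriters

Contents of shadow copy set ID: {0a1b2c3d-0000-1111-2222-333344446666}
   Contained 1 shadow copies at creation time: 11/2/2013 9:30:00 AM
      Shadow Copy ID: {cccccccc-0000-1111-2222-333344445555}
         Original Volume: (C:)\\?\Volume{bbbbbbbb-0000-1111-2222-333344445555}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Originating Machine: WORKSTATION01
         Type: ClientAccessibleWriters
"""

CREATED_RE = re.compile(r"creation time: (.+?)\s*$")
VOLUME_RE = re.compile(r"Original Volume: \((\w:)\)")
DEVICE_RE = re.compile(r"Shadow Copy Volume: (\S+)")
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumption: US-locale vssadmin output


def parse_shadow_copies(text):
    """Return [{'drive', 'created', 'device'}] in listing order."""
    copies, created = [], None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:
            created = datetime.strptime(m.group(1), TIME_FORMAT)
            continue
        m = VOLUME_RE.search(line)
        if m:
            copies.append({"drive": m.group(1).upper(), "created": created, "device": None})
            continue
        m = DEVICE_RE.search(line)
        if m and copies:
            copies[-1]["device"] = m.group(1)
    return copies


def newest_before(copies, drive, infected_at):
    """Newest shadow copy of `drive` taken before the infection timestamp, or None."""
    candidates = [c for c in copies
                  if c["drive"] == drive.upper() and c["device"] and c["created"] < infected_at]
    return max(candidates, key=lambda c: c["created"], default=None)


def shadow_path(copy, local_path):
    """Map a local path (drive letter first) onto the same path inside the shadow device."""
    drive, rest = local_path[:2], local_path[2:]
    if drive.upper() != copy["drive"]:
        raise ValueError("%s is not on %s" % (local_path, copy["drive"]))
    return copy["device"] + rest


def recover(local_path, dest, infected_at):
    """Run vssadmin (elevated, Windows) and copy the pre-infection version of one file."""
    listing = subprocess.run(["vssadmin", "list", "shadows"],
                             capture_output=True, text=True, check=True).stdout
    copy = newest_before(parse_shadow_copies(listing), local_path[:2], infected_at)
    if copy is None:
        raise RuntimeError("no shadow copy of that volume predates the infection")
    shutil.copy2(shadow_path(copy, local_path), dest)  # Windows opens the device path directly
    return copy


if __name__ == "__main__":
    # Hypothetical file encrypted on 1 Nov 2013: pull the version from the last good snapshot.
    print(recover(r"C:\Users\bob\Documents\report.docx",
                  r"C:\Recovered\report.docx", datetime(2013, 11, 1)))
```

Run it only after the infection has been removed or from a clean boot, or the malware will simply encrypt the restored copy too. Shadow copies cover local volumes only, which is why the backups quoted above do nothing for encrypted network shares; the same snapshot logic has to be applied on the file server. VSS also discards older sets to reclaim space, in which case `newest_before` returns `None` and there is nothing to pull.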

Enter the new second chance CryptoLocker Decryption Service. Bleeping Computer warned that the penalty is steep and the cost for CryptoLocker decryption service “significantly increased from 2 bitcoins to 10 bitcoins. With the current price of bitcoins at around $212 USD the ransom has increased from around $400 USD to over $2,100 USD.” At the time of writing, the “simple Bitcoin converter” quoted 10 Bitcoins as being equal to $2,261.

For those users who are affected by CryptoLocker and did not have a backup, trying to pay the ransom has been a difficult process. This is because antivirus programs remove the infection or the registry key that is required to pay the ransom and decrypt the files. It appears that the malware developers were listening, as they have now implemented a decryption service that is designed to look like a customer support site. This service is available by connecting directly to a Command & Control server’s IP address or hostname or through Tor via the f2d2v7soksbskekh.onion/ address.

The CryptoLocker Decryption Service notice states:

This service allow you to purchase private key and decrypter for files encrypted by CryptoLocker.

If you already purchased private key using CryptoLocker, then you can download private key and decrypter for FREE.

Select any encrypted file and click “Upload” button. The first 1024 bytes of the file will be uploaded to the server for search the associated private key. The search can take up to 24 hours.

IMMEDIATELY AFTER UPLOADING FILE TO THE SERVER, YOU RECEIVE YOUR ORDER NUMBER. YOU CAN USE THIS NUMBER TO CHECK STATUS OF ORDER.

OR if you already know your order number, you may enter it into the form below.

As of today, Nov. 4, Bleeping Computer reports, “The decryption service now still allows you to pay 2 bitcoins during your normal 3 day timer period. After that period, the price increases to 10 bitcoins.”

Kaspersky Lab expert Costin Raiu previously explained that researchers sinkholed three domains that served as C&C servers for the malware, but so far no one has cracked the CryptoLocker encryption to fully recover all files. However, as Sophos pointed out, “the crooks’ original claim was bogus all along.” That claim, from the original ransom note, read:

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files.
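Why the decryption service needs only the first 1024 bytes of a file, and why its existence undercuts the “key will be destroyed” claim above, is easiest to see with a working model. The following is an added example, not CryptoLocker’s code and not a description of its real file format: the header layout, the 128-bit toy RSA keys and the SHA-256 keystream cipher are stand-ins chosen so it runs with the Python standard library alone. What it shows is the generic structure of hybrid ransomware: a per-victim key pair whose private half stays with the crooks, a file key wrapped with the public half and stored in the file header, and a server-side lookup keyed on a hash of the public key.

```python
"""Toy model of a ransomware key-escrow service that locates a victim's private
key from the first bytes of an encrypted file. Not CryptoLocker's code or
format: the header layout, the 128-bit toy RSA and the SHA-256 keystream are
assumed stand-ins so the model runs on the standard library only.
"""
import hashlib
import secrets

E = 65537
MAGIC = b"TOYLOCK1"                                  # assumed 8-byte header tag
KEY_ID_LEN, WRAPPED_LEN, FILE_KEY_LEN = 32, 32, 16
HEADER_LEN = len(MAGIC) + KEY_ID_LEN + WRAPPED_LEN   # 72 bytes, well inside the first 1024


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; adequate for a demo, not a production prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if (c - 1) % E and _is_probable_prime(c):   # keep gcd(E, p-1) == 1
            return c


def generate_victim_keypair(bits=128):
    """Textbook RSA, tiny and unpadded: one key pair per victim for the model."""
    p, q = _random_prime(bits), _random_prime(bits)
    while q == p:
        q = _random_prime(bits)
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def key_id(pub):
    """Server-side index: a hash of the public key, also written into every file header."""
    n, e = pub
    return hashlib.sha256(n.to_bytes(32, "big") + e.to_bytes(4, "big")).digest()


def _keystream_xor(key, data):
    """Toy stream cipher: SHA-256(key || block counter) XORed over 32-byte blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def register_victim(escrow):
    """Crooks' side: mint a key pair, keep the private half, hand out the public half."""
    pub, priv = generate_victim_keypair()
    escrow[key_id(pub)] = priv
    return pub


def encrypt_file(pub, plaintext):
    """Malware side: random file key, wrapped with the victim's public key, in the header."""
    n, e = pub
    file_key = secrets.token_bytes(FILE_KEY_LEN)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n).to_bytes(WRAPPED_LEN, "big")
    return MAGIC + key_id(pub) + wrapped + _keystream_xor(file_key, plaintext)


def service_lookup(escrow, first_bytes):
    """Service side: the header alone identifies which escrowed private key to use."""
    if len(first_bytes) < HEADER_LEN or not first_bytes.startswith(MAGIC):
        return None
    return escrow.get(first_bytes[len(MAGIC):len(MAGIC) + KEY_ID_LEN])


def destroy_key(escrow, kid):
    """What the ransom note promised would happen after the deadline."""
    escrow.pop(kid, None)


def decrypt_file(blob, priv):
    """Unwrap the file key with the private half, then undo the keystream."""
    n, d = priv
    wrapped = blob[len(MAGIC) + KEY_ID_LEN:HEADER_LEN]
    file_key = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(FILE_KEY_LEN, "big")
    return _keystream_xor(file_key, blob[HEADER_LEN:])
```

A lookup that still succeeds after the three-day timer has expired means `destroy_key` was never called on that entry; the only thing that expired was the price. The toy RSA is unpadded and far too small for real use; it is there to make the key-wrapping step visible, not to be reused.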

For more about CryptoLocker, consider reading: How to avoid getting infected and what to do if you are.

Meanwhile, other security professionals have diverted their attention elsewhere, debating the reality and capabilities of the scary BIOS-level malware badBIOS.


Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.