updated 11:59 am EDT, Wed August 6, 2014
Decrypt CryptoLocker to help recover files lost to malware
Victims of the CryptoLocker ransomware may be able to unlock their files without having to pay. Security experts from FireEye and Fox IT are hosting Decrypt CryptoLocker, a site dedicated to providing keys for affected systems, allowing users who chose not to pay the malware creators' ransom demand to recover their encrypted files.
CryptoLocker operated by infecting a system, encrypting the majority of files on the computer's built-in storage and other connected drives. Victims had up to 72 hours to pay the ransom, typically around $500 in various currencies including Bitcoin, in order to receive the key to unlock files. According to the BBC, a database of victims was being transferred between the criminals in an effort to avoid the list falling into the hands of law enforcement, but security researchers monitored traffic in the botnet and made a copy of the transmitted data.
The Decrypt CryptoLocker site requires victims to submit one encrypted file and an e-mail address; the site then hands a recovery program and a master decryption key to the user at no charge. "All they have to do is submit a file that's been encrypted, from that we can figure out which encryption key was used," FireEye chief technology officer Greg Day told the BBC.
While estimates for ransoms paid to the group behind the malware exceed $100 million, the seized database suggests that far less was actually paid. Only 1.3 percent of infected systems resulted in a ransom payment, likely from users who were not able to restore data from backups, putting the total earned from CryptoLocker at around $3 million. The amount earned from other malware, including "Gameover Zeus", is unknown, as is the cost to users and businesses affected by the malware.
Despite the efforts of security teams, such encryption-based ransomware is still being employed by criminals. The most recent instance, SynoLocker, works in a similar way by infecting some Synology NAS servers using older firmware and encrypting stored data, before demanding 0.6 bitcoin ($350) to release a key. Unfortunately, affected Synology users are not able to use this recovery method.