We have spoken a bit about the ransomware CryptoLocker in previous posts. The creators of the malware had an interesting “feature” – in case CryptoLocker is removed by either the user or the antivirus software, it sets the desktop background to an image which includes the URL of the current command and control server so that users can re-infect their machine (i.e. to pay the ransom).
Unfortunately this didn’t always work as planned, especially if the antivirus software removed CryptoLocker’s registry entries, with the new invocation of the malware simply encrypting the files again. The malware’s authors had promised to make a decryption tool available for their “customers” and indeed, it appears they have indeed come through.
Hosted as a tor hidden service (aka an .onion site) the web interface allows affected users to submit a sample of a file that CryptoLocker has encrypted, pay the ransom and receive a decryption tool. This in itself is not that interesting.
What is interesting is that one of CryptoLocker’s most prominent features was a countdown timer that gave the user a limited amount of time (72 hours) to pay the ransom lest “the server will destroy the key after the time specified in this window.”
The creators behind the software must have realized that this wasn’t such a great business model, considering some people may have called their bluff and assumed the data could be trivially recovered by a competent IT consultant. The net result would be people contacting the authors (and the malware authors have been very active indeed, trolling IT help forums for their “customers” and providing “advice” when required) quite desperate to get their data back despite the time period they were given for recovery being exhausted. The whole claim by the malware that they would permanently delete the keys after just 72 hours seemed fishy from the beginning. After all, there is no logical reason as to why you would purge them.
The new decryption website now offers to retrieve keys that have gone past the deadline for the princely sum of 10 BTC (that’s almost $2,500 at the time of writing). The original ransom demand was a comparatively paltry 2 BTC.
UPDATE: Additional coverage of the “late payment” development: The Register ; Naked Security ; Krebs On Security
Mike the Crypto Goat 