CryptoLocker creators try to extort even more money from victims with new service

Users who removed the original malware infection, intentionally or not, are asked to pay five times more to recover their files

The creators of CryptoLocker, a piece of malware that encrypts user data and holds it for ransom, are giving users who removed the malicious program from their computers a second chance to recover their files, but at a much higher cost.

CryptoLocker is a malicious program that falls into a category of malware called ransomware. Once installed on a computer, ransomware applications typically prevent victims from accessing their files or even their operating system until they pay money to the malware authors.

Security researchers generally advise users against giving in to this kind of extortion, and in many cases there is a way to regain access to everything without paying up.

However, CryptoLocker uses solid public-private key cryptography to encrypt files that match a long list of extensions, including documents, spreadsheets, images and even AutoCAD design files. According to researchers from antivirus firm Sophos, the malware's creators got the encryption process right and there's no method to get the decryption keys, which are unique for every computer and are stored on attackers' servers, without paying up.

After it infects a computer, CryptoLocker displays a message informing victims that if they don't pay the equivalent of US$300 or €300 in Bitcoins, a virtual currency, or via MoneyPak, a type of prepaid card, within 72 hours, the unique decryption key for the files will be automatically destroyed.

Users who regularly back up their data can clean their computers and restore the affected files from backups, but users who don't have backups should consider those files lost, the Sophos researchers said.

Some files might be recoverable using the Shadow Copy technology, which is an integral part of the System Restore feature in Windows.

However, even users who have backups might realize that they're not enough to repair the damage done by the malware. Those backups might be too old or they might not include files from remote network shares that have also been encrypted by the malware.

It seems that the creators of CryptoLocker considered that possibility and realized that some users might have initially removed the malware, but then, for whatever reason, changed their mind about paying up. As a result, they've recently started offering an online decryption service that allows such users to still recover their files, but at a much higher price.

"Apparently the crooks will now let you buy back your key even if you didn't follow their original instructions," Paul Ducklin, the head of technology for the Asia-Pacific region at Sophos, said Monday in a blog post. "Word on the street, however, is that the crooks want five times as much as they were charging originally to decrypt your data after you change your mind."

The service costs 10 Bitcoins -- around $2,300 at the current Bitcoin exchange rate -- and requires users to upload one of their encrypted files. The first 1024 bytes of the file will be used to search for the associated private key, a process that can take up to 24 hours.

"We're guessing that the delay is because the crooks have to run a brute force attack against themselves," Ducklin said. "Without your public key to help them match up your keypair in their database, it sounds as though they have to try decrypting your data with every stored private key until they hit one that produces a plausible result."

However, it's not immediately clear whether using this service is still possible after the initial 72-hour deadline given by the malware. If it is, then the cybercriminals lied and the private keys are not being destroyed after that time period.

This decryption service might have also been created for users whose antivirus programs detected and deleted the malware after it encrypted the files, leaving them unable to buy the decryption key anymore.

"We're still saying, 'don't buy,' but we're feeling your pain enough to know how tempting it will be for some people to pay the crooks, even though the blackmail charges have now ballooned to more than $2,000," Ducklin said.

Lucian Constantin

IDG News Service