CryptoLocker victims can now get their locked files back without paying any ransom. This has come as a big relief to almost 500,000 people whose computers have been infected with the malware.
What is CryptoLocker
CryptoLocker ransomware has been in the limelight throughout this year. From the GOZ (GameOver Zeus) botnet being taken down by the authorities to a new version reappearing, the malware has hardly been out of the news.
This Windows-based malware reaches the target machine through watering hole or phishing attacks. Once it is on the system, it encrypts a number of important files on the victim's machine. When the user tries to access these files, a ransom is demanded in exchange for the key to the encrypted files. Users are typically given a 72-hour period to pay the ransom, often in bitcoin, which currently stands at about $580. An onscreen timer counts down the 72 hours. Once the payment is made, the victim receives the key.
A statement from Dell SecureWorks in December 2013 revealed that the malware had infected 250,000 machines by then. Although the US Department of Justice announced that the malware had been eliminated, a number of affected users who didn't pay the ransom had still not regained access to their encrypted files.
Freeing the Resources
One of the major breakthroughs came with Operation Tovar, which was initiated by FireEye. While it took down a majority of the hackers' infrastructure, a number of computers are still infected with the ransomware. Several key resources have also emerged to unlock the files encrypted by the attackers.
In a significant development, the FBI charged a Russian hacker as the mastermind behind the ransomware. Evgeniy Bogachev, aka "lucky12345" and "slavik", has been identified as the leader of the group responsible for CryptoLocker and GOZ.
A large number of the malware's victims are online banking users. Relief for infected users came in the form of an online portal, Decrypt CryptoLocker. Created by FireEye and Fox-IT, it has helped a number of users by providing them with decryption keys. According to Michael Sandee, Fox-IT's principal analyst, their teams were able to build the portal because they gained access to the database of victims affected by this malware.
To use the Decrypt CryptoLocker tool, users follow these steps:
• Start with a single malware-encrypted file that doesn't contain any critical information
• Upload this file to the portal
• The portal generates a private key along with a link that redirects the user to the download page for Decryptolocker.exe. They can download this tool to use it offline on their computer
• Run the tool on the computer, supplying the private key provided in the previous step.
While using this portal, users don't have to submit any personal information apart from their email address and an encrypted file that doesn't hold any critical information. The companies have said that they will not use the email address for any commercial or marketing purposes.
The Director of Threat Intelligence at FireEye, Darien Kindlund, said that he is happy that the free resource has helped a number of users affected by this malware. He further added that his organization is ready to fight any cyber breach and they would ensure that businesses can continue to operate to their full potential without the worry of such attacks.
Availability of Decrypt CryptoLocker
The online portal is available to users across the globe. While it has worked wonders for many users, it may not be able to decrypt every affected file, because the malware has a number of variants. Since the variants use different techniques for encrypting files, it is difficult for Decrypt CryptoLocker to find the correct key for every file.
If you have multiple infected machines, you have to repeat the process for every machine. The portal carries a clear warning: "You should only upload encrypted files that do not contain any sensitive or personally identifiable information."
The hackers' estimated income of $3 million could have been much higher if more people had agreed to pay the ransom. So far, only about 1.3 percent of infected users have actually paid the amount the hackers demanded.
Others who refused to pay lost critical information in the form of files and documents. According to Sandee, the total amount paid to the hackers is difficult to calculate because part of it was paid in bitcoin, which has a volatile exchange rate.