The creators of CryptoLocker, a piece of malware that encrypts user data and holds it for ransom, are giving users who removed the malicious program from their computers a second chance to recover their files, but at a much higher cost.
CryptoLocker is a malicious program that falls into a category of malware called ransomware. Once installed on a computer, ransomware applications typically prevent victims from accessing their files or even their operating system until they pay money to the malware authors.
Security researchers generally advise users against giving in to this kind of extortion, and in many cases there is a way to regain access to everything without paying up.
However, CryptoLocker uses solid public-private key cryptography to encrypt files that match a long list of extensions, including documents, spreadsheets, images and even AutoCAD design files. According to researchers from antivirus firm Sophos, the malware’s creators got the encryption process right and there’s no method to get the decryption keys, which are unique for every computer and are stored on attackers’ servers, without paying up.
After it infects a computer, CryptoLocker displays a message informing victims that if they don’t pay the equivalent of $300 or €300 in Bitcoins, a virtual currency, or via MoneyPak, a type of prepaid card, within 72 hours, the unique decryption key for the files will be automatically destroyed.
Users who regularly back up their data can clean their computers and restore the affected files from backups, but users who don’t have backups should consider those files lost, the Sophos researchers said.
Some files might be recoverable using the Shadow Copy technology, which is an integral part of the System Restore feature in Windows.
However, even users who have backups might realize that they’re not enough to repair the damage done by the malware. Those backups might be too old or they might not include files from remote network shares that have also been encrypted by the malware.
It seems that the creators of CryptoLocker considered that possibility and realized that some users might have initially removed the malware, but then, for whatever reason, changed their mind about paying up. As a result, they’ve recently started offering an online decryption service that allows such users to still recover their files, but at a much higher price.
“Apparently the crooks will now let you buy back your key even if you didn’t follow their original instructions,” Paul Ducklin, the head of technology for the Asia-Pacific region at Sophos, said Monday in a blog post. “Word on the street, however, is that the crooks want five times as much as they were charging originally to decrypt your data after you change your mind.”
Using the service costs 10 Bitcoins, around $2300 at the current Bitcoin exchange rate, and requires users to upload one of their encrypted files. The first 1024 bytes of the file will be used to search for the associated private key, a process that can take up to 24 hours.
“We’re guessing that the delay is because the crooks have to run a brute force attack against themselves,” Ducklin said. “Without your public key to help them match up your keypair in their database, it sounds as though they have to try decrypting your data with every stored private key until they hit one that produces a plausible result.”
However, it’s not immediately clear whether using this service is still possible after the initial 72-hour deadline given by the malware. If it is, then the cybercriminals lied and the private keys are not being destroyed after that time period.
This decryption service might have also been created for users whose antivirus programs detected and deleted the malware after it encrypted the files, leaving them unable to buy the decryption key anymore.
“We’re still saying, ‘don’t buy,’ but we’re feeling your pain enough to know how tempting it will be for some people to pay the crooks, even though the blackmail charges have now ballooned to more than $2000,” Ducklin said.