Crybercrooks behind the infamous file-encrypting CryptoLocker ransomware have begun offering a late payment option, which costs victim five times as much to "buy" the decryption key necessary to unscramble their encrypted files.
Previously, victims who failed to pay a $300+ ransom (up to 2 Bitcoins, $460) within three days would lose the ability to ability to retrieve a private key necessary to retrieve the encrypted files. Crooks behind the scam deleted the key or at least no longer offered it for sale. Victims without recent backups would be stuffed.
Recently the cybercrooks behind the scam set up a “CryptoLocker Decryption Service”, hosted on one of the command-and-control server’s IP addresses, and hosted in the Ukraine, according to antivirus firm Malwarebytes. This online “service” page can also be accessed through the "anonymous" Tor network on a ".onion" address, a move designed to give the site a longer lifespan and protection against DNS sinkholes.
Victims can upload one of their encrypted files in order to find the corresponding private decryption key. Only encrypted files are accepted. When a match is found, a confirmation page is displayed, along with the demand for payment of 10 Bitcoins ($2,300). The development was first reported on the Bleeping Computer's forums last weekend.
Antivirus programs attempting to remove the infection from compromised machines remove the registry key that is required to pay the ransom and decrypt the files. It seems the crooks behind the scam have latched on a way to extort even more from such individuals as well as late payers in general.
The sophisticated miscreants behind the scam are going to some lengths to avoid detection by investigators looking to identify them by following the money trail.
"For each victim, a unique Bitcoin address (where the money will be sent) is generated," writes Jerome Segura, senior security researcher at Malwarebytes. "In fact, even if you upload the same encrypted file twice, you will receive a new Bitcoin address."
The new "service" offers decryption keys after a wait of up to 24 hours.
"We're guessing that the delay is because the crooks have to run a brute force attack against themselves," writes anti-virus veteran Paul Ducklin, in a post on Sophos's Naked Security blog. "Without your public key to help them match up your keypair in their database, it sounds as though they have to try to decrypt your data with every stored private key until they hit one that produces a plausible result."
As previously reported, CryptoLocker is a particularly aggressive ransomware Trojan. It normally arrives in email as an executable file disguised as a PDF file, packed into a zip attachment.
For example, one Reg reader told us back in September that variants of the malware were spreading in the UK via email purporting to come from Companies House.
More recently CryptoLocker has been spreading as a secondary infection through the infamous ZeuS botnet.
If opened, the malware attempts to encrypt the user’s documents across both local and mapped network hard drives. The malware uses a key that is generated on a command-and-control server and sent to the infected computer. If successful, CryptoLocker will encrypt users' files using asymmetric encryption, featuring a public and private key pair.
The owner then receives a ransom demand, payable within 72 hours. Payment is made via either an anonymous pre-paid cash voucher or Bitcoin.
Victims were previously told encryption keys would be destroyed after a three-day deadline, leaving them no way to retrieve the files. "CryptoLocker is easier and cheaper to block than to heal," Malwarebytes' Segura advises. "Please exercise extreme caution before opening email attachments (one of the main infection vectors), keep your PC up-to-date, and make sure you have antivirus and anti-malware protection with real-time detection installed. Also, backing up your important data can be a life-saver." ®