This article is more than 1 year old
Cyber-crypto-criminal-cock-up. Little money and (probably) embarrassed
Ransomware coding fail foils fraudsters
A newly released crypto-ransomware strain has been broken, thus allowing victims — in over two out of three cases — to get back their data without paying.
The Scraper ransomware has a flaw, meaning that in about 70 per cent of cases files can be decrypted, according to Kaspersky Labs, with the Russian security firm publishing a free decryption utility.
Of course, it's a lot better not to get infected in the first place but for those who do get hit the utility offers the chance to save $300.
Scraper (AKA TorLocker) first appeared in an attack against Japanese users last October. Scraper, which later appeared in an English language version, encrypts the victim's documents and demands a ransom ($300 or greater, payable in BitCoin or UKash) to decrypt them.
More specifically, the malware encrypts the user's office documents, video and audio files, images, archives, databases, backup copies, virtual machines encryption keys, certificates and other files on all hard and network drives. It also deletes all system recovery points. Scraper only infects Windows machines.
The user's files are encrypted using AES-256 with a randomly generated one-time key; an individual encryption key is created for each file. Kaspersky Labs doesn't say where this process went wrong, though other experts have their theories, but in any case clearly mistakes have been made, or else recovery would in all cases be impractical.
"Although Scraper encrypts all files with AES-256 + RSA-2048, in 70 per cent plus cases they can be decrypted because of the errors made during the implementation of cryptography algorithms," Kaspersky researchers Victor Alyushin and Fedor Sinitsyn explain.
A blog post by Kaspersky Lab explains the various features of the malware in greater depth.
The success of the notorious CryptoLocker ransomware has spawned several similar scams, such as CTB-Locker and Scarper.
Scraper's builder (i.e. the program with which to create new samples of the Trojan with specified configuration) was distributed via a partnership program. Kasperky Lab researchers found two posts about selling the builder for TorLocker 2.0 in the recently dismantled Evolution underground store. The listing attracted 11 mostly positive eBay-style reviews between May 2014 and January 2015.
This is further evidence, should it be needed, of the dumbing down of cybercrime to the point where there's no requirement for would-be crybercrooks to know anything about coding before running malware-based scams.
Isolated crypto mistakes in ransomware code have been seen before. If history is any guide, cybercrooks will find a way to correct their mistakes before releasing improve code. Any respite for Scraper slinging scammers (which even now is only partial) is likely to be strictly temporary. ®