Slashdot Mirror


Ransomware Creator Apologizes For "Sleeper" Attack, Releases Decryption Keys

colinneagle writes: Last week, a new strain of ransomware called Locker was activated after having been sitting silently on infected PCs. Security firm KnowBe4 called Locker a "sleeper" campaign that, when the malware's creator "woke it up," encrypted the infected devices' files and charged roughly $24 in exchange for the decryption keys. This week, an internet user claiming to be the creator of Locker publicly apologized for the campaign and appears to have released the decryption keys for all the devices that fell victim to it, KnowBe4 reported in an alert issued today. Locker's creator released this message in a PasteBin post, along with a link to a file hosted on Mega.co containing the decryption keys. The malware creator also said that an automatic decryption process for all devices that were affected by Locker will begin June 2nd.

However, the post did not mention anything about providing a refund to victims who paid the 0.1 bitcoin (equal to $22.88 at the time this was posted and about $24 last week) required for the decryption keys since last week. KnowBe4 CEO Stu Sjouwerman says the files released do not appear to be malicious after brief analysis, and that "it does contain a large quantity of RSA keys and Bitcoin addresses." But he warned those interested to only open these files "at your own risk until further analyses are performed." Sjouwerman speculated that the malware creator may have been spooked by attention from law enforcement or Eastern European organized crime syndicates that are behind most ransomware campaigns.

45 comments

  1. Customer Service by Anonymous Coward · · Score: 5, Funny

    That's better service than a lot of companies I intentionally do business with.... What's the world come to?

    1. Re:Customer Service by Anonymous Coward · · Score: 0

      like sourceforge? You're leaving because you don't like all the ads and malware installers we put on our site? Fuck you, we'll just copy your shit and add even more ads and crapware installers.

  2. Refund Bitcoin? by ArcadeMan · · Score: 1

    Strangely enough, you need someone very honest to "refund" anything via Bitcoin because he has to send the coins back himself; there are no "return/refund" mechanisms.

    So, all we can say is that guy is a "really honest crook", as strange and contradictory as it seems.

    1. Re:Refund Bitcoin? by Anonymous Coward · · Score: 0

      Well, more like a scared shitless crook, if you go by the TFA. TFA speculates he might be a dev for the East European mob involved in these ransomware schemes who struck out on his own, but later got cold feet as he was basically encroaching on his former criminal bosses' racket.

    2. Re:Refund Bitcoin? by sexconker · · Score: 2

      Wild, rampant, and baseless speculation.
      He could have found Jesus and decided to not be mean to people.
      He could have multiple personality disorder.
      He could be a dog with a computer randomly pawing at the keys.

    3. Re:Refund Bitcoin? by Anonymous Coward · · Score: 1

      Wild, rampant, and baseless speculation.
      He could have found Jesus and decided to not be mean to people.
      He could have multiple personality disorder.
      He could be a dog with a computer randomly pawing at the keys.

      HE COULD BE YOU!

      SO WHY'D YOU DO IT, SEXCONKER? (if that is indeed your real name)

    4. Re:Refund Bitcoin? by sexconker · · Score: 1

      It can't be me because I never would have designed it to be reversible. I would have just told people to pay up for the keys after overwriting their files with random data. It's like half the work.

    5. Re:Refund Bitcoin? by Falos · · Score: 1

      I'm not just pawing them at random! I can stay focused sometimes!

    6. Re: Refund Bitcoin? by Anonymous Coward · · Score: 0

      You can say the same about cash. I think BTC is stupid, but not for that.

    7. Re:Refund Bitcoin? by rhazz · · Score: 1

      No kidding. Not to mention any additional contact you have with the victim adds to your own risk of getting caught. People who pay out on ransomware are basically doubling down on their loss for the very, very slim chance they will get anything back. Take this story: these idiots paid TWICE for the same ransom and still didn't get their files back.

  3. testing by gabycampagna · · Score: 1

    testing by slashdot engineer

    1. Re:testing by Picass0 · · Score: 1

      I think you mean tested by Sourceforge

    2. Re: testing by Anonymous Coward · · Score: 0

      I think if you use SF you should get tested.

    3. Re:testing by wardrich86 · · Score: 1

      Reply "INSTALL" to this comment to download complimentary 3rd party applications that you didn't even know you wanted on your computer!

  4. Re:What a guy! by ArcadeMan · · Score: 1

    When you get some *real* skills, then try getting a good job that pays well.

    Simply having skills isn't enough anymore. There's not enough jobs and companies want to pay less for the same jobs every year.

  5. Re:What a guy! by Opportunist · · Score: 1

    Just so you know, the average malware jockey makes money that makes me wonder why I remain on this side of the fence. So much for "getting a good job that pays well".

    Don't worry. He already has one.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  6. Wow, 22.88? Seriously? by neminem · · Score: 4, Interesting

    My stepdad was hit by one of these a few months ago (incidentally, I can't believe he fell for it - he isn't sure how he got it, but he's a super-techie, it's surprising he both somehow installed such nasty malware, and also didn't have any recent backups of important files). Anyway, they asked for 500 bucks (he paid it, sadly, not that I necessarily blame him). $22.88... doesn't seem like a lot of money. I'd pay that without even thinking, if I were hit with it. $500 bucks I'd have to think more about.

    1. Re:Wow, 22.88? Seriously? by Anonymous Coward · · Score: 1

      If it's anything like the vast majority of ransomware investigations that pass by my desk, it's because he hasn't updated Flash in years and got hit by malvertising.

    2. Re:Wow, 22.88? Seriously? by Anonymous Coward · · Score: 1

      I'd pay that without even thinking

      "A man asks a woman if she would be willing to sleep with him if he pays her an exorbitant sum. She replies affirmatively. He then names a paltry amount and asks if she would still be willing to sleep with him for the revised fee. The woman is greatly offended and replies as follows:
              She: What kind of woman do you think I am?
              He: We've already established that. Now we're just haggling over the price."

      Do not give in to blackmail!

    3. Re:Wow, 22.88? Seriously? by Anonymous Coward · · Score: 1

      My stepdad was hit by one of these a few months ago (incidentally, I can't believe he fell for it - he isn't sure how he got it, but he's a super-techie, it's surprising he both somehow installed such nasty malware, and also didn't have any recent backups of important files).

      Probably got it from visiting Sourceforge...

    4. Re:Wow, 22.88? Seriously? by bill_mcgonigle · · Score: 2

      he hasn't updated Flash in years and got hit by malvertising.

      You don't have to be that bad, even. My parents' PC had Flash 12 and Flash 9 on it. Where did Flash 9 come from? It was installed at the same time as the updater software for their GPS device.

      The whole ecosystem is toxic and hateful towards the user.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

    5. Re:Wow, 22.88? Seriously? by nukenerd · · Score: 2

      The man was George Bernard Shaw, playwright and society wit. The way he said it however was much more quickfire than you make it sound.

    6. Re:Wow, 22.88? Seriously? by Anonymous Coward · · Score: 0

      That little story has been attributed to a number of people. I do not claim the joke for myself: Posting as AC, doing so would be particularly pointless. Note that I put the story in quotes. I have deliberately omitted names because the joke works without them.

    7. Re:Wow, 22.88? Seriously? by moeinvt · · Score: 1

      The malware authors need to create some sort of automated bartering program so that they can extract people's maximum willingness to pay. I'd definitely pay $22.88, but no way on $500.

  7. was a wrench involved? by Anonymous Coward · · Score: 1

    Was a wrench involved in getting him to release them?

    1. Re:was a wrench involved? by Anonymous Coward · · Score: 0

      Was a wrench involved in getting him to release them?

      If the malware landed on one of the computers of his overlords in Moscow, maybe.

    2. Re: was a wrench involved? by Anonymous Coward · · Score: 0

      Without even checking the link I know it's a mandatory XKCD. You forgot to add a funny anecdote about how all this relates to your life. So yeah, gonna call wooshthinkofthechildrenpenislol on this.

    3. Re: was a wrench involved? by wonkey_monkey · · Score: 1

      Without even checking the link I know it's a mandatory XKCD.

      The [xkcd.com] after the link is a bit of a giveaway.

      --
      systemd is Roko's Basilisk.

  8. Re:What a guy! by Anonymous Coward · · Score: 0

    Simmer down, champ.

  9. Re:What a guy! by Anonymous Coward · · Score: 1

    Feel better now?

    Do you really think someone who makes a living out of blackmailing the technically illiterate would be in any way chastened, or even bothered by your blustering?

    Right? That's what I fucking thought.

    Did you sit there very long, with the cursor blinking, waiting for a response?

  10. Re:What a guy! by jakimfett · · Score: 1

    Right there with ya. I'm a software developer and system administrator...It'd probably take me a month or so to read up on malware techniques and come up with a delivery mechanism and a way to do distributed CNC via RSA or PGP key.

    Still on this side of the fence. But I'm watching the other side carefully.

    --
    Bits of code, random ramblings: jakimfett.com

  11. Re:What a guy! by tlhIngan · · Score: 2

    Right there with ya. I'm a software developer and system administrator...It'd probably take me a month or so to read up on malware techniques and come up with a delivery mechanism and a way to do distributed CNC via RSA or PGP key.

    Honestly, it's a social skill - it requires communicating with the user, or at least knowing what users want.

    If you know how to do SEO, the absolutely easiest way to infect someone is offering free downloads of some commercial app. Like Office, Photoshop, even Windows. Or the keygens to it. The most common way is to wrap the keygen with your downloader so the user runs the wrapped app which then silently downloads malware while running the real keygen.

    Until Google started censoring the results, you could type an app's name and the first few results would be "cracks" "keygen" "download" and "warez".

    Hint: This applies for smartphone apps too. People are cheap. If they can save $1, they'll try.

  12. Re: What a guy! by Anonymous Coward · · Score: 0

    Is that you Phil Sturgeon?

  13. Re:What a guy! by Anonymous Coward · · Score: 0

    Do you even lift?

  14. Re:What a guy! by Vitriol+Angst · · Score: 1

    Don't the malware junkies make more money selling the patterns to the anti-malware firms on the side?

    I mean, who buys Kaspersky if nobody gets paid to create the malware and Windows and Mac have "good enough" security?

    Creating a market for malware is what keeps malware coming.

    --
    >>"ad space available -- low rates!!!"

  15. Dis is one half by xebecv · · Score: 1

    Press any key to continue ...

    1. Re:Dis is one half by Cafe+Alpha · · Score: 1

      None of my keys say "any" on them :(

  16. Will the NSA do right on their crimes? by Anonymous Coward · · Score: 0

    Or any other U.S. government for that matter. I think not.

  17. The keys are legit. by Anonymous Coward · · Score: 1

    My machine was hit by this ransomware and I got lucky enough to be doing something when it happened so I had the process suspended two minutes into the attack. Only about 30 of my actually useful files were hit with most of it just being a bunch of old unneeded data.

    So when he released the keys and the rules to unencrypt them I found my key in the list, based on the data saved on the machine for exactly that purpose in case I purchased. This was both the bitcoin address I should have paid through and an XML copy of the public key.

    I then threw together a quick C# program to unencrypt the files using the method he mentioned and it worked fine and I was able to recover all the files I wanted to get back.

    Another user had a symbolic link issue that caused the ransomware program to chain encrypt a file almost 50k times and was able to chain unencrypt it using a program someone else wrote. He even turned out to be telling the truth about the ransomware unencrypting the files for free on June 2nd.

    http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-topic/page-37
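    The recovery this poster describes (match the Bitcoin address and the XML public key your machine stored against the released list, then use the corresponding private key) hinges on one defender-side check that the summary above also hints at: do not trust an entry from a dump until the private key provably belongs to your public key. The following is an added example, not code from the page, from KnowBe4, or from any Locker tool. The `<RSAKeyValue>` XML layout with base64 big-endian `Modulus`, `Exponent`, `P`, `Q`, `DP`, `DQ`, `InverseQ`, `D` is the real .NET `RSA.ToXmlString` format; the shape of the released list (`bitcoin_address` plus `private_key_xml` per entry), the Bitcoin addresses and the toy-sized key material are constructed for the demo and are assumptions. It stops at matching and validating the key pair; the per-file decryption step depends on the malware's own file format, which the page does not describe.

```python
"""Match a victim-side record against a released key list and confirm the
private key is mathematically consistent with the victim's public key.

Added example (not from the page or any Locker tool). The RSAKeyValue XML
layout is .NET's real format; list shape, addresses and the tiny toy key
below are constructed for the demo and must not be mistaken for real data.
"""
import base64
import math
import xml.etree.ElementTree as ET
from typing import Optional


def _b64_to_int(text: str) -> int:
    """Decode a base64-encoded big-endian unsigned integer (RSAKeyValue style)."""
    return int.from_bytes(base64.b64decode(text), "big")


def _int_to_b64(value: int) -> str:
    """Inverse of _b64_to_int; used only to build the constructed sample XML."""
    size = (value.bit_length() + 7) // 8 or 1
    return base64.b64encode(value.to_bytes(size, "big")).decode()


def parse_rsa_xml(xml_text: str) -> dict:
    """Parse .NET RSAKeyValue XML into {tag: int}. Public keys carry only
    Modulus/Exponent; private keys add P, Q, DP, DQ, InverseQ and D."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue element")
    return {child.tag: _b64_to_int((child.text or "").strip()) for child in root}


def private_matches_public(priv: dict, pub: dict) -> bool:
    """Reject a released private key unless it provably pairs with the victim's
    public key: same (n, e), n == p*q, and e*d == 1 mod lcm(p-1, q-1)."""
    if priv.get("Modulus") != pub.get("Modulus") or priv.get("Exponent") != pub.get("Exponent"):
        return False
    p, q, e, d, n = priv["P"], priv["Q"], priv["Exponent"], priv["D"], priv["Modulus"]
    if p * q != n:
        return False
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (e * d) % lam == 1


def find_matching_key(victim_record: dict, released: list) -> Optional[dict]:
    """Return the released entry whose Bitcoin address AND private key match the
    victim's stored record, or None. Address alone is not enough: a mistyped or
    tampered entry with the right address but the wrong key is rejected."""
    victim_pub = parse_rsa_xml(victim_record["public_key_xml"])
    for entry in released:
        if entry["bitcoin_address"] != victim_record["bitcoin_address"]:
            continue
        if private_matches_public(parse_rsa_xml(entry["private_key_xml"]), victim_pub):
            return entry
    return None


# ---- constructed sample data (toy RSA: p=61, q=53, e=17, d=2753) ----------
_P, _Q, _E, _D = 61, 53, 17, 2753
_N = _P * _Q  # 3233


def _pub_xml(n: int, e: int) -> str:
    return (f"<RSAKeyValue><Modulus>{_int_to_b64(n)}</Modulus>"
            f"<Exponent>{_int_to_b64(e)}</Exponent></RSAKeyValue>")


def _priv_xml(p: int, q: int, e: int, d: int) -> str:
    parts = {"Modulus": p * q, "Exponent": e, "P": p, "Q": q,
             "DP": d % (p - 1), "DQ": d % (q - 1), "InverseQ": pow(q, -1, p), "D": d}
    body = "".join(f"<{k}>{_int_to_b64(v)}</{k}>" for k, v in parts.items())
    return f"<RSAKeyValue>{body}</RSAKeyValue>"


VICTIM_RECORD = {  # what the infected machine kept for the "buy the key" step (constructed)
    "bitcoin_address": "1VictimAddrConstructedForDemo00000",
    "public_key_xml": _pub_xml(_N, _E),
}

RELEASED_LIST = [  # constructed stand-in for the dump's layout
    {"bitcoin_address": "1OtherVictimAddrConstructed0000000",
     "private_key_xml": _priv_xml(47, 59, _E, 157)},        # different victim
    {"bitcoin_address": VICTIM_RECORD["bitcoin_address"],
     "private_key_xml": _priv_xml(_P, _Q, _E, _D + 1)},     # right address, corrupt D
    {"bitcoin_address": VICTIM_RECORD["bitcoin_address"],
     "private_key_xml": _priv_xml(_P, _Q, _E, _D)},         # the genuine pair
]

if __name__ == "__main__":
    hit = find_matching_key(VICTIM_RECORD, RELEASED_LIST)
    print("genuine entry found:", hit is RELEASED_LIST[2])
```

    The consistency check is cheap and catches the two failure modes a victim actually faces when working from a dump of unknown provenance: an entry filed under the wrong address, and an entry whose private half has been truncated or garbled in transit. Only after an entry passes should it be fed to whatever file-decryption routine the malware's format calls for.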

  18. Or he didn't get paid. by Anonymous Coward · · Score: 0

    Perhaps the author created this for someone else and either didn't get paid for his work, or wasn't getting his cut.

  19. Re:What a guy! by Opportunist · · Score: 1

    Erh... detach yourself from the idea that malware is something some pimple-faced 17-27 year old does in his mom's basement. Malware is a business. And of course with the relevant staff.

    In other words, distribution is not your concern when you're a programmer. That's what marketing is for.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  20. Re:What a guy! by Opportunist · · Score: 1

    Don't worry. I've been in that business for a while. Trust me, there is no reason to create malware. Why bother? It's done for you. For free. Because they have a business model as well.

    Quite seriously, even if you don't "trust" anti-malware companies to not create them themselves, simply follow the laws of the market: Why create a disease if it exists anyway? Why bother wasting money on something that is done for you without your intervention? It's like saying, I dunno, mobile home vendors are behind tornados in Kansas. Why the fuck bother, these things come themselves, no need to do anything. It happens. Free of charge.

    That some vendors of AV kits go and blow every minor, insignificant malware release out of proportion and predict falling skies if we don't immediately buy their latest and greatest is another thing. Think of it as the computerized version of the Swine Flu.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.