Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ransomware Creator Apologizes For "Sleeper" Attack, Releases Decryption Keys

Posted by samzenpus on from the my-bad dept.

colinneagle writes: Last week, a new strain of ransomware called Locker was activated after having been sitting silently on infected PCs. Security firm KnowBe4 called Locker a "sleeper" campaign that, when the malware's creator "woke it up," encrypted the infected devices' files and charged roughly $24 in exchange for the decryption keys. This week, an internet user claiming to be the creator of Locker publicly apologized for the campaign and appears to have released the decryption keys for all the devices that fell victim to it, KnowBe4 reported in an alert issued today. Locker's creator released this message in a PasteBin post, along with a link to a file hosted on Mega.co containing the decryption keys. The malware creator also said that an automatic decryption process for all devices that were affected by Locker will begin June 2nd.

However, the post did not mention anything about providing a refund to victims who paid the 0.1 bitcoin (equal to $22.88 at the time this was posted and about $24 last week) required for the decryption keys since last week. KnowBe4 CEO Stu Sjouwerman says the files released do not appear to be malicious after brief analysis, and that "it does contain a large quantity of RSA keys and Bitcoin addresses." But he warned those interested to only open these files "at your own risk until further analyses are performed." Sjouwerman speculated that the malware creator may have been spooked by attention from law enforcement or Eastern European organized crime syndicates that are behind most ransomware campaigns.

45 comments

  1. Customer Service by Anonymous Coward · · Score: 5, Funny

    That's better service then a lot of companies I intentionally do business with.... What's the would come to?

    1. Re:Customer Service by Anonymous Coward · · Score: 0

      like sourceforge? You're leaving because you don't like all the ads and malware installers we put on our site? Fuck you, we'll just copy your shit and add even more ads and crapware installers.

  2. What a guy! by countSudoku() · · Score: -1, Flamebait

    Thanks, buddy, but I don't need your fucking keys. I don't stick my electronic dick into every fucking Internet outlet, so I don't get fucking viruses like fucking average fucking joe. Take your fucking keys, print them out on thick card stock, soak them in petrol, stick them far far up your asshole, then go smoke some cigs, you fucking ignorant piss-stained teen bitch script-fuck. I shit more interesting solutions than whatever fucking cracks you simpleton coders conjure up in your wildest fucking dreams. Fucking douchbags. When you get some *real* skills, then try getting a good job that pays well. Let me guess, too fucking hard for you. Right? That's what I fucking thought. You're fucking dismissed now, to fuck off in new exciting ways!

    --
    This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
    1. Re:What a guy! by ArcadeMan · · Score: 1

      When you get some *real* skills, then try getting a good job that pays well.

      Simply having skills isn't enough anymore. There's not enough jobs and companies want to pay less for the same jobs every year.

      --
      Get free satoshi (Bitcoin) and Dogecoins
    2. Re:What a guy! by Opportunist · · Score: 1

      Just so you know, the average malware jockey makes money that makes me wonder why I remain on this side of the fence. So much for "getting a good job that pays well".

      Don't worry. He already has one.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:What a guy! by Anonymous Coward · · Score: 0

      Simmer down, champ.

    4. Re:What a guy! by Anonymous Coward · · Score: -1

      Fucking how the fucking fuck is the fucking parent fucking modded fucking interesting?

    5. Re:What a guy! by Anonymous Coward · · Score: 1

      Feel better now?

      Do you really think someone who makes a living out of blackmailing the technically illiterate would be in any way chastened, or even bothered by your blustering?

      Right? That's what I fucking thought.

      Did you sit there very long, with the cursor blinking, waiting for a response?

    6. Re:What a guy! by jakimfett · · Score: 1

      Right there with ya. I'm a software developer and system administrator...It'd probably take me a month or so to read up on malware techniques and come up with a delivery mechanism and a way to do distributed CNC via RSA or PGP key.

      Still on this side of the fence. But I'm watching the other side carefully.

      --
      Bits of code, random ramblings: jakimfett.com
    7. Re:What a guy! by tlhIngan · · Score: 2

      Right there with ya. I'm a software developer and system administrator...It'd probably take me a month or so to read up on malware techniques and come up with a delivery mechanism and a way to do distributed CNC via RSA or PGP key.

      Honestly, it's a social skill - it requires communicating the user, or at least knowing what users want.

      If you know how to do SEO, the absolutely easiest way to infect someone is offering free downloads of some commercial app. Like Office, Photoshop, even Windows. Or the keygens to it. The most common way is to wrap the keygen with your downloader so the user runs the wrapped app which then silently downloads malware while running the real keygen.

      Until Google started censoring the results, you could type an app's name and the first few results would be "cracks" "keygen" "download" and "warez".

      Hint: This applies for smartphone apps too. People are cheap. If they can save $1, they'll try.

    8. Re: What a guy! by Anonymous Coward · · Score: 0

      Is that you Phil Sturgeon?

    9. Re:What a guy! by Anonymous Coward · · Score: 0

      Do you even lift?

    10. Re:What a guy! by Vitriol+Angst · · Score: 1

      Don't the malware junkies make more money selling the patterns to the anti-malware firms on the side?

      I mean, who buys Kaspersky if nobody gets paid to create the malware and Windows and Mac have "good enough" security?

      Creating a market for malware is what keeps malware coming.

      --
      >>"ad space available -- low rates!!!"
    11. Re:What a guy! by Opportunist · · Score: 1

      Erh... detach yourself from the idea that malware is something some pimple faced 17-27 year old does in his mom's basement. Malware is a business. And of course with the relevant staff.

      In other words, distribution is not your concern when you're a programmer. That's what marketing is for.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:What a guy! by Opportunist · · Score: 1

      Don't worry. I've been in that business for a while. Trust me, there is no reason to create malware. Why bother? It's done for you. For free. Because they have a business model as well.

      Quite seriously, even if you don't "trust" anti-malware companies to not create them themselves, simply follow the laws of the market: Why create a disease if it exists anyway? Why bother wasting money on something that is done for you without your intervention? It's like saying, I dunno, mobile home vendors are behind tornados in Kansas. Why the fuck bother, these things come themselves, no need to do anything. It happens. Free of charge.

      That some vendors of AV kits go and blow every minor, insignificant malware release out of proportion and predict falling skies if we don't immediately buy their latest and greatest is another thing. Think of it as the computerized version of the Swine Flu.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Refund Bitcoin? by ArcadeMan · · Score: 1

    Strangely enough, you need someone very honest to "refund" anything via Bitcoin because he has to send the coins back himself, there's no "return/refund" mechanisms.

    So, all we can say is that guy is a "really honest crook", as strange and contradictory as it seems.

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:Refund Bitcoin? by Anonymous Coward · · Score: 0

      Well, more like a scared shitless crook, if you go by the TFA. TFA speculates he might be a dev for the East European mob involved in these ransomware schemes that struck out on his own, but later got cold feet as he was basically encroaching on his former criminal bosses's racket.

    2. Re:Refund Bitcoin? by sexconker · · Score: 2

      Wild, rampant, and baseless speculation.
      He could have found Jesus and decided to not be mean to people.
      He could have multiple personality disorder.
      He could be a dog with a computer randomly pawing at the keys.

    3. Re:Refund Bitcoin? by Anonymous Coward · · Score: 1

      Wild, rampant, and baseless speculation.
      He could have found Jesus and decided to not be mean to people.
      He could have multiple personality disorder.
      He could be a dog with a computer randomly pawing at the keys.

      HE COULD BE YOU!

      SO WHY'D YOU DO IT, SEXCONKER? (if that is indeed your real name)

    4. Re:Refund Bitcoin? by sexconker · · Score: 1

      It can't be me because I never would have designed it to be reversible. I would have just told people to pay up for the keys after overwriting their files with random data. It's like half the work.

    5. Re:Refund Bitcoin? by Falos · · Score: 1

      I'm not just pawing them at random! I can stay focused sometimes!

    6. Re: Refund Bitcoin? by Anonymous Coward · · Score: 0

      You can say the same about cash. I think BTC is stupid, but not for that.

    7. Re:Refund Bitcoin? by rhazz · · Score: 1

      No kidding. Not to mention any additional contact you have with the victim adds to your own risk of getting caught. People who pay out on ransomware are basically doubling down on their loss for the very very slim chance they will get anything back. Take this story, these idiots paid TWICE for the same ransom and still didn't their files back.

  4. testing by gabycampagna · · Score: 1

    testing by slashdot engineer

    1. Re:testing by Picass0 · · Score: 1

      I think you mean tested by Sourceforge

    2. Re: testing by Anonymous Coward · · Score: 0

      I think if you use SF you should get tested.

    3. Re:testing by wardrich86 · · Score: 1

      Reply "INSTALL" to this comment to download complimentary 3rd party applications that you didn't even know you wanted on your computer!

  5. Wow, 22.88? Seriously? by neminem · · Score: 4, Interesting

    My stepdad was hit by one of these a who months ago (incidentally, I can't believe he fell for it - he isn't sure how he got it, but he's a super-techie, it's surprising he both somehow installed such nasty nalware, and also didn't have any recent backups of important files). Anyway, they asked for 500 bucks (he paid it, sadly, not that I necessarily blame him). $22.88... doesn't seem like a lot of money. I'd pay that without even thinking, if I were hit with it. $500 bucks I'd have to think more about.

    1. Re:Wow, 22.88? Seriously? by Anonymous Coward · · Score: 1

      If it's anything like the vast majority of ransomware investigations that pass by my desk, it's because he hasn't updated Flash in years and got hit by malvertising.

    2. Re:Wow, 22.88? Seriously? by Anonymous Coward · · Score: 1

      I'd pay that without even thinking

      "A man asks a woman if she would be willing to sleep with him if he pays her an exorbitant sum. She replies affirmatively. He then names a paltry amount and asks if she would still be willing to sleep with him for the revised fee. The woman is greatly offended and replies as follows:
              She: What kind of woman do you think I am?
              He: We've already established that. Now we're just haggling over the price."

      Do not give in to blackmail!

    3. Re:Wow, 22.88? Seriously? by Anonymous Coward · · Score: 1

      My stepdad was hit by one of these a who months ago (incidentally, I can't believe he fell for it - he isn't sure how he got it, but he's a super-techie, it's surprising he both somehow installed such nasty nalware, and also didn't have any recent backups of important files).

      Probably got it from visiting Sourceforge...

    4. Re:Wow, 22.88? Seriously? by bill_mcgonigle · · Score: 2

      he hasn't updated Flash in years and got hit by malvertising.

      You don't have to be that bad, even. My parents' PC had Flash 12 on it and Flash 9 on it. Where did Flash 9 come from? It was installed at the same time as the updater software for their GPS device.

      The whole ecosystem is toxic and hateful towards the user.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Wow, 22.88? Seriously? by nukenerd · · Score: 2

      The man was George Bernard Shaw, playwright and society wit. The way he said it however was much more quickfire than you make it sound.

    6. Re:Wow, 22.88? Seriously? by Anonymous Coward · · Score: 0

      That little story has been attributed to a number of people. I do not claim the joke for myself: Posting as AC, doing so would be particularly pointless. Note that I put the story in quotes. I have deliberately omitted names because the joke works without them.

    7. Re:Wow, 22.88? Seriously? by moeinvt · · Score: 1

      The malware authors need to create some sort of automated bartering program so that they can extract people's maximum willingness to pay. I'd definitely pay $22.88, but no way on $500.

  6. was a wrench involved? by Anonymous Coward · · Score: 1

    Was a wrench involved in getting him to release them?

    1. Re:was a wrench involved? by Anonymous Coward · · Score: 0

      Was a wrench involved in getting him to release them?

      If the malware landed on one of the computers of his overlords in Moscow, maybe.

    2. Re: was a wrench involved? by Anonymous Coward · · Score: 0

      Without even checking the link I know it's a mandatory XKCD. You forgot to add a funny anecdote about how all this relates to your life. So yeah, gonna call wooshthinkofthechildrenpenislol on this.

    3. Re: was a wrench involved? by wonkey_monkey · · Score: 1

      Without even checking the link I know it's a mandatory XKCD.

      The [xkcd.com] after the link is a bit of a giveaway.

      --
      systemd is Roko's Basilisk.
  7. Welcome, GimpWAD Member! by Anonymous Coward · · Score: -1

    Thank you for your interest in joining the GIMP Windows Advertisers of DICE* (GimpWAD)! GimpWADs worldwide are happy that you'd like to become part of our

    constantly enlarging member ship (come sail away 8======D~)

    Unlike other geek fraternities that you might have heard about, GimpWAD accepts members of all races, creeds, and colors. We don't even have a technical inclination requirement. As our founders stated in the Annals of GimpWAD, Chapter 1: "You don't have to be a geek, as long as you like it Greek." They were, of course, referring to the penis in anus style of sexual relations. Don't despair, as attaining full fabulous lifetime status in GimpWAD is easy. The only prerequisites for membership in Gay Wigger Association of DICE* are that you meet all of the following conditions:

    1. 1. Ownership of penis, anus, or both

    To submit your Gay Wigger Association of DICE* Membership Application, simply do nothing. Congratulations, you're now a GimpWAD!

    If you require a specific membership number for purposes such as framing, docking, or prestigious inclusion upon your business cards and resume, please take down this number: 69.

    Optionally, you may complete the following survey by replying to this post, indicating affirmative responses with an X in each appropriate box:

    GimpWAD Membership Survey (OPTIONAL)

    [ ] I am gay
    [ ] I am a wigger
    [ ] I have used SLASHDOT VIDEO to find a sex partner

    After completion of this optional survey, your Slashdot post ID shall serve as your unique Gay Wigger Association of DICE* membership ID.

    Your GimpWAD membership kit** is on its way.

    * GimpWAD is neither affiliated with nor endorsed by DICE.COM.

    ** GimpWAD membership kit no longer includes HIV self-test catheter.

  8. Dis is one half by xebecv · · Score: 1

    Press any key to continue ...

    1. Re:Dis is one half by Cafe+Alpha · · Score: 1

      None of my keys say "any" on them :(

  9. Will the NSA do right on their crimes? by Anonymous Coward · · Score: 0

    Or any other U.S government for that matter. I think not.

  10. The keys are legit. by Anonymous Coward · · Score: 1

    My machine was hit by this ransomware and I got lucky enough to be doing something when it happened so I had the process suspended two minutes into the attack. Only about 30 of my actually useful files were hit with most of it just being a bunch of old unneeded data.

    So when he released the keys and the rules to unencrypt them I found my key in the list, based on the data saved on the machine for exactly that purpose in case I purchased. This was both the bitcoin address I should have paid through and an XML copy of the public key.

    I then threw together a quick C# program to unencrypt the files using the method he mentioned and it worked fine and I was able to recover all the files I wanted to get back.

    Another user had a symbolic link issue that caused the ransomware program to chain encrypt a file almost 50k times and was able to chain unencrypt it using a program someone else wrote. He even turned out to be telling the truth about the ransomware unencrypting the files for free on June 2nd.

    http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-topic/page-37

  11. Or he didn't get paid. by Anonymous Coward · · Score: 0

    Perhaps the author created this for someone else and either didn't get paid for his work, or wasn't getting his cut.