Slashdot Mirror


Ransomware Creator Apologizes For "Sleeper" Attack, Releases Decryption Keys

colinneagle writes: Last week, a new strain of ransomware called Locker was activated after having been sitting silently on infected PCs. Security firm KnowBe4 called Locker a "sleeper" campaign that, when the malware's creator "woke it up," encrypted the infected devices' files and charged roughly $24 in exchange for the decryption keys. This week, an internet user claiming to be the creator of Locker publicly apologized for the campaign and appears to have released the decryption keys for all the devices that fell victim to it, KnowBe4 reported in an alert issued today. Locker's creator released this message in a PasteBin post, along with a link to a file hosted on Mega.co containing the decryption keys. The malware creator also said that an automatic decryption process for all devices that were affected by Locker will begin June 2nd.

However, the post did not mention anything about providing a refund to victims who paid the 0.1 bitcoin (equal to $22.88 at the time this was posted and about $24 last week) required for the decryption keys since last week. KnowBe4 CEO Stu Sjouwerman says the files released do not appear to be malicious after brief analysis, and that "it does contain a large quantity of RSA keys and Bitcoin addresses." But he warned those interested to only open these files "at your own risk until further analyses are performed." Sjouwerman speculated that the malware creator may have been spooked by attention from law enforcement or Eastern European organized crime syndicates that are behind most ransomware campaigns.

6 of 45 comments

  1. Customer Service by Anonymous Coward · Score: 5, Funny

    That's better service than a lot of companies I intentionally do business with.... What's the world come to?

  2. Wow, 22.88? Seriously? by neminem · Score: 4, Interesting

    My stepdad was hit by one of these a few months ago (incidentally, I can't believe he fell for it - he isn't sure how he got it, but he's a super-techie, it's surprising he both somehow installed such nasty malware, and also didn't have any recent backups of important files). Anyway, they asked for 500 bucks (he paid it, sadly, not that I necessarily blame him). $22.88... doesn't seem like a lot of money. I'd pay that without even thinking, if I were hit with it. $500 bucks I'd have to think more about.

    1. Re:Wow, 22.88? Seriously? by bill_mcgonigle · Score: 2

      he hasn't updated Flash in years and got hit by malvertising.

      You don't have to be that bad, even. My parents' PC had Flash 12 on it and Flash 9 on it. Where did Flash 9 come from? It was installed at the same time as the updater software for their GPS device.

      The whole ecosystem is toxic and hateful towards the user.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

    2. Re:Wow, 22.88? Seriously? by nukenerd · Score: 2

      The man was George Bernard Shaw, playwright and society wit. The way he said it however was much more quickfire than you make it sound.

  3. Re:Refund Bitcoin? by sexconker · Score: 2

    Wild, rampant, and baseless speculation.
    He could have found Jesus and decided to not be mean to people.
    He could have multiple personality disorder.
    He could be a dog with a computer randomly pawing at the keys.

  4. Re:What a guy! by tlhIngan · Score: 2

    Right there with ya. I'm a software developer and system administrator...It'd probably take me a month or so to read up on malware techniques and come up with a delivery mechanism and a way to do distributed CNC via RSA or PGP key.

    Honestly, it's a social skill - it requires communicating with the user, or at least knowing what users want.

    If you know how to do SEO, the absolutely easiest way to infect someone is offering free downloads of some commercial app. Like Office, Photoshop, even Windows. Or the keygens to it. The most common way is to wrap the keygen with your downloader so the user runs the wrapped app which then silently downloads malware while running the real keygen.

    Until Google started censoring the results, you could type an app's name and the first few results would be "cracks" "keygen" "download" and "warez".

    Hint: This applies for smartphone apps too. People are cheap. If they can save $1, they'll try.