Slashdot Mirror


CoinVault and Bitcryptor Ransomware Victims Can Now Recover Their Files For Free (itworld.com)

itwbennett writes: 'Researchers from Kaspersky Lab and the Dutch Public Prosecution Service have obtained the last set of encryption keys from command-and-control servers that were used by CoinVault and Bitcryptor,' writes Lucian Constantin. 'Those keys have been uploaded to Kaspersky's ransomware decrypt or service that was originally set up in April with a set of around 750 keys recovered from servers hosted in the Netherlands.'

32 comments

  1. Pretty Amazing Really by SumDog · · Score: 4, Interesting

    I've never been hit by one of these, but I realize it can cost people a lot of money due to some shitheads. I'm really glad a lot of these keys have been found and made public. I'm sure this won't be the end of ransomware...people will just use new keys, but hopefully this will help some of those who have clicked on a not-a-flash upgrade or bad e-mail attachment.

    1. Re:Pretty Amazing Really by Anonymous Coward · · Score: 0

      I'm guessing they automated the collection and recovery process for the keys. If you had someone manually collecting the private keys and storing them offsite, encrypted again, wiping memory behind, you'd be in trouble.

    2. Re:Pretty Amazing Really by Zocalo · · Score: 4, Interesting

      While it's a worthy effort, I suspect that it's mostly just a PR stunt though since I doubt very many people will actually be able to use these keys to avoid paying the ransom, given that the criminals will indeed switch to new keys pretty much overnight, potentially re-encrypting any data on PCs they have already compromised in the process if they can re-establish control via other C&C servers. Of the potential victims that could benefit from this, once you've eliminated those who have already paid the ransom, written off their data and started over, or were fortunate enough to have good backups to restore from, are there *really* going to be that many left who will also be capable of finding the site with the decryption tools on it? That we don't hear the security companies trumpeting the numbers of successful decryptions using recovered keys like these makes me think that there are probably not all that many.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Pretty Amazing Really by Xenna · · Score: 4, Insightful

      "While it's a worthy effort, I suspect that it's mostly just a PR stunt though since I doubt very many people will actually be able to use these keys to avoid paying the ransom, given that the criminals will indeed switch to new keys pretty much overnight, potentially re-encrypting any data on PCs they have already compromised in the process if they can re-establish control via other C&C servers."

      AFAIK the guys who did it are now in jail, which makes it a lot harder to change keys. Even if they didn't catch them all, the remaining bad guys may want to lay low for a while.

      So, it looks pretty much like a success to me. Locking these guys up and retrieving the keys is pretty much the best you can do in such a case.

    4. Re:Pretty Amazing Really by nogginthenog · · Score: 2

      Had quite a few customers hit with these. One was running a legacy xBase app and it even encrypted the DBF files! Luckily they had a backup only a few hours old.

    5. Re:Pretty Amazing Really by Kjella · · Score: 1

      From what I understand these trojans give you a countdown timer before they wipe the key, so I think very few would keep an encrypted system around past that date on the very unlikely chance that the keys will be found somehow. People might drag their feet while the timer is running, but afterwards I expect 99.9%+ will fix their computer wiping the encrypted drive in the process.

      --
      Live today, because you never know what tomorrow brings
    6. Re:Pretty Amazing Really by Zocalo · · Score: 2

      I'm not saying it's not a success or worth doing, just that it's perhaps not *quite* the degree of success that it might seem. Keeping in mind that there are likely to be lots of groups trying out this kind of scam, each using their own sets of keys and potentially also distributing them across multiple C&C servers to help mitigate against this kind of countermeasure, then the number of victims for a given C&C server is likely to be quite low to start with. According to the site itself there are around 15,000 keys in total (the 750 mentioned in TFA was just the initial batch), although that might not correspond in any meaningful way with the number of victims or files that have been encrypted. What I'm hoping for is that Kaspersky will follow up on this with some indication of how many of those ~15,000 keys are actually used by victims of the gang to successfully recover their data, how many unique victims they identified, how many files were recovered, and so on.

      --
      UNIX? They're not even circumcised! Savages!
    7. Re:Pretty Amazing Really by plover · · Score: 1

      I would be surprised if they wipe the keys as fast as the countdown timers claim. Once they wipe a key, they can make 0 money from it. It would be smarter to threaten to jack the rates: "pay us by Tuesday or we double the ransom."

      These guys provided 14,000 keys to Dutch law enforcement. It sure sounds like they didn't wipe them.

      --
      John
    8. Re:Pretty Amazing Really by Anonymous Coward · · Score: 0

      AFAIK the guys who did it are now in jail, which makes it a lot harder to change keys. Even if they didn't catch them all, the remaining bad guys may want to lay low for a while.

      If only we had a tool that could be set to automatically perform tasks like generating new keys and re-encrypting data on a timed basis.

    9. Re:Pretty Amazing Really by Anonymous Coward · · Score: 0

      Frequent (weekly in my case) backups swapping between 2 USB hard drives is the best defence against this sort of thing. I have one drive local and one off-site, and swap them weekly. I also have the same data on my two laptops as I have on my desktop PC. One laptop is used infrequently at home, the other is only used when I go to friends' homes, and is very seldom connected to my home network.

      It is highly unlikely that all three computers and both backups could be affected at the same time. I do not open email attachments of any kind no matter who they say they are from, and all of my web surfing is done in Linux, lessening the chances even further. I have NoScript, Adblock Plus (with all ads blocked) and Privacy Badger installed.

      Do I seem a little paranoid about this stuff? Well, you have to be these days!

    10. Re:Pretty Amazing Really by muphin · · Score: 2

      The way ransomware works is it encrypts your files, sends the key to a C&C server, then deletes itself so it cannot be intercepted and the key reverse engineered.
      So the criminals won't be able to encrypt the files as there's no way to communicate with the infected machine.

      --
      It's not a typo if you understood the meaning!
    11. Re:Pretty Amazing Really by Impy+the+Impiuos+Imp · · Score: 2

      I've never been hit by one of these, but I realize it can cost people a lot of money due to some shitheads. I'm really glad a lot of these keys have been found and made public. I'm sure this won't be the end of ransomware...people will just use new keys, but hopefully this will help some of those who have clicked on a not-a-flash upgrade or bad e-mail attachment.

      I hope they recovered the keys from the shitheads using this technique.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    12. Re:Pretty Amazing Really by Anonymous Coward · · Score: 0

      Locking these guys up and retrieving the keys is pretty much the best you can do in such a case.

      Shooting them all in the raid might not be that bad an outcome either.

    13. Re:Pretty Amazing Really by Slashdot+Junky · · Score: 2

      Shooting would be a problem when bad intel results in a raid of the wrong place. Plus, a dead bad guy can't assist the investigation until we can download the brain.

      --
      .
      Landfill Mining Co.
      Managing the (Un)natural Resources of Tomorrow
    14. Re:Pretty Amazing Really by Xenna · · Score: 2

      Again AFAIK these schemes install a trojan on your system which generates a unique private/public key pair. The private key is sent to the C&C server and stored while the public key is used to encrypt the data and discarded after use. They could even use symmetric encryption since key exchange is not a big problem in this scenario. In any case a new key is generated for each victim and sent back to the C&C server. If this is true, the 15000 keys would correspond to the number of victims (not files).

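The per-victim key escrow that Xenna describes above, as an added example; this is not code from the original page, from Kaspersky's decryptor, or from the CoinVault/Bitcryptor samples, and the names `infect_and_encrypt`, `recover` and `cnc_db` are my own. It models the scheme on in-memory byte strings: the victim side generates a keypair, sends the private exponent to a dict standing in for the C&C key store, keeps only the public half in the "ransom note", and encrypts each file under a fresh symmetric key wrapped with that public key; `recover` is what a decryptor tool does once that store has been seized. RSA is textbook and 512-bit and the symmetric cipher is an HMAC-SHA256 counter-mode keystream, both chosen so the block runs on the standard library alone (Python 3.8+ for `pow(e, -1, phi)`), not as recommendations:

```python
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test; adequate for a demonstration keypair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and odd
        if is_probable_prime(cand):
            return cand


def gen_rsa_keypair(bits=512):
    """Textbook RSA (no padding), sized for speed in a demo, not for real use."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), pow(e, -1, phi)   # ((n, e) public, d private)


def keystream_xor(key, nonce, data):
    """Stream cipher from HMAC-SHA256 in counter mode (stand-in for AES).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def infect_and_encrypt(files, cnc_db):
    """Victim side: per-victim keypair, private half shipped to the C&C store,
    only the public half retained, each file under its own wrapped symmetric key."""
    (n, e), d = gen_rsa_keypair()
    victim_id = secrets.token_hex(8)
    cnc_db[victim_id] = (n, d)      # the only copy of d that survives
    del d
    encrypted = {}
    for name, plaintext in files.items():
        file_key = secrets.token_bytes(32)      # 256-bit key, always < n
        nonce = secrets.token_bytes(16)
        encrypted[name] = {
            "nonce": nonce,
            "wrapped_key": pow(int.from_bytes(file_key, "big"), e, n),
            "body": keystream_xor(file_key, nonce, plaintext),
        }
    ransom_note = {"victim_id": victim_id, "n": n, "e": e}   # all the victim keeps
    return ransom_note, encrypted


def recover(ransom_note, encrypted, recovered_keys):
    """Decryptor side: look up this victim's seized private key and unwrap each
    per-file key. Another victim's key is useless, hence keys ~ victims."""
    victim_id = ransom_note["victim_id"]
    if victim_id not in recovered_keys:
        raise KeyError(f"no recovered private key for victim {victim_id}")
    n, d = recovered_keys[victim_id]
    restored = {}
    for name, rec in encrypted.items():
        file_key = pow(rec["wrapped_key"], d, n).to_bytes(32, "big")
        restored[name] = keystream_xor(file_key, rec["nonce"], rec["body"])
    return restored


if __name__ == "__main__":
    # Constructed sample data; the dict plays the role of the seized C&C key store.
    seized_store = {}
    originals = {"invoice.dbf": b"DBF\x03 constructed sample record", "notes.txt": b"hello"}
    note, blobs = infect_and_encrypt(originals, seized_store)
    assert "d" not in note and blobs["notes.txt"]["body"] != b"hello"
    assert recover(note, blobs, seized_store) == originals
    print("victim", note["victim_id"], "recovered", len(originals), "files")
```

The point the block makes concrete: nothing on the infected machine (the note holds only `n` and `e`) lets the victim unwrap the per-file keys, so publishing the seized `(n, d)` pairs, indexed by victim id, is exactly what turns a dead countdown into a free decryption, and each pair helps exactly one victim.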
    15. Re:Pretty Amazing Really by f3rret · · Score: 2

      I've never been hit by one of these, but I realize it can cost people a lot of money due to some shitheads. I'm really glad a lot of these keys have been found and made public. I'm sure this won't be the end of ransomware...people will just use new keys, but hopefully this will help some of those who have clicked on a not-a-flash upgrade or bad e-mail attachment.

      The droppers for these things are usually based in websites, no clicking on sketchy attachments required. Simply a plausible(ish) looking e-mail from a plausible(ish) sounding organization with a link to a site that will use a browser exploit of some kind and drop the thing onto the computer.

      --
      Admit nothing. Deny Everything. Make Counter-accusations.
    16. Re:Pretty Amazing Really by Anonymous Coward · · Score: 0

      What about the DMCA?

  2. Hats off to Kaspersky by Anonymous Coward · · Score: 3, Interesting

    they are truly good guys. Most of their competitors, F-Secure being the exception I guess, would have charged money for this service, or not even have bothered in the first place.

    1. Re:Hats off to Kaspersky by quantaman · · Score: 1

      they are truly good guys. Most of their competitors, F-Secure being the exception I guess, would have charged money for this service, or not even have bothered in the first place.

      Full marks to them for doing this, though they're not exactly perfect. It's only been two months since it came out that they were tricking competitors' products into identifying legitimate software as malware. Just like most big companies, sometimes they're awesome, sometimes they're terrible.

      --
      I stole this Sig
  3. But think of the cost... by Anonymous Coward · · Score: 0

    Think of how much it cost for this Slashvertisement.

    Something isn't adding up here.

    1. Re:But think of the cost... by pjt33 · · Score: 1

      They can't have paid that much, given that they didn't manage to not insert an unwanted space in the word "decryptor". (Unless that was added by the "editor", of course).

    2. Re:But think of the cost... by Anonymous Coward · · Score: 0

      Err.. the 'edit or' you mean.
      TIFIFY

  4. 750 keys by Lennie · · Score: 1

    So the article says it's 750 keys.

    Why do they have a decryption service ?

    Why do we need to upload files ? Which could be a privacy problem, annoying when dealing with large numbers of files or large files.

    Why not publish the keys ?

    And maybe make a small program to make it easier to decrypt files.

    --
    New things are always on the horizon
    1. Re:750 keys by p.g.king · · Score: 5, Informative
  5. Much Respect! by JustAnotherOldGuy · · Score: 3, Insightful

    A big salute to the people at Kaspersky Labs and the Dutch Public Prosecution Service.

    Talk about earning goodwill, these guys (and gals) just banked a mountain of it as far as I'm concerned.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Much Respect! by plover · · Score: 4, Interesting

      This certainly isn't their only cool act of public service, either. I saw one of the Dutch guys presenting an interesting topic at Black Hat: How to preserve a powered on system during a raid using mouse jigglers and UPSes, and collecting forensic evidence while preserving chain of custody, good practical advice. The BH crowd eats that stuff for breakfast, but he was providing info that is useful to help train non-technical officers executing a warrant.

      --
      John
  6. Decryption even possible? by Anonymous Coward · · Score: 1

    I don't see why this is even an option. Randomly fry your files, claim encryption, hold for ransom, get money, vanish. It's not like they are operating legally anyway....

    1. Re:Decryption even possible? by Anonymous Coward · · Score: 0

      If they do that, then it will quickly spread that it is a scam and there is no point paying them. Sure not everyone will find that out before paying, but it would probably significantly reduce their potential income.

  7. Compare that to FBI's Bonavolonta by Anonymous Coward · · Score: 1

    http://finance.yahoo.com/news/fbi-recommends-pay-hackers-infect-185625373.html

    Joseph Bonavolonta, the Assistant Special Agent who oversees the FBI’s CYBER and Counterintelligence Program in Boston, spoke at the 2015 Cyber Security Summit and advised that companies infected with ransomware may want to give in to the criminal’s demands.

    “The ransomware is that good,” Bonavolonta explained to an audience of business and technology leaders during the Q&A. “To be honest, we often advise people just to pay the ransom.”