Slashdot Mirror


CoinVault and Bitcryptor Ransomware Victims Can Now Recover Their Files For Free (itworld.com)

itwbennett writes: 'Researchers from Kaspersky Lab and the Dutch Public Prosecution Service have obtained the last set of encryption keys from command-and-control servers that were used by CoinVault and Bitcryptor,' writes Lucian Constantin. 'Those keys have been uploaded to Kaspersky's ransomware decryptor service that was originally set up in April with a set of around 750 keys recovered from servers hosted in the Netherlands.'

14 of 32 comments

  1. Pretty Amazing Really by SumDog · Score: 4, Interesting

    I've never been hit by one of these, but I realize it can cost people a lot of money due to some shitheads. I'm really glad a lot of these keys have been found and made public. I'm sure this won't be the end of ransomware...people will just use new keys, but hopefully this will help some of those who have clicked on a not-a-flash upgrade or bad e-mail attachment.

    1. Re:Pretty Amazing Really by Zocalo · Score: 4, Interesting

      While it's a worthy effort, I suspect that it's mostly just a PR stunt though since I doubt very many people will actually be able to use these keys to avoid paying the ransom, given that the criminals will indeed switch to new keys pretty much overnight, potentially re-encrypting any data on PCs they have already compromised in the process if they can re-establish control via other C&C servers. Of the potential victims that could benefit from this, once you've eliminated those who have already paid the ransom, written off their data and started over, or were fortunate enough to have good backups to restore from, are there *really* going to be that many left who will also be capable of finding the site with the decryption tools on it? That we don't hear the security companies trumpeting the numbers of successful decryptions using recovered keys like these makes me think that there are probably not all that many.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:Pretty Amazing Really by Xenna · Score: 4, Insightful

      "While it's a worthy effort, I suspect that it's mostly just a PR stunt though since I doubt very many people will actually be able to use these keys to avoid paying the ransom, given that the criminals will indeed switch to new keys pretty much overnight, potentially re-encrypting any data on PCs they have already compromised in the process if they can re-establish control via other C&C servers."

      AFAIK the guys who did it are now in jail, which makes it a lot harder to change keys. Even if they didn't catch them all, the remaining bad guys may want to lay low for a while.

      So, it looks pretty much like a success to me. Locking these guys up and retrieving the keys is pretty much the best you can do in such a case.

    3. Re:Pretty Amazing Really by nogginthenog · Score: 2

      Had quite a few customers hit with these. One was running a legacy xBase app and it even encrypted the DBF files! Luckily they had a backup only a few hours old.

    4. Re:Pretty Amazing Really by Zocalo · Score: 2

      I'm not saying it's not a success or worth doing, just that it's perhaps not *quite* the degree of success that it might seem. Keeping in mind that there are likely to be lots of groups trying out this kind of scam, each using their own sets of keys and potentially also distributing them across multiple C&C servers to help mitigate against this kind of countermeasure, then the number of victims for a given C&C server is likely to be quite low to start with. According to the site itself there are around 15,000 keys in total (the 750 mentioned in TFA was just the initial batch), although that might not correspond in any meaningful way with the number of victims or files that have been encrypted. What I'm hoping for is that Kaspersky will follow up on this with some indication of how many of those ~15,000 keys are actually used by victims of the gang to successfully recover their data, how many unique victims they identified, how many files were recovered, and so on.

      --
      UNIX? They're not even circumcised! Savages!
    5. Re:Pretty Amazing Really by muphin · Score: 2

      The way ransomware works is it encrypts your files, sends the key to a C&C server, then deletes itself so it cannot be intercepted and the key reverse engineered.
      So the criminals won't be able to encrypt the files as there's no way to communicate with the infected machine.

      --
      It's not a typo if you understood the meaning!
    6. Re:Pretty Amazing Really by Impy the Impiuos Imp · Score: 2

      I've never been hit by one of these, but I realize it can cost people a lot of money due to some shitheads. I'm really glad a lot of these keys have been found and made public. I'm sure this won't be the end of ransomware...people will just use new keys, but hopefully this will help some of those who have clicked on a not-a-flash upgrade or bad e-mail attachment.

      I hope they recovered the keys from the shitheads using this technique.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    7. Re:Pretty Amazing Really by Slashdot Junky · Score: 2

      Shooting would be a problem when bad intel results in a raid of the wrong place. Plus, a dead bad guy can't assist the investigation until we can download the brain.

      --
      .
      Landfill Mining Co.
      Managing the (Un)natural Resources of Tomorrow
    8. Re:Pretty Amazing Really by Xenna · Score: 2

      Again AFAIK these schemes install a trojan on your system which generates a unique private/public key pair. The private key is sent to the C&C server and stored while the public key is used to encrypt the data and discarded after use. They could even use symmetric encryption since key exchange is not a big problem in this scenario. In any case a new key is generated for each victim and sent back to the C&C server. If this is true, the 15000 keys would correspond to the number of victims (not files).
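
The recovery side of the scheme Xenna describes (one key per victim, held on the C&C server and later recovered by investigators), written up here as an added example; it is not code from the original thread, from Kaspersky, or from the malware. The key table, the victim IDs, the container format and the cipher are all constructed for the demo: HMAC-SHA256 in counter mode stands in for whatever cipher the real families used, and an HMAC tag lets the tool refuse a mismatched key instead of writing garbage over a victim's files. The report function tallies recovered/missing/failed outcomes, the kind of figure Zocalo asks for above.

```python
import hashlib
import hmac
import struct

# Constructed key table standing in for per-victim keys recovered from seized
# C&C servers. Real recovered keys are not on the page; these are demo values.
RECOVERED_KEYS = {
    "victim-0001": hashlib.sha256(b"demo-key-0001").digest(),
    "victim-0002": hashlib.sha256(b"demo-key-0002").digest(),
}

MAGIC = b"DEMOENC1"   # hypothetical container marker, not the malware's
NONCE_LEN = 16
TAG_LEN = 32          # SHA-256 HMAC


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (demo only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkey(key, label):
    # Derive separate encryption and authentication keys from the per-victim key.
    return hmac.new(key, label, hashlib.sha256).digest()


def make_sample(victim_id, key, plaintext, nonce):
    # Builds a sample encrypted container for the demo: header | nonce | ct | tag.
    vid = victim_id.encode()
    header = MAGIC + struct.pack(">H", len(vid)) + vid
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), header + nonce + ct, hashlib.sha256).digest()
    return header + nonce + ct + tag


def parse_container(blob):
    # Splits a container into its fields; the victim ID is the key-table lookup handle.
    if not blob.startswith(MAGIC):
        raise ValueError("not a recognised container")
    (vid_len,) = struct.unpack(">H", blob[8:10])
    vid = blob[10:10 + vid_len].decode()
    header = blob[:10 + vid_len]
    rest = blob[10 + vid_len:]
    if len(rest) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated container")
    return vid, header, rest[:NONCE_LEN], rest[NONCE_LEN:-TAG_LEN], rest[-TAG_LEN:]


def recover(blob, key_table):
    # Returns (plaintext, status). Plaintext is None unless the key is present
    # and the tag verifies, so a wrong key never yields a silently corrupt file.
    vid, header, nonce, ct, tag = parse_container(blob)
    key = key_table.get(vid)
    if key is None:
        return None, "no recovered key for " + vid
    expected = hmac.new(_subkey(key, b"mac"), header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None, "authentication failed for " + vid + "; key mismatch or file damaged"
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)), "ok"


def recovery_report(blobs, key_table):
    # Tallies outcomes across many containers: recovered, missing key, failed tag.
    counts = {"recovered": 0, "missing_key": 0, "failed": 0}
    for blob in blobs:
        pt, status = recover(blob, key_table)
        if pt is not None:
            counts["recovered"] += 1
        elif status.startswith("no recovered key"):
            counts["missing_key"] += 1
        else:
            counts["failed"] += 1
    return counts


if __name__ == "__main__":
    sample = make_sample("victim-0001", RECOVERED_KEYS["victim-0001"], b"quarterly report", b"\x00" * NONCE_LEN)
    print(recover(sample, RECOVERED_KEYS))
```

The design point is the tag check: a decryptor that is handed thousands of recovered keys must be able to tell a wrong key from a right one before it touches the victim's data, which is why the authentication step runs before any plaintext is produced.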

    9. Re:Pretty Amazing Really by f3rret · Score: 2

      I've never been hit by one of these, but I realize it can cost people a lot of money due to some shitheads. I'm really glad a lot of these keys have been found and made public. I'm sure this won't be the end of ransomware...people will just use new keys, but hopefully this will help some of those who have clicked on a not-a-flash upgrade or bad e-mail attachment.

      The droppers for these things are usually based in websites, no clicking on sketchy attachments required. Simply a plausible(ish) looking e-mail from a plausible(ish) sounding organization with a link to a site that will use a browser exploit of some kind and drop the thing onto the computer.

      --
      Admit nothing. Deny Everything. Make Counter-accusations.
  2. Hats off to Kaspersky by Anonymous Coward · Score: 3, Interesting

    They are truly good guys. Most of their competitors, F-Secure being the exception I guess, would have charged money for this service, or not even have bothered in the first place.

  3. Re:750 keys by p.g.king · Score: 5, Informative
  4. Much Respect! by JustAnotherOldGuy · Score: 3, Insightful

    A big salute to the people at Kaspersky Labs and the Dutch Public Prosecution Service.

    Talk about earning goodwill, these guys (and gals) just banked a mountain of it as far as I'm concerned.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Much Respect! by plover · Score: 4, Interesting

      This certainly isn't their only cool act of public service, either. I saw one of the Dutch guys presenting an interesting topic at Black Hat: how to preserve a powered-on system during a raid using mouse jigglers and UPSes, and collecting forensic evidence while preserving chain of custody; good practical advice. The BH crowd eats that stuff for breakfast, but he was providing info that is useful to help train non-technical officers executing a warrant.

      --
      John