
CryptoLocker developers charge 10 bitcoins to use new Decryption Service


64 replies to this topic

#1 Grinler


    Lawrence Abrams



Posted 02 November 2013 - 07:21 AM

The developers behind the file encrypting ransomware called CryptoLocker launched yesterday a dedicated decryption service that allows you to purchase the decryption key for encrypted files. The price for the decryption key, though, has been significantly increased from 2 bitcoins to 10 bitcoins. With the current price of bitcoins at around $212 USD the ransom has increased from around $400 USD to over $2,100 USD.
 

[Image: decryption-service.jpg]


For those users who are affected by CryptoLocker and did not have a backup, trying to pay the ransom has been a difficult process. This is because antivirus programs remove the infection or the registry key that is required to pay the ransom and decrypt the files. It appears that the malware developers were listening, as they have now implemented a decryption service that is designed to look like a customer support site. This service is available by connecting directly to a Command & Control server's IP address or hostname or through Tor via the f2d2v7soksbskekh.onion/ address.

Infected users can use this service to upload a CryptoLocker encrypted file and have your "order" looked up. If your order is found, it will display the date that your computer was infected and your public key. It will then prompt you to purchase the private key by sending 10 bitcoins or approximately $2,120 USD. Once a payment is made it must have 10-15 bitcoin confirmations before your private key and a decrypter will be made available for download. They further state that if you have previously paid the ransom, they will provide the private key and decrypter to you for free.
 

[Image: decryption-server-order-found.jpg]


In the past, users were able to use the main CryptoLocker program to decrypt their files by paying 2 bitcoins. If an AV program deleted the infection, as long as they had the required registry key, they could download the infection as a file called 0388.exe and run it again to pay the ransom. At this time, the 0388.exe files are no longer available for download. Due to this, it is unsure as of yet if this new decryption service, and the price of 10 bitcoins, will become the new cost of decryption if the infection is removed.

More information about this infection can be found in the CryptoLocker Ransomware Information Guide and FAQ.

Update: 11/4/2013:

The decryption service now still allows you to pay 2 bitcoins during your normal 3 day timer period. After that period, the price increases to 10 bitcoins.

[Image: new-decryption-order.jpg]


 


#2 jgg


Posted 02 November 2013 - 06:04 PM

Wow! Whoever these guys are, they certainly know how to get the most bang per buck.

Basically if you don't have a backup in place, and are running Windows XP, therefore unable to run Shadow Explorer, and your antivirus has removed the virus, it's going to cost you a small fortune if you want your data back.

 

Unbelievable..



#3 Fremont PC


Posted 02 November 2013 - 10:16 PM

Not even VSS covers all your files, just those that you've recently changed. Backups with offsite copies are the best fallback position, and you'd better be able to go back further than a week.

 

Has anybody worked up the economic impact spectrum on this? Has anyone heard of any major corps being hit with this, or is it more SMBs?



#4 CrankyFrank


Posted 03 November 2013 - 10:12 AM

I work with some large businesses out there that do not have a data backup plan or disaster recovery. This is scary. I see the CL developers becoming very rich from this.



#5 Fremont PC


Posted 03 November 2013 - 10:38 AM

"I work with some large businesses out there that do not have a data backup plan or disaster recovery."

 

That... is insane. They could have at least SOME kind of data backup for what would to them be pocket change. 



#6 kenjancef


Posted 04 November 2013 - 08:29 AM

"I work with some large businesses out there that do not have a data backup plan or disaster recovery. This is scary. I see the CL developers becoming very rich from this."

 

I have been in IT support for over 13 years, and it's hard to believe that in this day and age that large businesses don't have ANY sort of backup/disaster plan in place. The first thing we would do with new clients is prepare some sort of backup routine, and make DEFINITELY sure that we use a program that would send us daily alerts of the status of the backups. Sure it clogged our email boxes at times, but it's nice to see when backups fail so we can get on it and fix it.

 

And now with this crap out there it makes it worse. At home on my wife's computer I have a 64GB thumb drive that I use for her backups, that way there is no drive letter available for the backup until I actually connect the drive. Luckily she doesn't have much data. I use a Mac, so I'm all set, for now.....

 

I just can't believe how nasty this infection is. I've been dealing with viruses since the 90's. I used to have a floppy (does anyone even know what that is anymore...?) that had a bunch of infections on it for testing, like the Cascade virus, and it's just amazing how much this crap has progressed.

 

I'll keep reading these forum posts about Cryptolocker just in case I find anyone infected. Thanks to all of you for the information!!!

 

Ken



#7 Grinler


Posted 04 November 2013 - 08:39 AM

In consulting, I found one of the hardest services to get a client to invest in was adequate backup and security. These services are typically only focused on after some disaster strikes.

The huge problem with this infection is that many of the more affordable backup services simply backup the original file to an external drive and then create delta files going forward that contain the versioning information. As these external drives are mounted, CryptoLocker will encrypt the original backed up files on the external drive and thus make the versioning useless as they don't have a good baseline file to restore from.

The only true backup solution that will protect you from this is possibly tape drives, NAS drives that are connected via UNC paths, backups that store the files in a database or change the file extension, or cloud based backups.

Does anyone know of backup software that stores files on external drives without copying and making the original file, including their regular extension, available?
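
The failure described in this post, where the baseline copy on a mounted drive is altered and the later deltas become useless, can be noticed before a restore is attempted by keeping a hash manifest of the baseline somewhere other than the backup drive. The following is an added example that is not part of the thread; it goes beyond the post (which does not mention hashing), and the function names, file names and sample data are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash in chunks so large backup files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root):
    """Map each baseline file (path relative to the root) to its hash."""
    root = Path(backup_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_baseline(backup_root, manifest):
    """Compare the drive's current contents with the manifest taken at backup time."""
    current = build_manifest(backup_root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed sample: a tiny baseline whose files change after the manifest is taken."""
    with tempfile.TemporaryDirectory() as drive, tempfile.TemporaryDirectory() as safe:
        root = Path(drive)
        (root / "docs").mkdir()
        (root / "docs" / "report.doc").write_bytes(b"quarterly report")
        (root / "photo.jpg").write_bytes(b"holiday photo")
        (root / "ledger.xls").write_bytes(b"ledger")
        # Keep the manifest off the backup drive (here: a second temp directory).
        manifest_path = Path(safe) / "baseline-manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(root), sort_keys=True))
        # Later: one baseline file is overwritten in place and another disappears.
        (root / "docs" / "report.doc").write_bytes(b"\x8f\x02unreadable bytes")
        (root / "ledger.xls").unlink()
        (root / "notes.txt").write_bytes(b"new file")
        return verify_baseline(root, json.loads(manifest_path.read_text()))
```

Any entry under "modified" or "missing" means the baseline on that drive can no longer be trusted as the starting point for the versioned deltas.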

#8 kenjancef


Posted 04 November 2013 - 09:08 AM

Very true about backups. We would always ask new clients what their backup strategy is, and the most common reply was that they didn't have one, or they would backup maybe once a week or so. So if they couldn't afford a full-featured backup solution, we would just do our best with what they had, which almost always involved an external drive with a drive letter mapping. Won't help much with Cryptolocker though...

 

I read someone mentioning the Windows Backup on Windows servers, and that they don't require a drive letter. Before I left the IT job I had a few years ago we were messing with that, and I would think it would work since there is no drive letter mapping involved. But in any server installation we did tape backups, so that helped as well.

 

Automation is very important too, because even now the last thing on any employee's mind is backups, so to have them do it manually is pretty much useless. If the client wanted an external drive, we would set up a program like GoodSync to automate the backups. Again, we had to pretty much do with what they had, or what they would pay for, no matter how much we begged them for a better solution.

 

Then there is the subject of educating the employees about attachments....

 

A never-ending battle....



#9 Grinler


Posted 04 November 2013 - 10:34 AM

"Then there is the subject of educating the employees about attachments....

A never-ending battle...."


Agreed. Backups and education would make this infection a non-issue.

#10 rosseloh


Posted 04 November 2013 - 10:57 AM

"Has anybody worked up the economic impact spectrum on this? Has anyone heard of any major corps being hit with this, or is it more SMBs?"

 

I won't be surprised if this changes or has changed, but two weeks ago we had one of our customers get hit by Crypto. One lady opened the attachment, and nothing happened (since it encrypts silently), then forwarded it to a coworker and asked if she could try it too.

 

The upside - they were only encrypted once, which is why I wanted to comment. I think there's a safeguard built in that prevents multiple encryptions on the same static IP, at least if it's in a short time frame. This leads me to believe that big corporations may have been hit, but it wasn't as big as it could have been since these companies were smart and only part of their stuff got encrypted - and only by one user.

 

I'm just guessing here, of course. I have no evidence either way.

 

 

 

"Then there is the subject of educating the employees about attachments....

A never-ending battle...."

"Agreed. Backups and education would make this infection a non-issue."

 

 

This is especially fun at our shop since we aren't IT for any one company, but many of them around town. About all we can do is send out a warning email and hope they take our advice on getting a good backup solution at some point.



#11 kenjancef


Posted 04 November 2013 - 11:02 AM


"This is especially fun at our shop since we aren't IT for any one company, but many of them around town. About all we can do is send out a warning email and hope they take our advice on getting a good backup solution at some point."

 

 

I used to be a tech for a small IT company that has about 40-50 clients, but now I am IT for a school system. Not sure which one is worse... lol... And I just started at the school system so still learning about their infrastructure. So far we've had no hits, which is good... and the IT staff here seems good, so as of now I'm thinking they have proper plans in place.


Edited by kenjancef, 04 November 2013 - 11:03 AM.


#12 raj1234


Posted 04 November 2013 - 11:25 AM

    We paid originally and it decrypted files. But some files are still encrypted. I tried tor project and uploaded the file. After this, within a minute it came up saying "This file is not encrypted, Please select another file"

 

    Has Virus damaged our files, permanently?



#13 Grinler


Posted 04 November 2013 - 11:43 AM

Hi Raj,

I wish I could help you further, but unfortunately I have no further insight other than what I reported. Have you tried multiple files?

#14 raj1234


Posted 04 November 2013 - 11:47 AM

Basically,  I have tried multiple files, which are still encrypted, but same message.

 

On the other hand if I try a file that was originally encrypted and later decrypted, in its encrypted form, it does process the order. But it's of no use, as we have already decrypted these files.

 

Do you know if there is a tool for the older version of CryptoLocker? We tried the 0388 tool, with private and public key already.



#15 Grinler


Posted 04 November 2013 - 11:57 AM

I have an older version. I will pm you privately. Make sure all decrypted files are backed up and that you are not connected to any mapped network shares when you run it.



