Dr.Web quietly decrypting TorrentLocker for paid customers or distributors

It appears that for the past 4 months, Dr.Web has been quietly decrypting TorrentLocker encrypted files for their paid customers. I am not going to begrudge a company for trying to make money off their hard work and would have happily referred victim's to their site to purchase a $30 USD license if it could get their files back. What I find strange, though, is the complete lack of public information about their ability to decrypt the files and their refusal to respond to queries by myself and other members of the security community.

 

Previous Analysis of the ransomware shows that each victim has its own unique AES decryption key that is used to decrypt their files. That would mean that the only way to decrypt encrypted files would be to have access to the decryption keys from TorrentLockers Command & Control server. Due to this, it came as a surprise when in May 2015, a member named Wallak posted that paying customers of Dr.Web products were able to get their files decrypted for free.
 

Ok guys, seems that Dr.Web Russian antivirus has a solution. Some of my web visitors have confirmed that buying some product (antivirus, internet security suite, etc...) customers have a FREE tool to decrypt the files (a DOC file must be sent to the experts to get back the KEY with their tool to decrypt).
It works, I checked it, and also the KEY the send put inside (patching) the decrypters from the pirates, also work, so it is the real KEY.

Wallak further stated that he heard about this from Dr.Web partners in Spain.
As this seemed suspicious that a well-known company would have the ability to help victims and was not making it public, we were suspicious of this post. I therefore decided to reach out to Dr. Web and try to get confirmation. I emailed them and explained how we are trying to get information about whether they could actually decrypt TorrentLocker files before we referred visitors to them. To my surprise, I received a response back from Boris Sharov, the CEO of Dr.Web, who said they do not classify ransomware by their name, but rather by their own designation. He said I could send some files in and someone would get back to me whether or not they could decrypt it. I sent some files, waited 10 days, emailed them again about it, and never heard back.

Today, someone else posted on BleepingComputer.com about an Italian site called www.decryptolocker.it that states that it can help get the decryption program for victims affected by TorrentLocker and CryptoL0cker. It further explains that they are a distributor of Dr.Web and are able to work with them to get a decryption program made if you send a couple of encrypted files in. This site does not require you to purchase a Dr.Web license.

 

A sample of one of these Dr.Web decryption programs called te225decrypt is shown below.

 

Overall, this whole revelation has been welcome, surprising, confusing, and suspicious all rolled into one. The fact that they never responded to queries from myself and others, never publicly announced that they were able to decrypt this ransomware, and we have only heard about it through distributors just feels odd.

Regardless, this is still welcome news for those affected by the TorrentLocker ransomware and we hope that you will be able to use Dr.Web to recover your files. As for Dr.Web, we would still love to see some official reply from them regarding this.

Hmm that does seem kind of odd!!

They're able to get the private key... How?

I can see why you find this suspicious. It conjures up some pretty crazy theories, at least in my mind. Personally, I hope those theories are all false, and they just have some really smart people working for them.

Something is off...

Maybe they found a weakness in the encryption. It wont be the first someone analyzed a malware and missed something that others saw. Just found it odd that never responded to queries regarding it.

Yeah kinda seems fishy to me. I mean why not advertise if you and you only have been able to break such encryption.

Creator and Saviour of the same affliction is not unheard of. Who knows but them.

Maybe they hacked the hackers and got the key that way

I do not think they are affiliated in any way with the malware devs. Dr.Web is a legit company. Just strange that so many people are affected by this ransomware and they have remained silent about it.

Hell, I wouldn't have cared as much if they said they could help, but people would have to buy a license of their software. At least it would have been a hell of a lot cheaper.

I know several people and 1 company that would have gladly paid Dr Web $ 100 for a license instead of paying the bad guys up to $1000.  It could be quite a little gold mine for them, Strange.

That just seems fishy to me...

 

Regardless, if it works and you really need your data, then I would pay the 100 bucks and pray it works (this is why backups on external drives are a good thing folks!)

I do not think they are affiliated in any way with the malware devs. Dr.Web is a legit company. Just strange that so many people are affected by this ransomware and they have remained silent about it.

Hell, I wouldn't have cared as much if they said they could help, but people would have to buy a license of their software. At least it would have been a hell of a lot cheaper.

The only reason I can think is that they would think that people would think badly of them for requiring people to buy a licence in order to decrypt file (rather than offering it for free), hence the keeping quiet.
 
xXToffeeXx~

   Fishy, maybe, but we do not know. Seems that I remember there were a couple of occasions when Crypto-criminals had holes in their programs and the discussion about it got into the open press. It was not long after that when there was a new unbreakable version of the malware. That was my initial thoughts and if that is Dr. Web's reason for not being forthcoming, they may be justified. Just saying. 

   As for trust, and I will not be disappointed if this post is pulled but, Dr. Web is not a company that I would endorse at the same level as MalwareBytes or Unchecky, lets say. However, the experience goes back to Win98SE/Me/early WinXP era and I have not researched it since then. I would never accuse them of being fully forthcoming and that may be the means they maintain some of the proprietary hold on their products.

   I would suggest that we should not convict Dr. Web without having solid evidence of malfeasance. If, in fact, they can break encryption of certain forms of ransomware, it leads me to believe that we do not understand the encryption as well as we should. It certainly compels me to investigate its vulnerabilities ever more profoundly. 

   If my business needed their assistance and the criminals had asked $1K for the key, I would gladly pay Dr. Web the same $1K or even $5K for a solution. The point is that when dealing with criminals, it leads to more blackmail or extortion. When dealing with legit companies, the fear of that is greatly relieved.

Fishy, maybe, but we do not know. Seems that I remember there were a couple of occasions when Crypto-criminals had holes in their programs and the discussion about it got into the open press. It was not long after that when there was a new unbreakable version of the malware. That was my initial thoughts and if that is Dr. Web's reason for not being forthcoming, they may be justified. Just saying.

There is one thing to say that we can decrypt it and another to explain how they are doing it. It was only those times that the companies actually released the flaw that the flaw was fixed. Those that just fixed without disclosing how, were not.

This is a good scoop!

 

Historically I have used Dr.Web a number of times to boot into and clean an infected machine. In this respect I hold them in high regard - tool works well.

 

The question that leaves a bad taste (that most may be thinking after reading this) is that as the origin of most underworld and these ransomware programs lead us back to russia, which is where the elephant in the room occurs. Dr.Web is a russian company so how are they obtaining the key in an ad-hoc fashion, and why are they content with helping out as long as they get a licence fee from the unfortunate issue..?

It seems logical in some way that they would keep this on the low. By announcing it loudly the flood of victims would pile up at their door and attract attention from the malware developers.

 

There's no shortage of people to assist with these infections, so just helping those they can rather than broadcasting their service might be more effective at helping people.