Security Corner

Aug 7 2014   1:53PM GMT

Site recovers files locked by Cryptolocker ransomware

Ken Harthun


A new website has been launched that victims of the Cryptolocker malware can use to recover their files for free instead of paying the cybercrooks’ ransom.

From Krebs on Security:

…early Wednesday morning, two security firms – Milpitas, Calif. based FireEye and Fox-IT in the Netherlands – launched, a site that victims can use to recover their files.

The Cryptolocker malware was first spotted in September 2013. It uses very strong encryption to lock Microsoft Office documents, photos, MP3 files, and other files that victims may value. The unfortunate victims of the malware were faced with paying a steep ransom–usually starting at a few hundred dollars in bitcoins–to the cybercrooks. Victims were given 72 hours to pay; if they didn’t make payment in time, the ransom demand increased by five times or more, often amounting to several thousand dollars.

Only about 1.3% of victims ever paid the ransom, so most of them probably lost all of their important files. Even with so few paying, given that the number of infected systems is probably in the six figures, the crooks made (and are probably still making) huge profits: 1,300 payments of $300 USD (the minimum payment) per 100,000 infections comes to $390,000.

The site provides a free new online service that can help victims unlock and recover files scrambled by the malware.

Victims need to provide an email address and upload just one of the encrypted files from their computer, and the service will email a link that victims can use to download a recovery program to decrypt all of their scrambled files.

According to Krebs, Fox-IT was able to recover the private keys that the cybercriminals were using to run their own decryption service. The firms naturally aren’t saying much about how they got their hands on the keys, but it apparently had something to do with the crooks’ attempts to recover from Operation Tovar, “an international effort in June that sought to dismantle the infrastructure that CryptoLocker used to infect PCs.”

However they did it, I say good for them. Hit the crooks where it counts–their wallets.
