Ransomware Gives Victims A 'Late Pay' Option To Recover Files
November 4, 2013

Michael Harper for redOrbit.com - Your Universe Online

Some PC users have recently had their systems infected with a new batch of “ransomware,” a virus that holds files for ransom until the owner pays the creator of the software and receives a digital key. The owners of this new virus, called CryptoLocker, have been asking their victims to pay $300 to $700 within 96 hours. Failure to do so would result in files becoming lost forever, claimed the virus operators.

Now the security experts at Sophos say they’ve heard some victims are being given a second chance to have their files unlocked after the 96-hour window has passed, but at a hefty markup. What once cost 2 bitcoins now costs 10, and the new decryption method takes up to 24 hours to complete.

Many PC owners who had their files effectively kidnapped were not keen on being asked to pay to have their digital possessions returned to them. One redOrbit reader went into colorful detail in an email explaining how he/she would avoid paying the virus developers, saying: “I will format and re-install and in the absence of that I will tear the drive apart, destroy the platters and start over.”

Victims who had backups — particularly off-site backups — were reportedly able to wipe their machine clean and start again with a clean backup. However, some with automated backups could have found themselves backing up files that had been encrypted by the CryptoLocker virus, thereby making the backup less than helpful.
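The backup failure described above, as an added illustration that is not from the article or from Sophos: a guard that a backup job can run before it rotates a snapshot, flagging files whose contents have the near-random byte distribution of ciphertext. The entropy threshold, the sample size and the "more than 10% of files" rule are assumptions chosen for the example.

```python
"""Flag likely-encrypted files before an automated backup overwrites good copies.
Ciphertext is indistinguishable from random bytes, so its Shannon entropy sits
near 8 bits per byte; ordinary documents sit far lower."""
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumption, tune per file type
SAMPLE_BYTES = 4096       # the file head is enough to classify


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for an empty one)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    return shannon_entropy(data[:SAMPLE_BYTES]) >= threshold


def snapshot_verdict(files: dict, max_encrypted_ratio: float = 0.1):
    """Return (flagged_paths, allow_backup). The snapshot is held back when
    more than max_encrypted_ratio of the files look encrypted, which is how a
    ransomware run that already touched the share shows up in a backup job."""
    flagged = sorted(path for path, data in files.items() if looks_encrypted(data))
    allow = len(flagged) <= max_encrypted_ratio * max(len(files), 1)
    return flagged, allow


# Constructed sample share: two plain documents and one file whose contents
# were replaced by ciphertext (simulated with a seeded RNG, since real
# ciphertext is indistinguishable from random bytes).
rng = random.Random(2013)
SAMPLE_FILES = {
    "invoice.txt": b"Invoice 1042: 3 x widget @ 19.99, net 30 days.\n" * 40,
    "notes.txt": ("Meeting notes, 4 November 2013.\n" * 60).encode(),
    "report.docx.encrypted": bytes(rng.getrandbits(8) for _ in range(4096)),
}

if __name__ == "__main__":
    flagged, allow = snapshot_verdict(SAMPLE_FILES)
    print("flagged:", flagged, "| allow backup:", allow)
```

Compressed formats (zip, jpeg, docx) also score near 8 bits per byte, so treat a hit as a trigger for review or pair it with a change-rate check rather than blocking on entropy alone.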

There were some who said they simply paid the ransom to receive a key and unlock their files. At present it seems the malware operators are sticking to their word and handing over the decryption key once payment is received and not re-infecting machines once the ransom has been paid.

PC owners have been downloading the CryptoLocker ransomware after clicking on a link in an email they believe to be from DHS, FedEx, UPS and the like. The link supposedly leads to a PDF form that needs to be filled out, completed and kept in the office. Clicking it instead launches an executable file that downloads the virus to the PC. Once downloaded, CryptoLocker begins rooting through the user’s files and encrypting them with a method known as asymmetric encryption. In this method, the PC owner cannot decrypt the files unless they hold both the public and the private key. The private key, however, is held by the virus operator. Until recently, the operators claimed all private keys would be destroyed if payment was not made within 96 hours, thereby rendering all files locked with the public key forever scrambled.

“The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files,” reads the threat victims see after their files are initially locked up with CryptoLocker.

It seems the virus operators are going back on their word by offering the Decryption Service, but users who choose this option will be paying five times as much as was originally asked and will likely spend many hours waiting to access their files. The Decryption Service website claims the first 1024 bytes of every file the owner wishes to decrypt are sent to the CryptoLocker servers to find a match.

This, says Paul Ducklin of the Naked Security blog, essentially requires the virus operators to execute a brute force attack on themselves as they match each file’s information with what they have on record. It’s also suggested that the 24 hours does not count against the original 96 hours the operators enforce on their victims, meaning this is a last-chance option.

It’s still recommended, of course, to avoid paying the cyber-thieves at all costs. Though they have so far faithfully handed out private keys, paying them also confirms they have an effective business model and could encourage them to continue infecting computers.