By Ron Benvenisti for TLS: Referring to last week’s Brick Police article: if your computer has been compromised and you can no longer access important files, go here: https://decryptcryptolocker.
For free keys designed to unlock systems infected by CryptoLocker.
CryptoLocker is a ransomware trojan which targets computers running Microsoft Windows and was first observed by Dell SecureWorks in September 2013. A CryptoLocker attack may come from various sources; one such vector is a malicious file disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware’s operators, for a significantly higher price in Bitcoin.
Although CryptoLocker itself is readily removed, files remain encrypted in a way which researchers have considered infeasible to break. Many said that the ransom should not be paid, but did not offer any way to recover files; others said that paying the ransom was the only way to recover files that had not been backed up. Payment of the ransom did not always lead to the files being decrypted.
In late May 2014 law enforcement agencies and security companies seized a network of hijacked computers used to spread both CryptoLocker and Gameover Zeus, in what was called “Operation Tovar”. The criminals attempted to send a copy of their database to a safe location, but it was intercepted by agencies already in control of part of the network. Russian national Evgeniy Bogachev, aka “lucky12345” and “slavik”, was charged by the US FBI with being the ringleader of the gang behind Gameover Zeus and CryptoLocker. The database indicates the scale of the attack, and makes decryption of CryptoLocked files possible.
In August 2014 the security firms involved in the shutdown, Fox-IT and FireEye, created a portal, called Decrypt Cryptolocker, which allows any of the 500,000 victims to find the key to unlock their files. Victims need to submit an encrypted file that contains no sensitive information, which allows the portal’s operators to deduce which encryption key was used. It is possible that not all CryptoLocked files can be decrypted, and files encrypted by other ransomware are not covered.
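The two paragraphs above make a cryptographic point worth seeing in code: files locked with a public key cannot be opened without the matching private key, but once a database of those private keys is seized, a recovery service only needs one sample file to work out which key to apply. The following Python is an added toy model of that recovery step; it is not code from this post, from Fox-IT or FireEye, and it is not CryptoLocker’s actual file format, which the post does not describe. Every detail is an assumption: a hybrid scheme in which each file gets a random key wrapped with the operator’s RSA public key, a header carrying a SHA-256 fingerprint of that public key so the service can match it against the seized keys, 512-bit RSA generated in pure Python (far too small for real use) and a SHA-256 counter keystream standing in for a real cipher. Without a matching key `recover_file` returns `None`, which is the situation victims were in before the seizure.

```python
"""Toy model of key identification and recovery from a seized key database.
Assumed file layout (not CryptoLocker's): fingerprint(32) | wrapped_len(2) | wrapped | body."""
import hashlib
import os
import random

KEY_BITS = 512   # toy size so pure-Python key generation stays fast
E = 65537        # public exponent (prime, so gcd check below is a simple modulus test)


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test (random bases; fine for a toy)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=KEY_BITS):
    """Return (public, private). The private half never leaves the 'operator'."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:   # E prime, so this guarantees gcd(E, phi) == 1
            break
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def key_fingerprint(n):
    """SHA-256 of the modulus; stored in the toy header to identify the key used."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


def _keystream(key, length):
    """Toy CTR-style keystream: SHA-256(key || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_file(plaintext, public):
    """Hybrid scheme: random per-file key, wrapped under the RSA public key (textbook RSA, toy only)."""
    file_key = os.urandom(32)                       # 256-bit value, always smaller than the 512-bit n
    n, e = public["n"], public["e"]
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    wrapped_bytes = wrapped.to_bytes((n.bit_length() + 7) // 8, "big")
    header = key_fingerprint(n) + len(wrapped_bytes).to_bytes(2, "big") + wrapped_bytes
    return header + _xor(plaintext, _keystream(file_key, len(plaintext)))


def identify_key(blob, seized_private_keys):
    """The portal's step: match the sample's fingerprint against the seized key database."""
    fingerprint = blob[:32]
    for priv in seized_private_keys:
        if key_fingerprint(priv["n"]) == fingerprint:
            return priv
    return None


def recover_file(blob, seized_private_keys):
    """Unwrap the file key with the matched private key, or None if no key matches."""
    priv = identify_key(blob, seized_private_keys)
    if priv is None:
        return None                                 # no private key: infeasible to break
    wlen = int.from_bytes(blob[32:34], "big")
    wrapped = int.from_bytes(blob[34:34 + wlen], "big")
    file_key = pow(wrapped, priv["d"], priv["n"]).to_bytes(32, "big")
    body = blob[34 + wlen:]
    return _xor(body, _keystream(file_key, len(body)))


if __name__ == "__main__":
    pub, priv = generate_keypair()
    _, unrelated_priv = generate_keypair()
    sample = b"constructed sample document"
    locked = encrypt_file(sample, pub)
    print("without the right key:", recover_file(locked, [unrelated_priv]))
    print("with seized database:  ", recover_file(locked, [unrelated_priv, priv]))
```

Two things the toy makes visible: the victim's sample reveals only which key was used, not the key itself, so submitting a non-sensitive file costs nothing; and a database of the wrong keys (another campaign, another ransomware family) matches nothing, which is why the portal cannot promise to recover every file.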
FireEye has over 2,200 customers across more than 60 countries, including over 130 of the Fortune 500.
Thanks a million for the info ….