Ransomware “Locker” automatically decrypts all affected files, after its creator is struck by conscience

16933625_sNew ransomware variants emerge regularly but here is an odd story of a ransomware author who actually repented his actions. The ransomware “Locker” was discovered and analyzed by Bleeping Computer with the help of the Emsisoft research team. Unlike other ransomware samples, Locker did not encrypt the files of the user immediately. Instead, it lay dormant until May 25th after which it began its hideous operations. Like most other ransomware, Locker encrypts the user’s files and then demands payment in bitcoin. The ransom amount is also increased if the user fails to pay the original amount within a stated time. In a surprising turnaround however, the creator of this ransomware posted an apology a few days after its release, promising that affected files on all infected computers would automatically be decrypted on 2nd June. Although it may sound bizarre, based on the reports, the automatic decryption did actually take place.

Ransomware infects system through a “daisy-chain” installation

As stated by Bleeping Computer:

“Locker appears to be installed via a dropper that creates a daisy-chain installation of various Windows services that ultimately launches the Locker screen.”

The primary dropper is placed in C:\Windows\Syswow64 with a random name. Then, a “Steg” service is created in C:\ProgramData\Steg. After that, tor is installed in the Program Data folder in order to enable anonymous communication.

Finally, the locker user interface is launched with a random version number like Locker v1.7, Locker v3.5.3, Locker V2.16, or Locker V5.52.

Locker User Interface (Source- http://www.bleepingcomputer.com)

On a specific date and time (midnight, May 25th) the ransomware begins its operations and encrypts the victim’s data files. The malware also deletes all Shadow Volume Copies in order to prevent the user from restoring any of the encrypted files that way.

Malware author demands ransom and then offers apology and free decryption!

The demanded ransom was 0.1 bitcoin, which is only about US$ 22 but the amount was increased to 1 bitcoin (ten times the original) if the payment was not made within 72 hours. However, the story didn’t end there. In a surprising turn of events, the creator of the ransomware actually posted a public apology on pastebin on 30th May. The post stated:

“I am the author of the Locker ransomware and I’m very sorry about that has happened. It was never my intention to release this.
I uploaded the database to mega.co.nz containing “bitcoin address, public key, private key” as CSV. This is a dump of the complete database and most of the keys weren’t even used. All distribution of new keys has been stopped.”

The hacker also promised that automatic decryption would commence on all affected systems soon, and it turns out that actually did happen. This was the decryption message window:

LockerDecrypt_LOB

Decryption message (Source- http://www.bleepingcomputer.com)

This kind of behavior gives rise to several interesting questions. Was the hacker really struck by conscience? Was the release of the malware truly unintentional? Or did the hacker simply realize that the plan wasn’t foolproof and may have backfired if not withdrawn?

Either way, the good news is, there is one less ransomware for users to worry about and the already affected victims are getting an easy escape.

The threats posed by ransomware and best policies to help avoid them

Ransomware is one of the fastest growing malware families, with several new variants coming up regularly. Given the direct monetary benefit, this is not a surprise. Research shows that some of the popular ransomware variants end up earning over US$ 2000. The crooks behind such threats make enormous profits, thus fueling their malicious intentions. Most users pay the attackers out of fear of losing their precious files. Your data is valuable, but the key is to not to get trapped in this hostage scenario in the first place. Below are some tips to help avoid such an undesirable situation:

  • Do not let cybercriminals use your data as hostage. Keep regular backups of your important files in external storage drives. For smaller files you can also use cloud storage.
  • Always keep your anti-malware program up to date with realtime protection turned on. Ransomware programs are detected by security products and will be blocked automatically.
  • Do not run unknown executables. Since these types of files can make major changes to your system, it is always a good idea to think twice before running them.
  • Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

Although there are decryptors for many ransomware variants, prevention is always better than cure.

Have a nice (ransomware-free) day!

  • Sachin

    it doesnt work for me decrypt the files.Bogus for me

  • Josh Javage

    SandBoxie well worth the investment.