Ransomware “Locker” automatically decrypts all affected files, after its creator is struck by conscience


New ransomware variants emerge regularly, but here is an odd story of a ransomware author who actually repented of his actions. The ransomware “Locker” was discovered and analyzed by Bleeping Computer with the help of the Emsisoft research team. Unlike other ransomware samples, Locker did not encrypt the user’s files immediately. Instead, it lay dormant until May 25th, after which it began its hideous operations. Like most other ransomware, Locker encrypts the user’s files and then demands payment in bitcoin. The ransom amount is also increased if the user fails to pay the original amount within a stated time. In a surprising turnaround, however, the creator of this ransomware posted an apology a few days after its release, promising that affected files on all infected computers would automatically be decrypted on 2nd June. Although it may sound bizarre, based on the reports, the automatic decryption did actually take place.

Ransomware infects system through a “daisy-chain” installation

As stated by Bleeping Computer:

“Locker appears to be installed via a dropper that creates a daisy-chain installation of various Windows services that ultimately launches the Locker screen.”

The primary dropper is placed in C:\Windows\Syswow64 with a random name. Then, a “Steg” service is created in C:\ProgramData\Steg. After that, Tor is installed in the Program Data folder in order to enable anonymous communication.

Finally, the locker user interface is launched with a random version number like Locker v1.7, Locker v3.5.3, Locker V2.16, or Locker V5.52.

Locker User Interface (Source- http://www.bleepingcomputer.com)

On a specific date and time (midnight, May 25th) the ransomware begins its operations and encrypts the victim’s data files. The malware also deletes all Shadow Volume Copies in order to prevent the user from restoring any of the encrypted files that way.
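The install chain described above leaves artifacts that a defender can correlate per host. The following detection logic is an added example, not code from Bleeping Computer or Emsisoft: the event tuple layout, host names and file names are constructed, and the shadow-copy deletion commands are common Windows ones assumed here because the article does not say which command Locker used.

```python
import re
from collections import defaultdict

# Constructed sample events (host, event kind, image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("PC-01", "service_install", r"C:\Windows\SysWOW64\qkzvtrw.exe", ""),
    ("PC-01", "service_install", r"C:\ProgramData\Steg\steg.exe", ""),
    ("PC-01", "process_start", r"C:\ProgramData\Tor\tor.exe", ""),
    ("PC-01", "process_start", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    ("PC-02", "process_start", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin list shadows"),
    ("PC-02", "service_install", r"C:\Windows\System32\spoolsv.exe", ""),
]

# Service binary sitting directly in SysWOW64 (a weak signal on its own).
SYSWOW64_EXE = re.compile(r"c:\\windows\\syswow64\\[^\\]+\.exe", re.I)
# Anything running from the Steg folder named in the article.
STEG_DIR = re.compile(r"c:\\programdata\\steg\\", re.I)
# A Tor binary anywhere under ProgramData.
TOR_EXE = re.compile(r"c:\\programdata\\(?:[^\\]+\\)*tor\.exe", re.I)
# Assumed commands: the article does not say how Locker deletes shadow copies.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|shadowcopy\s+delete", re.I)

def stages_for(kind, image, cmdline):
    """Return the install-chain stages that a single event matches."""
    found = set()
    if kind == "service_install" and SYSWOW64_EXE.fullmatch(image):
        found.add("dropper_service")
    if STEG_DIR.match(image):
        found.add("steg_path")
    if TOR_EXE.fullmatch(image):
        found.add("tor")
    if SHADOW_DELETE.search(cmdline):
        found.add("shadow_delete")
    return found

def locker_stages(events):
    """Map each host to the set of stages seen on it (hosts with none are omitted)."""
    per_host = defaultdict(set)
    for host, kind, image, cmdline in events:
        per_host[host] |= stages_for(kind, image, cmdline)
    return {h: s for h, s in per_host.items() if s}

def suspect_hosts(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages, to cut false positives."""
    return sorted(h for h, s in locker_stages(events).items() if len(s) >= min_stages)
```

Requiring two or more stages matters because a service binary in SysWOW64 or a shadow-copy deletion can each occur legitimately; the combination on one host is what resembles the chain described here.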

Malware author demands ransom and then offers apology and free decryption!

The demanded ransom was 0.1 bitcoin, which is only about US$ 22, but the amount was increased to 1 bitcoin (ten times the original) if the payment was not made within 72 hours. However, the story didn’t end there. In a surprising turn of events, the creator of the ransomware actually posted a public apology on Pastebin on 30th May. The post stated:

“I am the author of the Locker ransomware and I’m very sorry about that has happened. It was never my intention to release this.
I uploaded the database to mega.co.nz containing “bitcoin address, public key, private key” as CSV. This is a dump of the complete database and most of the keys weren’t even used. All distribution of new keys has been stopped.”

The hacker also promised that automatic decryption would commence on all affected systems soon, and it turns out that actually did happen. This was the decryption message window:

Decryption message (Source- http://www.bleepingcomputer.com)

This kind of behavior gives rise to several interesting questions. Was the hacker really struck by conscience? Was the release of the malware truly unintentional? Or did the hacker simply realize that the plan wasn’t foolproof and may have backfired if not withdrawn?

Either way, the good news is, there is one less ransomware for users to worry about and the already affected victims are getting an easy escape.

The threats posed by ransomware and best policies to help avoid them

Ransomware is one of the fastest growing malware families, with several new variants coming up regularly. Given the direct monetary benefit, this is not a surprise. Research shows that some of the popular ransomware variants end up earning over US$ 2000. The crooks behind such threats make enormous profits, thus fueling their malicious intentions. Most users pay the attackers out of fear of losing their precious files. Your data is valuable, but the key is not to get trapped in this hostage scenario in the first place. Below are some tips to help avoid such an undesirable situation:

Although there are decryptors for many ransomware variants, prevention is always better than cure.

Have a nice (ransomware-free) day!

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.
