Ransomware Creator Apologizes For "Sleeper" Attack, Releases Decryption Keys
colinneagle writes: Last week, a new strain of ransomware called Locker was activated after having been sitting silently on infected PCs. Security firm KnowBe4 called Locker a "sleeper" campaign that, when the malware's creator "woke it up," encrypted the infected devices' files and charged roughly $24 in exchange for the decryption keys. This week, an internet user claiming to be the creator of Locker publicly apologized for the campaign and appears to have released the decryption keys for all the devices that fell victim to it, KnowBe4 reported in an alert issued today. Locker's creator released this message in a PasteBin post, along with a link to a file hosted on Mega.co containing the decryption keys. The malware creator also said that an automatic decryption process for all devices that were affected by Locker will begin June 2nd.
However, the post did not mention anything about providing a refund to victims who paid the 0.1 bitcoin (equal to $22.88 at the time this was posted and about $24 last week) required for the decryption keys since last week. KnowBe4 CEO Stu Sjouwerman says the files released do not appear to be malicious after brief analysis, and that "it does contain a large quantity of RSA keys and Bitcoin addresses." But he warned those interested to only open these files "at your own risk until further analyses are performed." Sjouwerman speculated that the malware creator may have been spooked by attention from law enforcement or Eastern European organized crime syndicates that are behind most ransomware campaigns.
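The summary says the released file "does contain a large quantity of RSA keys and Bitcoin addresses" and that it should be opened "at your own risk until further analyses are performed"; a victim comment further down describes finding their own key in the list by the Bitcoin address the malware had stored on their machine. The script below is an added example, not code from the article, KnowBe4 or the Locker author, showing how a practitioner would triage such a dump without trusting it: it treats the file as plain text only, checks each Bitcoin address against its Base58Check checksum, checks that each key body is at least well-formed base64, and looks up the record for a given address. The record layout (one address line followed by one PEM block) and the sample dump are constructed assumptions, since the page does not describe the file format; the placeholder key body is not a real RSA key. The script uses only the Python standard library.

```python
import base64
import hashlib
import re

# Base58 alphabet used by Bitcoin addresses (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode_check(addr):
    """Decode a Base58Check string. Return the 21-byte payload
    (version byte + hash160) if the 4-byte double-SHA-256 checksum
    verifies, otherwise None."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the alphabet
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading zero byte that the integer lost.
    leading = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


def is_valid_btc_address(addr):
    """True for a checksum-valid mainnet P2PKH (0x00) or P2SH (0x05) address."""
    payload = b58decode_check(addr)
    return payload is not None and payload[0] in (0x00, 0x05)


# Assumed record layout: an address line, then one PEM block.
RECORD_RE = re.compile(
    r"^(?P<addr>[1-9A-HJ-NP-Za-km-z]{26,35})\r?\n"
    r"-----BEGIN RSA PRIVATE KEY-----\r?\n"
    r"(?P<body>.*?)\r?\n"
    r"-----END RSA PRIVATE KEY-----",
    re.MULTILINE | re.DOTALL,
)


def parse_dump(text):
    """Parse the dump as text only. Nothing is executed or imported;
    each record is tagged with whether its address checksum and its
    base64 key body are syntactically valid."""
    records = []
    for m in RECORD_RE.finditer(text):
        addr = m.group("addr")
        body = m.group("body")
        try:
            base64.b64decode("".join(body.split()), validate=True)
            pem_ok = True
        except ValueError:  # binascii.Error is a ValueError
            pem_ok = False
        pem = "-----BEGIN RSA PRIVATE KEY-----\n" + body + "\n-----END RSA PRIVATE KEY-----"
        records.append({"address": addr, "address_ok": is_valid_btc_address(addr),
                        "pem_ok": pem_ok, "pem": pem})
    return records


def triage(text):
    """Summary counts a responder would want before touching any key."""
    recs = parse_dump(text)
    return {"records": len(recs),
            "valid_addresses": sum(r["address_ok"] for r in recs),
            "valid_pem": sum(r["pem_ok"] for r in recs)}


def find_key_for_address(records, addr):
    """Return the PEM for the record matching a victim's stored payment
    address; records that fail either syntactic check are skipped."""
    for r in records:
        if r["address"] == addr and r["address_ok"] and r["pem_ok"]:
            return r["pem"]
    return None


# Constructed sample dump. The first address is the well-known Bitcoin
# genesis-block address (valid checksum); the second has its last
# character altered so the checksum fails. Neither key body is real.
PLACEHOLDER_KEY_B64 = base64.b64encode(b"constructed placeholder, not a real RSA key").decode()
SAMPLE_DUMP = (
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    f"{PLACEHOLDER_KEY_B64}\n"
    "-----END RSA PRIVATE KEY-----\n"
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "this is not base64!!\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
    print(find_key_for_address(parse_dump(SAMPLE_DUMP), "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"))
```

These checks establish only that the dump is what it claims to be structurally; they say nothing about whether a given key actually decrypts anything, which still has to be tested on a copy of an encrypted file, on an isolated machine, once the file format is understood.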
Customer Service (Score:5, Funny)
That's better service than a lot of companies I intentionally do business with.... What's the world come to?
Re: (Score:2)
Simply having skills isn't enough anymore. There's not enough jobs and companies want to pay less for the same jobs every year.
Re: (Score:2)
Just so you know, the average malware jockey makes money that makes me wonder why I remain on this side of the fence. So much for "getting a good job that pays well".
Don't worry. He already has one.
Re: (Score:2)
Still on this side of the fence. But I'm watching the other side carefully.
Re: (Score:3)
Honestly, it's a social skill - it requires communicating with the user, or at least knowing what users want.
If you know how to do SEO, the absolutely easiest way to infect someone is offering free downloads of some commercial app. Like Office, Photoshop, even Windows. Or the keygens t
Re: (Score:2)
Erh... detach yourself from the idea that malware is something some pimple faced 17-27 year old does in his mom's basement. Malware is a business. And of course with the relevant staff.
In other words, distribution is not your concern when you're a programmer. That's what marketing is for.
Re: (Score:2)
Don't the malware junkies make more money selling the patterns to the anti-malware firms on the side?
I mean, who buys Kaspersky if nobody gets paid to create the malware and Windows and Mac have "good enough" security?
Creating a market for malware is what keeps malware coming.
Re: (Score:2)
Don't worry. I've been in that business for a while. Trust me, there is no reason to create malware. Why bother? It's done for you. For free. Because they have a business model as well.
Quite seriously, even if you don't "trust" anti-malware companies to not create them themselves, simply follow the laws of the market: Why create a disease if it exists anyway? Why bother wasting money on something that is done for you without your intervention? It's like saying, I dunno, mobile home vendors are behind tornad
Re: (Score:1)
Feel better now?
Do you really think someone who makes a living out of blackmailing the technically illiterate would be in any way chastened, or even bothered by your blustering?
Right? That's what I fucking thought.
Did you sit there very long, with the cursor blinking, waiting for a response?
Refund Bitcoin? (Score:2)
Strangely enough, you need someone very honest to "refund" anything via Bitcoin because he has to send the coins back himself, there's no "return/refund" mechanisms.
So, all we can say is that guy is a "really honest crook", as strange and contradictory as it seems.
Re: (Score:3)
Wild, rampant, and baseless speculation.
He could have found Jesus and decided to not be mean to people.
He could have multiple personality disorder.
He could be a dog with a computer randomly pawing at the keys.
Re: (Score:1)
Wild, rampant, and baseless speculation.
He could have found Jesus and decided to not be mean to people.
He could have multiple personality disorder.
He could be a dog with a computer randomly pawing at the keys.
HE COULD BE YOU!
SO WHY'D YOU DO IT, SEXCONKER? (if that is indeed your real name)
Re: (Score:2)
It can't be me because I never would have designed it to be reversible. I would have just told people to pay up for the keys after overwriting their files with random data. It's like half the work.
testing (Score:1)
Re: (Score:2)
I think you mean tested by Sourceforge
Wow, 22.88? Seriously? (Score:5, Interesting)
My stepdad was hit by one of these a few months ago (incidentally, I can't believe he fell for it - he isn't sure how he got it, but he's a super-techie, it's surprising he both somehow installed such nasty malware, and also didn't have any recent backups of important files). Anyway, they asked for 500 bucks (he paid it, sadly, not that I necessarily blame him). $22.88... doesn't seem like a lot of money. I'd pay that without even thinking, if I were hit with it. $500 I'd have to think more about.
Re: (Score:1)
If it's anything like the vast majority of ransomware investigations that pass by my desk, it's because he hasn't updated Flash in years and got hit by malvertising.
Re: (Score:3)
he hasn't updated Flash in years and got hit by malvertising.
You don't have to be that bad, even. My parents' PC had Flash 12 and Flash 9 on it. Where did Flash 9 come from? It was installed at the same time as the updater software for their GPS device.
The whole ecosystem is toxic and hateful towards the user.
Re: (Score:1)
I'd pay that without even thinking
"A man asks a woman if she would be willing to sleep with him if he pays her an exorbitant sum. She replies affirmatively. He then names a paltry amount and asks if she would still be willing to sleep with him for the revised fee. The woman is greatly offended and replies as follows:
She: What kind of woman do you think I am?
He: We've already established that. Now we're just haggling over the price."
Do not give in to blackmail!
Re: (Score:1)
My stepdad was hit by one of these a few months ago (incidentally, I can't believe he fell for it - he isn't sure how he got it, but he's a super-techie, it's surprising he both somehow installed such nasty malware, and also didn't have any recent backups of important files).
Probably got it from visiting Sourceforge...
Re: (Score:2)
The malware authors need to create some sort of automated bartering program so that they can extract people's maximum willingness to pay. I'd definitely pay $22.88, but no way on $500.
was a wrench involved? (Score:1)
Was a wrench [xkcd.com] involved in getting him to release them?
Re: (Score:2)
Without even checking the link I know it's a mandatory XKCD.
The [xkcd.com] after the link is a bit of a giveaway.
Dis is one half (Score:1)
Re: (Score:2)
None of my keys say "any" on them :(
The keys are legit. (Score:1)
My machine was hit by this ransomware and I got lucky enough to be doing something when it happened so I had the process suspended two minutes into the attack. Only about 30 of my actually useful files were hit with most of it just being a bunch of old unneeded data.
So when he released the keys and the rules to unencrypt them I found my key in the list, based on the data saved on the machine for exactly that purpose in case I purchased. This was both the bitcoin address I should have paid through and an X