
CryptoLocker crooks charge 10 Bitcoins for second-chance decryption service

Victims of the CryptoLocker ransomware are being gouged with extortion again, this time as a second-chance decryption service offer that costs five times the original ransom.

If you don't win an online auction, sometimes you receive a "second chance offer" that costs whatever your highest bid was for the item. Extortion doesn't work that way, as seen in the newest second-chance scheme launched by the cybercrooks behind CryptoLocker: the decryption service costs five times as much as it would have cost to free your files from the ransomware in the first place.

More CryptoLocker extortion, Decryption Service second chance offer at five times the original ransom

Bitdefender Labs offers a CryptoLocker-blocking tool (exe), but otherwise people with infected systems are given three days to pay up; it costs two Bitcoins for their encrypted files to be decrypted. Across the board, security experts say don't pay.

Some victims who were unlucky enough to be zapped by CryptoLocker have been able to recover some files using the Volume Shadow Copy Service in Windows. "However, even users who have backups might realize that they're not enough to repair the damage done by the malware. Those backups might be too old or they might not include files from remote network shares that have also been encrypted by the malware."

Enter the new second chance CryptoLocker Decryption Service. Bleeping Computer warned that the penalty is steep and the cost for CryptoLocker decryption service "significantly increased from 2 bitcoins to 10 bitcoins. With the current price of bitcoins at around $212 USD the ransom has increased from around $400 USD to over $2,100 USD." At the time of writing, the "simple Bitcoin converter" quoted 10 Bitcoins as being equal to $2,261.

For those users who are affected by CryptoLocker and did not have a backup, trying to pay the ransom has been a difficult process. This is because antivirus programs remove the infection or the registry key that is required to pay the ransom and decrypt the files. It appears that the malware developers were listening, as they have now implemented a decryption service that is designed to look like a customer support site. This service is available by connecting directly to a Command & Control server's IP address or hostname or through Tor via the f2d2v7soksbskekh.onion/ address.

CryptoLocker Decryption Service

In case you can't read that, the CryptoLocker Decryption Service notice states:

This service allows you to purchase the private key and decrypter for files encrypted by CryptoLocker.

If you already purchased the private key using CryptoLocker, then you can download the private key and decrypter for FREE.

Select any encrypted file and click the "Upload" button. The first 1024 bytes of the file will be uploaded to the server to search for the associated private key. The search can take up to 24 hours.

IMMEDIATELY AFTER UPLOADING THE FILE TO THE SERVER, YOU WILL RECEIVE YOUR ORDER NUMBER. YOU CAN USE THIS NUMBER TO CHECK THE STATUS OF YOUR ORDER.

OR if you already know your order number, you may enter it into the form below.

As of today, Nov. 4, Bleeping Computer reports, "The decryption service now still allows you to pay 2 bitcoins during your normal 3 day timer period. After that period, the price increases to 10 bitcoins."

Kaspersky Lab expert Costin Raiu previously explained that researchers sink-holed three domains that were C&C servers for the malware, but so far no one has cracked the CryptoLocker encryption to fully recover all files. However, as Sophos pointed out, "the crooks' original claim was bogus all along."

The single copy of the private key, which will allow you to decrypt the files, is located on a secret server on the Internet; the server will destroy the key after the time specified in this window. After that, nobody will ever be able to restore the files.

For more about CryptoLocker, consider reading: How to avoid getting infected and what to do if you are.

Meanwhile, other security professionals have diverted their attention elsewhere, debating the reality and capabilities of the scary BIOS-level malware badBIOS.

Follow me on Twitter @PrivacyFanatic