Ransomware creator apologizes for 'sleeper' attack, releases decryption keys

Criminal with a soft spot relents on successful Locker ransomware campaign and offers free decryption for victims. Refunds don't appear to be coming, however.

Last week, a new strain of ransomware called Locker was activated after having been sitting silently on infected PCs. Security firm KnowBe4 called Locker a "sleeper" campaign that, when the malware's creator "woke it up," encrypted the infected devices' files and charged roughly $24 in exchange for the decryption keys.

See also: 'Sleeper' ransomware laid dormant on infected PCs until this week

This week, an internet user claiming to be the creator of Locker publicly apologized for the campaign and appears to have released the decryption keys for all the devices that fell victim to it, KnowBe4 reported in an alert issued today. Locker's creator released this message in a PasteBin post:

"I am the author of the Locker ransomware and I'm very sorry about that [sic] has happened. It was never my intention to release this. I uploaded the database to mega.co.nz containing 'bitcoin address, public key, private key' as CSV. This is a dump of the complete database and most of the keys weren't even used. All distribution of new keys has been stopped."

The malware creator also said that an automatic decryption process for all devices affected by Locker will begin June 2nd. However, the post did not mention anything about providing a refund to victims who paid the 0.1 bitcoin (equal to $22.88 at the time this was posted and $24 around the time Locker was activated) that the malware has demanded for the decryption keys since last week.

See also: Ransomware: Pay it or fight it?

KnowBe4's Sjouwerman says the released data does not appear to be malicious after brief analysis, and that "it does contain a large quantity of RSA keys and Bitcoin addresses." He warned those interested to open these files only "at your own risk until further analyses are performed." Those infected, though, could potentially find the decryption keys for their devices in the files hosted on the Mega.co.nz page named in the post. It might be safer, however, to wait and see whether the automated decryption process actually occurs tomorrow.

Last week, KnowBe4 said hundreds of PC users worldwide had reported falling victim to Locker within the first few days of its activation. Sjouwerman says the design of the sleeper-style campaign suggests "months-long, careful planning," and doubts the claims that it was released as a mistake.

Speculating as to why the malware's creator would suddenly put an end to what could have been a successful scam, Sjouwerman suggests he or she may have become concerned about attracting unwanted attention from either law enforcement or organized crime. Many ransomware campaigns have origins in organized criminal outfits, often in Eastern Europe, Sjouwerman says.

"What we can assume is that he is a talented coder but not an experienced cybercriminal, because a foul-up like this would never have happened with professional Eastern European organized cybercrime," Sjouwerman says. "He may have worked as a developer for one of these gangs and decided to start his own outfit, which backfired."

Ransomware has been massively successful over the past few years, with even law enforcement agencies finding that they have to pay the ransom when their files are encrypted. Previous successful strains of ransomware have been foiled in the past – just over a year ago, security researchers found the database containing decryption keys for those infected by the infamous CryptoLocker, and created an online tool that distributed them.

However, this may be the first time a ransomware campaign was put to an end on account of the attacker's remorse.


Copyright © 2015 IDG Communications, Inc.