Dutch security firm Fox-It has received 546 requests to decrypt files from UK-based victims of the CryptoLocker ransom Trojan since it launched a free unlock service last month, the highest proportion from any country.
In early August Fox-It along with US security firm FireEye set up the DecryptoLocker website in early August, since when they have received 1,933 decryption requests from victims in the US, 546 form the US, 159 from Canada, 96 from Australia, 93 from India, and 53 from France.
Fourteen other countries accounted for a further 161 requests, including nine from Russia, believed to be the homeland of CryptoLocker’s creators.
The total of around 2,900 sounds surprisingly modest given that CryptoLocker probably infected at least 625,000 computers between September 2013 and its dissolution during Operation Tovar in late May 2014.
It could be that many victims have moved on, writing off their files for good or reinstating them from backups. A small percentage will have paid the ransom or simply not heard of the decryption service.
What it does suggest is that the UK was a hotspot for CryptoLocker, as Fox-It acknowledges.
“An interesting fact is that in the UK, relatively more victims have requested their keys than in the US – more than in all other large countries to be precise. Only some very small countries with a handful of infections showed greater ratios, which can be attributed to too low statistical sample sizes,” said Fox-IT’s Joost Bijl.
Almost a quarter of the decryption requests had been for PDF files, a fraction above the number wanting to get back Office .doc files. Excel .xls files accounted for 15 percent, with docx on 13 percent and .jpg on 9.5 percent. This hints that the majority of the victims seeking keys have probably been business users.
The DecryptoLocker site remains up and running for anyone still wanting to retrieve individual files or for a whole system using a supplied utility.
The bad news is that there is still no equivalent for CryptoLocker’s successors such as CryptoWall.
“The most asked question was from victims of other ransomware: will we be able to provide a solution for CryptoWall, Synolocker, CryptoLocker V2 or others? Unfortunately we don’t offer decryption keys for these ransomwares. It is unlikely we will provide something for that anytime soon. “
It is possible that this could change. The best advice to anyone who becomes infected is not to pay the ransom – no key will be sent anyway – and to hang on to the encrypted files in the meantime.
UK authorities still have no idea about the number of UK-based victims of CryptoLocker, or any of the other ransom Trojans for that matter. Earlier this year, researchers at the University of Kent put the probable number in the tens of thousands after analysing a questionaire.