At last, hope for victims of the CryptoLocker ransom Trojan who believed they would never see their scrambled files again: security firms FireEye and Fox-IT have set up a free website that can be used to retrieve the key needed to decrypt a victim’s files.
It’s the latest development in the story of the CryptoLocker malware, and while it will come as a surprise to victims, it is perhaps not so surprising given that the program’s command and control was broken by the authorities some months ago.
The process is as simple as uploading one encrypted file and receiving the key, which must then be used to unlock the files with a utility run on the user’s PC.
This implies that the firms have obtained the cache of private keys held by the criminals, each one unique to a specific victim and able to unlock only that victim’s files. Given CryptoLocker’s success this database must be vast.
Only one encrypted file needs to be uploaded because of the hybrid encryption used by CryptoLocker (indeed by all serious encryption malware): for every file the program generates a fresh random symmetric AES key, encrypts the file with it, and then encrypts that AES key with an RSA public key created for that specific victim. The matching RSA private key never leaves the criminals’ server. Every individual file is therefore scrambled under a unique key, but all of those per-file keys are locked with the same victim key, so recovering one victim’s private key is enough to unlock every file on that machine; the uploaded file simply identifies which private key belongs to the victim.
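The following is an added illustration of the hybrid scheme described above, written for this article; it is not code from CryptoLocker, FireEye or Fox-IT. It models each "file" as an in-memory byte slice, uses AES-256-GCM and RSA-OAEP (the real malware's cipher modes are not stated on this page, so these are assumptions chosen for the demonstration), and the function names are invented. The point it shows is that every file gets its own AES key, yet one victim-specific RSA private key unwraps all of them, while another victim's private key unwraps none.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what is left on disk for one file: the per-file AES key
// wrapped under the victim's RSA public key, plus the GCM nonce and ciphertext.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// encryptFile draws a fresh random AES-256 key for this single file, encrypts
// the content with it, and wraps the key with the victim-specific public key.
// The private half of that key pair is never present on the victim machine.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptFile is what a recovery tool does once the victim's private key is
// known: unwrap this file's AES key, then decrypt the content with it.
// A private key belonging to a different victim fails at the unwrap step.
func decryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong victim key?): %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// recoverAll shows why one recovered private key is enough: it unlocks every
// file that was wrapped under the matching public key. It stops at the first
// file that does not belong to this key.
func recoverAll(priv *rsa.PrivateKey, files []*EncryptedFile) ([][]byte, error) {
	out := make([][]byte, 0, len(files))
	for i, ef := range files {
		pt, err := decryptFile(priv, ef)
		if err != nil {
			return nil, fmt.Errorf("file %d: %w", i, err)
		}
		out = append(out, pt)
	}
	return out, nil
}

func main() {
	// Constructed demo: one victim key pair generated "server side", two files.
	victim, _ := rsa.GenerateKey(rand.Reader, 2048)
	docs := [][]byte{[]byte("quarterly report"), []byte("family photos index")}
	var files []*EncryptedFile
	for _, d := range docs {
		ef, _ := encryptFile(&victim.PublicKey, d)
		files = append(files, ef)
	}
	recovered, err := recoverAll(victim, files)
	fmt.Println("recovered with victim key:", len(recovered), "files, err:", err)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = recoverAll(other, files)
	fmt.Println("recovered with another victim's key, err:", err)
}
```

Note that the two files share nothing: each WrappedKey and each Nonce is freshly random, so a victim who somehow recovered one file's AES key would still have no way into the next file. Only the RSA private key, held on the criminals' server and later seized, opens all of them, which is exactly why the takedown made the recovery service possible.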
A limitation is that the firms have asked users not to submit files containing sensitive data: the uploaded file is handled by a third party over a public submission channel, so its confidentiality cannot be assured.
“We are excited to work with Fox-IT to offer a free resource that can help thousands of businesses affected by the spread of CryptoLocker over the last few months,” said FireEye’s director of threat intelligence, Darien Kindlund.
After attacking PCs across the world from September 2013, CryptoLocker was finally smashed in May during Operation Tovar, which attacked the Gameover Zeus platform used to distribute it.
Cynics might point out that it took months to break the malware’s command and control but the takedown did at least demonstrate how a large number of security firms could cooperate in conjunction with the authorities to fight back against criminals who previously operated with impunity.
After the disruption, CryptoLocker more or less collapsed. The authorities went on to name the individual they believe was behind Gameover Zeus, Evgeniy Bogachev, also alleged to be connected to CryptoLocker. He remains at large.