New Site Recovers Files Locked by Cryptolocker Ransomware (opens in new tab)

(krebsonsecurity.com)

278 pointsAlbuca11y ago41 comments

41 comments

> The free decryption service was made possible because Fox-IT was somehow able to recover the private keys...

Part of me is so hoping that they extracted those keys from the crooks using rubber-hose cryptanalysis. There are many types of Internet scams, some more evil than others, but this is one of the nastiest I ever heard of.

praseodym11y ago

They got a database copy:

BBC article: http://www.bbc.com/news/technology-28661463

Fox-IT CEO: https://twitter.com/cryptoron/status/496945787700805632

seanp2k211y ago

Start another fund to bring back the head of everyone who released / maintains this. Who would you rather pay; crooks or vigilantes?

nospecinterests11y ago

I know they are doing this as a community service... because, I assume they feel it is their honor and duty to do so... but why the hell do these guys NOT have at least a donate link/button on their site!!!!! This is crazy. I know they are going to get awesome press which would have normally cost thousands but it never hurts to throw up a link and see how much your appreciated.

mhurron11y ago

> I assume they feel it is their honor and duty to do so

Free advertising.

Why should a commercial entity have a donate button? Why would I donate to a business?

traevesty11y ago

You'd donate to a business for the same reason you'd donate to an individual: to give resources to a cause that you support and to incentivize a direction of work.

You might be surprised to learn that the business world already has tons of donation buttons and trust networks. For accounting reasons they're often called contracts.

2 more replies

dan123411y ago

Does anyone have any conversion stats for those donate buttons?

I don't think many people actually use them, especially if the traffic is mainly curious readers sent there by mainstream press.

bitJericho11y ago

I've had sites with a fair amount of traffic, never received a donation, not ever, not even once. Much more effective to sell a sticker than to place a donate button. A friend of mine recently avoided my advice and replaced his twitter feed with a donate button, he said it was a horribly stupid mistake.

aptwebapps11y ago

Well, if word gets out they might get a decent amount of traffic from individuals who are considerably more vested than curious readers.

stronglikedan11y ago

Maybe the legal/tax implications of a for-profit entity accepting donations outweigh the benefits? I really don't know; I'm just brainstorming possibilities.

aresant11y ago

Key from one of the comments "It’s not too late if you still have the encrypted files, as I suspect many people do, hoping that someday a program like this would come along."

That is awesome. I'm sure a large percentage of people with irreplaceable files hung onto them, hope these guys get the exposure they deserve for the site.

#1 on HN is a good start.

Eiriksmal11y ago

+1. One lady in my office (running 1/4 Windows PCs) opened something from "Intuit" concerning a bill and got most of her documents locked down... and some of the shared files on the company's main NFS drive before I unplugged the box's ethernet cord. Oops.

She kept her files hanging around, just in case someone broke the encryption later on. A smart move from someone foolish enough to open a ".pdf.exe" file from an email reeking of fraud.

mp4box11y ago

Relevant http://blog.cassidiancybersecurity.com/post/2014/02/Bitcrypt...

Scoundreller11y ago

But it sounds like in the Cryptolocker case that the encryption was pretty good, they just (thankfully) weren't erasing the decrypt keys as promised.

The goodness of the decryptCryptolocker crew will probably make me laugh whenever I hear some other not-half-as-good organization claim "we're the good guys".

userbinator11y ago

This is interesting because it's one of those cases where insecurity can turn out to be a good thing - had those cybercriminals been more careful with their systems and made them more secure, this may have never been possible; but then again, the malware might not have been able to do this in the first place if the users' systems were more secure. How that could be accomplished is also worth considering - there is a school of thought that suggests taking control away from the users and disallowing them from doing anything that some entity (corporate or government) does not approve of on the assumption that users will always make mistakes (e.g. Trusted Computing), but this also means loss of freedom - as the saying goes, "freedom is not worth having if it does not include the freedom to make mistakes."

However, if on the other hand we allow the users freedom, and thus assume that mistakes (such as being infected with malware like this) will happen, then it makes sense that a means of recovery should be available, which is not something that "perfect" security allows. To use an analogy, people who have lost their keys or had them stolen should still be able to gain access to their house. In the physical world, perfect security is nearly impossible, but with digital data, it's not. Locking an item in a safe means it can still be retrieved if the key is lost by, in the worst possible circumstance, cutting open the safe, no matter how physically strong it is. Encrypting data with a long-enough key and sufficiently strong algorithm means it's truly practically destroyed without the key. I think this point - that encryption can be really, really, really unrecoverably strong - needs to be made more aware as we continue to use more of it.

It would be particularly ironic if this recovery was made possible through exploiting the malware servers with something like Heartbleed...

kijin11y ago

> it's one of those cases where insecurity can turn out to be a good thing

Well, it's usually a good thing when the bad guys make a mistake, isn't it? "Oh, I wanted to blow up this building, but I set my timer to the wrong time zone." Oops, now the police has an extra hour to evacuate the building and dismantle your bomb.

What matters is: Good for whom? Obviously, insecure tools are not good for the person who relies on it for mission-critical tasks. But what is good for that particular person and that particular task might not be good for other people and other tasks.

Since "good" is relative, "perfect security" is also relative. Perfect security for whom? And what do we mean by "security", anyway? Let's say we think of security as the ability of a system to resist interference from anybody other than its legitimate user(s). But then the question becomes, who are the legitimate users?

If Apple is the sole legitimate user of a device, it makes sense for that device to resist your attempts to interfere with its Apple-approved functions. That's perfect security for Apple, perfect security for Steve Jobs's posthumous ego.

If you are the sole legitimate user, on the other hand, the device should resist Apple's attempts to tell you what you can or can't do with it. That's perfect security for you, but it comes at the expense of perfect security from the point of view of Apple designers.

As for CryptoLocker, the whole purpose of that program is grossly immoral, so does it even have a legitimate user?

Unfortunately, it is becoming increasingly clear that perfect security for one party does not always align with perfect security for some other party.

derefr11y ago

You're listing the clear, black-and-white cases.

The interesting case is: if I am the sole legitimate user of the device, should my device resist my attempts to run cat_pictures_infected_with_cryptolocker.jpg.exe?

1 more reply

RAB113811y ago

Relevant: Neil Stephenson's Reamde takes the principle of Ransomware and plays it out to a fun conclusion. This site would have come in handy. Highly recommended http://www.audible.com/pd/Sci-Fi-Fantasy/Reamde-Audiobook/B0...

gordon_freeman11y ago

I just hope as many people as possible who were affected by this lockdown and who have not paid ransom yet would know about this. As per the Krebs' article only 1.3% paid ransom so it's not too late.

timsayshey11y ago

Has anyone here looked at the software? It requires you to manually run a command from the command prompt for every file. Decryptolocker.exe --key "<key>" <Lockedfile>

If I have thousands of files, that will take forever, anyway to batch decrypt?

traevesty11y ago

Yes, loop over the files.

http://stackoverflow.com/questions/138497/iterate-all-files-...

0x011y ago

The faq mentions an "-r" parameter :)

timsayshey11y ago

Perfect, I have the recursive part working, but I can't get the key pasted in the command prompt.

Decryptolocker.exe --key "<key>" <Lockedfile>

Everytime I paste the key in, the command prompt executes each line. Any ideas how to preserve the line breaks?

1 more reply

jonnyp54311y ago

i keep getting that decryptoblocker.exe is no an internal or external command, operable program or batch file. What gives? What am i doing wrong?

xxxmadraxxx11y ago

Of course, the conspiracy theorist might say that it's a bit too convenient to suppose the hitherto extremely clever criminals helpfully and stupidly copied their private keys across to computers controlled by 'the feds'. A bit like those supposedly 'random' police stopping of vehicles which turn out to be full of drugs or explosives.

Maybe public/private key pairs aren't as secure as we've been lead to believe.

sillysaurus311y ago

RSA-2048 is fundamentally broken, only they know about the flaw, and rather than exploit that advantage in any of the innumerable ways it could be advantageous, they decided to make a web service?

MasterScrat11y ago

Or maybe they got their hands on the keys some other way they're not willing to disclose.

enneff11y ago

It is likely that they were able to compromise the bad guys' systems and steal the private keys, which in itself is against the law.

1 more reply

a2tech11y ago

Or maybe FoxIT was behind cryptolocker all along and once the ransom money stopped pouring in they released their database to look like good guys..tinfoil hat

runeks11y ago

That would be interesting. Especially the discussion of whether this is morally acceptable (ie. doing illegal things to obtain the private keys from the malware designers).

j / k navigate · click thread line to collapse

41 comments

TeMPOraL11y ago

> The free decryption service was made possible because Fox-IT was somehow able to recover the private keys...

praseodym11y ago

They got a database copy:

BBC article: http://www.bbc.com/news/technology-28661463

Fox-IT CEO: https://twitter.com/cryptoron/status/496945787700805632

seanp2k211y ago

Start another fund to bring back the head of everyone who released / maintains this. Who would you rather pay; crooks or vigilantes?

nospecinterests11y ago

mhurron11y ago

> I assume they feel it is their honor and duty to do so

Free advertising.

Why should a commercial entity have a donate button? Why would I donate to a business?

traevesty11y ago

You'd donate to a business for the same reason you'd donate to an individual: to give resources to a cause that you support and to incentivize a direction of work.

You might be surprised to learn that the business world already has tons of donation buttons and trust networks. For accounting reasons they're often called contracts.

2 more replies

dan123411y ago

Does anyone have any conversion stats for those donate buttons?

I don't think many people actually use them, especially if the traffic is mainly curious readers sent there by mainstream press.

bitJericho11y ago

aptwebapps11y ago

Well, if word gets out they might get a decent amount of traffic from individuals who are considerably more vested than curious readers.

stronglikedan11y ago

Maybe the legal/tax implications of a for-profit entity accepting donations outweigh the benefits? I really don't know; I'm just brainstorming possibilities.

aresant11y ago

Key from one of the comments "It’s not too late if you still have the encrypted files, as I suspect many people do, hoping that someday a program like this would come along."

That is awesome. I'm sure a large percentage of people with irreplaceable files hung onto them, hope these guys get the exposure they deserve for the site.

#1 on HN is a good start.

Eiriksmal11y ago

She kept her files hanging around, just in case someone broke the encryption later on. A smart move from someone foolish enough to open a ".pdf.exe" file from an email reeking of fraud.

mp4box11y ago

Relevant http://blog.cassidiancybersecurity.com/post/2014/02/Bitcrypt...

Scoundreller11y ago

But it sounds like in the Cryptolocker case that the encryption was pretty good, they just (thankfully) weren't erasing the decrypt keys as promised.

The goodness of the decryptCryptolocker crew will probably make me laugh whenever I hear some other not-half-as-good organization claim "we're the good guys".

userbinator11y ago

It would be particularly ironic if this recovery was made possible through exploiting the malware servers with something like Heartbleed...

kijin11y ago

> it's one of those cases where insecurity can turn out to be a good thing

As for CryptoLocker, the whole purpose of that program is grossly immoral, so does it even have a legitimate user?

Unfortunately, it is becoming increasingly clear that perfect security for one party does not always align with perfect security for some other party.

derefr11y ago

You're listing the clear, black-and-white cases.

The interesting case is: if I am the sole legitimate user of the device, should my device resist my attempts to run cat_pictures_infected_with_cryptolocker.jpg.exe?

1 more reply

RAB113811y ago

gordon_freeman11y ago

I just hope as many people as possible who were affected by this lockdown and who have not paid ransom yet would know about this. As per the Krebs' article only 1.3% paid ransom so it's not too late.

timsayshey11y ago

Has anyone here looked at the software? It requires you to manually run a command from the command prompt for every file. Decryptolocker.exe --key "<key>" <Lockedfile>

If I have thousands of files, that will take forever, anyway to batch decrypt?

traevesty11y ago

Yes, loop over the files.

http://stackoverflow.com/questions/138497/iterate-all-files-...

0x011y ago

The faq mentions an "-r" parameter :)

timsayshey11y ago

Perfect, I have the recursive part working, but I can't get the key pasted in the command prompt.

Decryptolocker.exe --key "<key>" <Lockedfile>

Everytime I paste the key in, the command prompt executes each line. Any ideas how to preserve the line breaks?

1 more reply

jonnyp54311y ago

i keep getting that decryptoblocker.exe is no an internal or external command, operable program or batch file. What gives? What am i doing wrong?

xxxmadraxxx11y ago

Maybe public/private key pairs aren't as secure as we've been lead to believe.

sillysaurus311y ago

RSA-2048 is fundamentally broken, only they know about the flaw, and rather than exploit that advantage in any of the innumerable ways it could be advantageous, they decided to make a web service?

MasterScrat11y ago

Or maybe they got their hands on the keys some other way they're not willing to disclose.

enneff11y ago

It is likely that they were able to compromise the bad guys' systems and steal the private keys, which in itself is against the law.

1 more reply

a2tech11y ago

Or maybe FoxIT was behind cryptolocker all along and once the ransom money stopped pouring in they released their database to look like good guys..tinfoil hat

runeks11y ago

That would be interesting. Especially the discussion of whether this is morally acceptable (ie. doing illegal things to obtain the private keys from the malware designers).

j / k navigate · click thread line to collapse