Gee THANKS: Cryptoscum offer a free decrypt in latest ransomware racket

Ransomware thieves are taking a leaf from the greasy salesperson's handbook and offering customers victims a free decryption of a file of their choosing, malware researcher Tyler Moffitt says. Scammers would foist the CoinVault ransomware on victims through a variety of attack vectors and encrypt their …

  1. Anonymous Coward

    Of course

    The irony would be if this actually allows researchers to figure out how the encryption code works.

    I did have a thought a while back that using something like the mesh method could be a workaround, i.e. run the encrypted and unencrypted files through an optical filter and look for bit collisions.

    If the code is actually not as complex as they say then this approach might find the hidden code within the file itself in the form of xor'ed bits distributed throughout it.

    If anyone wants to help out with this I am on Hackaday a lot, as well as other forums.

    Also had some thoughts about a cluster-based machine using 4096 RPis as a code breaker, but obviously a little out of my price range.

    1. Cliff

      Re: Of course

      How the encryption works isn't the hardest part of decrypting anything, it's the guessing of the key. 3DEC, RSA, etc you can see the cogs, how the machine works, but how it's initialised turns meaning into gibberish.

      If the baddies have any idea what they are doing (and they have the money to pay good people), they will use RSA, 3DEC or other proven standard over hand-rolled cryptography which is weak by comparison. For instance ROT-13 appears marginally secure (it was secure enough for Adobe for a while), so would reencrypting a ROT-13 make it more secure? 2ROT-13 is back to cleartext! This is why you don't roll your own encryption!

    2. hapticz

      Re: Of course

      Persons already victimized who paid the price would have the decrypto program intact, as it would be used during 'reclaiming' their files. A site devoted to victims could have them submit the program/drive for professional dissection. The crypto method itself is not the weak point: if you have no decrypt key, there is no resolution to the encrypted files, irregardless of the algorithm.

      What has me confounded is how an entire drive is surreptitiously encrypted without the user being aware of any changes or malfunctions. Drop/mess a few bytes in most DLL, EXE or data files and Windows, Linux or other OS will blow up. Does this mean that the malware allows the files to be 'on the fly' decrypted for use, up to the point where the payment demand is posted? That would mean the decrypt 'key' is intact somewhere, before the demand, allowing normal file use. It seems like a root type with some clever Stuxnet approach.

      1. Toastan Buttar

        Re: Irregardless

        Don't. Just don't.

        It's "Regardless" or "Irrespective". Never the bastard child of the two.

  2. Anonymous Coward
    Windows

    As much as do not want

    Cameron and his "techno(ill)logical" cronies dictating what I can and can't see on the net, surely there has to be a way of nailing these bastards at source. If we (and our across the pond cousins) can pool millions of £$ to extradite one alleged hacker, then we can pump resources into this, no?

    Whilst personally I am unlikely to fall foul of this scam, there are a lot of people who, sadly, will...

    As previous victims of the numerous variants of this scam can attribute...

    1. Anonymous Coward

      Re: As much as do not want

      "If we (and our across the pond cousins) can pool millions of £$ to extradite one alleged hacker, then we can pump resources into this, no?"

      Wouldn't work. The people behind this are clever and obfuscate their tracks well. Even where found, chances are they are in a non-democratic state where they may be actively shielded by the national government, protected by a powerful local crime lord with his small army, or simply in a state with little functioning government.

      You get to extradite foreign citizens only from law abiding countries with functioning and vaguely democratic government. That excludes half the world. If these people are in Russia, will Putin hand them over? If Chinese, would the party send them on a one way flight to the US? In Mexico, Ukraine, Kazakhstan or where have you, the government simply doesn't function other than as a crime monopoly itself.

      You also suggest that a few extraditions and prosecutions will discourage others. Simple fraud has been illegal in any functioning state for centuries, is often accompanied by long prison sentences (particularly in the US), but that's been no deterrent. And if you're based in some central Asian ***t hole country, would any of these be a deterrent, when your choices are picking local pockets for a handful of shekels, or making hundreds of thousands of dollars through cybercrime?

      The best and perhaps only solution is backups by users and non-payment of ransom demands. The crime only exists because there's money in it, and regardless of enforcement and punishment, if the money's still waiting to be grabbed, new crims will sprout like fungus as soon as the last lot were scraped away.

      1. Anonymous Coward

        Re: As much as do not want

        "You also suggest that a few extraditions and prosecutions will discourage others. "

        I must ask, exactly where do I state this???

  3. Andy The Hat

    Decrypt one, get one file free ... DOGOFF?

  4. Anonymous Coward

    I just can't raise any sympathy for people who don't back up. Has the last 3 decades of personal computing taught people NOTHING?

    1. Velv

      Yes, yes, everyone should backup, and we have no sympathy for those that don't.

      But seriously! Most people I know don't have the skills or technology to recover their data. The machine will need to be wiped and reinstalled. Maybe they made those recovery disks that never actually work, or maybe they need a pristine ISO. Chances are they'll need to take it to somebody who'll charge to rebuild.

      Just to recover the data they'll probably need a second machine, but still will need help with the recovery.

      If the governments can't act against the criminals, perhaps it's time to let Bryan Mills loose...

    2. Anonymous Coward

      "Has the last 3 decades of personal computing taught people NOTHING?"

      More like at least 5 decades of the computing industry. A friend who worked in the IT industry for 40 years has just proved me yet again a Cassandra. In her professional life she was punctilious about data security.

      After looking after her family's IT needs for about 20 years - she decided that the last two laptop purchases were now commodity buys that needn't involve me. This week one was presented to me with glum shame to sort out a BSOD. In spite of my repeated warnings about making initial system images - there are no backups. Turns out the twenty-something child had ignored all the AV expiry warnings. The Microsoft Office 2013 will probably have to be purchased again if a total re-install is needed.

    3. John Tserkezis

      "I just can't raise any sympathy for people who don't back up. Has the last 3 decades of personal computing taught people NOTHING?"

      Nope. Not a damn thing.

      After badgering friends and family on the issue for the past few years, they're finally backing up onto USB drives. Not ideal, but better than nothing.

      Corporates are easier to convince - but only after their first major crash where they lose everything. That's when they buy backup systems and media.

      1. Gene Cash

        There are people that do backups, and there are people that have yet to lose valuable irretrievable data.

    4. Anonymous Coward

      Great idea but you leave your USB backup drive connected to your PC or your NAS and all your lovely backups are now encrypted as well.

      Removable media isn't cheap and easy for a home user. It's not like the old days when a zip disk could be used in a simple daily rotation to give you a few months of backups. To mitigate this you would either need to plug and unplug your external drive every time you run a backup (therefore not automated), or run a script to enable the drive before a backup and disable it afterwards (still not consumer friendly). The software could get wise to this and lay dormant for a week, checking out when you connect your external drive and activating as soon as you do.

      The other option is the cloud. However, this could also be susceptible to this ransomware, as it could take your files and delete them, unless your cloud provider automatically backs up on your behalf and allows you to recover.

      The best hope for home users is always running the Windows/Java/Flash etc. updates immediately, keeping a decent AV up to date, never clicking on spam e-mails or ones that state "You must watch this video!!!", and not overriding the UAC administrator prompt unless they are sure it is a legitimate request.

      However this is also a fair old expectation for the average home user.

  5. Andrew Penfold
    Coat

    Free Decrypt button must download the key

    Surely if you can press the button for "one free decrypt", the malware must then contact its server to download the decryption key for your files? A bit of wiresharking later and you have the key.

    Unless they've used a random key for EACH file, not just each infected machine. Or they use encrypted comms.

    Oh. Never mind!

    1. Alistair

      Re: Free Decrypt button must download the key

      Something along these lines: at *some* point the key is in memory somewhere, either fully encrypted or unencrypted.

      At the very least you have the three points to do vectoring math. Not that I know much about it but if you have

      Encrypted copy

      Decrypted copy

      (something that looks like the key)

      (suggestion as to what encryption)

      You have sufficient to pull the entire process apart and find (possible) flaws that can be leveraged to avoid having to use a provided key --

      1. ACZ

        Re: Free Decrypt button must download the key

        Exactly - if the single file is decrypted locally then the key must be in memory in one form or another. Presumably the key is stored on a remote server which will only allow a single use of the free decrypt button (so no taking an image of the machine and then using the "free decrypt button" on different files on different copies of the image).

        Since the key is the critical asset here, it might be that using the "free decrypt button" results in the chosen encrypted file being sent to the remote server, decrypted, and returned to the affected machine. That way, the key is not made accessible in any form, and the remote machine can control/restrict access to the "free decrypt button" functionality.

        Spent an hour last night doing remote support on a parent's PC, and the amount of cr*p which had been installed since I last looked at it was scary. Odds of this (or something like it) appearing on a family member's machine at some point is, unfortunately, scarily high and there's little or no chance of them starting to do backups to removable media.

        Ho hum :(

        1. Stuart 22

          Re: Free Decrypt button must download the key

          "Odds of this (or something like it) appearing on a family member's machine at some point is, unfortunately, scarily high and there's little or no chance of them starting to do backups to removable media."

          Depending on how much you love 'em or how naggy they will be when the inevitable happens, it might be worth secreting rsync (or its local OS equivalent) on their machine to keep an updated copy of "My Documents" or wherever they dump their family photos on a system you trust. They'll never notice. Then you can grandfather it yourself.

          One day you will be greeted more enthusiastically than Father Christmas!
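The "keep an updated copy on a system you trust, then grandfather it yourself" idea above, and the earlier worry that a permanently connected backup drive simply gets encrypted along with everything else, both come down to the same design: the trusted host pulls, keeps dated snapshots, and the machine being backed up never has write access to them. As an added example (not code from the thread, from The Register, or from the rsync project), this Python script mimics what `rsync --link-dest` does: files unchanged since the previous snapshot are hard-linked to it, changed or new files get a fresh copy, and snapshots older than the retention count are pruned. The source folder, the vault path, the date labels and the "notes.txt gets overwritten" event are all constructed for the demo.

```python
"""Pull-style snapshot backup: a small Python stand-in for `rsync --link-dest`
run from the trusted machine, with simple retention pruning (added example)."""
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def list_snapshots(backup_root: Path) -> list[Path]:
    """Existing snapshots, oldest first. Labels are ISO dates, so lexical
    order is chronological order."""
    if not backup_root.exists():
        return []
    return sorted(p for p in backup_root.iterdir() if p.is_dir())


def prune_snapshots(backup_root: Path, keep: int) -> list[str]:
    """Delete all but the newest `keep` snapshots. Hard-linked files survive
    in every snapshot that still references them."""
    snaps = list_snapshots(backup_root)
    removed = []
    for old in snaps[:max(len(snaps) - keep, 0)]:
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def snapshot_backup(source: Path, backup_root: Path, label: str, keep: int = 7) -> Path:
    """Copy `source` into backup_root/label. A file identical to the one in the
    newest previous snapshot is hard-linked to it (no extra disk space); a new
    or changed file is copied. Nothing in an existing snapshot is ever written."""
    earlier = list_snapshots(backup_root)
    previous = earlier[-1] if earlier else None
    dest = backup_root / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} already exists")
    for dirpath, _dirnames, filenames in os.walk(source):
        rel = Path(dirpath).relative_to(source)
        (dest / rel).mkdir(parents=True, exist_ok=True)
        for name in filenames:
            src_file = Path(dirpath) / name
            dst_file = dest / rel / name
            prev_file = (previous / rel / name) if previous else None
            # shallow=False compares contents, not just size/mtime
            if prev_file is not None and prev_file.is_file() and \
                    filecmp.cmp(src_file, prev_file, shallow=False):
                os.link(prev_file, dst_file)      # unchanged: share with earlier snapshot
            else:
                shutil.copy2(src_file, dst_file)  # new or modified: fresh copy
    prune_snapshots(backup_root, keep)
    return dest


def run_demo(keep: int = 2) -> dict:
    """Constructed scenario (hypothetical paths and events): two nightly pulls
    with one file overwritten in between, then a third pull that prunes."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "my_documents"   # stands in for the relative's share
        vault = Path(tmp) / "vault"           # lives on the trusted machine
        (source / "photos").mkdir(parents=True)
        (source / "photos" / "holiday.jpg").write_bytes(b"JFIF-constructed-photo-bytes")
        (source / "notes.txt").write_text("shopping list")

        snap1 = snapshot_backup(source, vault, "2015-01-01", keep)
        # Constructed event: notes.txt on the source machine is overwritten with
        # junk (what an encrypting trojan does); the photo is left untouched.
        (source / "notes.txt").write_bytes(b"\x8f\x1a\x07\x55 garbage")
        snap2 = snapshot_backup(source, vault, "2015-01-02", keep)

        result = {
            # the day-1 snapshot still holds the pristine copy
            "day1_notes": (snap1 / "notes.txt").read_text(),
            "day2_notes_intact": (snap2 / "notes.txt").read_bytes() == b"shopping list",
            # the unchanged photo is one inode shared by both snapshots
            "photo_hardlinked": os.path.samefile(snap1 / "photos" / "holiday.jpg",
                                                 snap2 / "photos" / "holiday.jpg"),
        }
        snapshot_backup(source, vault, "2015-01-03", keep)
        result["remaining"] = [p.name for p in list_snapshots(vault)]
        return result


if __name__ == "__main__":
    print(run_demo())
```

The point the demo makes is the one the thread circles around: because the day-2 run pulled the damaged notes.txt into a new snapshot instead of overwriting the old one, the day-1 copy is still readable, which a single always-mounted backup drive cannot guarantee. Two caveats for anyone doing this for real: hard links mean a write into any snapshot changes the file in every snapshot that shares it, so the vault must only ever be appended to by the backup job itself, and the pull must run from the trusted host (for example rsync over SSH with the key held there), because if the machine being backed up can reach the vault with write access, the protection is gone.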

        2. joed

          Re: Free Decrypt button must download the key

          It's unlikely that the file is sent for decryption: too much data, too easy to "triangulate" the server. Now, intercepting the key may not be easy (unless they made a mistake), but if you think about it the risk to scammers is minimal (what do they lose if someone actually gets the key? The percentage of paying "customers" is minimal anyway).

  6. phil dude
    Linux

    COW...

    Copy-on-write coming to the desktop!

    I am about to start playing with BTRFS, which is standard in openSUSE 13.2.

    COW makes the cryptolocker much less likely to damage, no?

    P.

    1. joed

      Re: COW...

      From experience on Windows: cryptosomething wipes shadow copies once done with the encryption. I'd guess that COW won't help much (but obscurity of the system you use surely will).

  7. Adam Inistrator

    Or the free one wasn't encrypted in the same way

    With a local embedded and discoverable key. Or can you pick which one you want free?

Biting the hand that feeds IT © 1998–2019