New ransomware easier to decrypt than CryptoLocker

CryptoLocker has a sibling in the ransomware stakes after a copycat program appeared that demands money in a similar way but is easier to halt than the original version.

Researchers at security startup IntelCrawler found the ransomware, called Locker, and report that it encrypts files in the same way before demanding that the victim pay $150 [£92] to restore the files.

IntelCrawler reports Locker began “large-scale distribution” on 5 December and it has already infected computers across Europe, Russia and the US. The malware is spread using infected files placed on compromised sites as well as files that are disguised as MP3s.

Once Locker infects a PC, it makes a copy of each of the victim’s documents, encrypts the copy and gives it a “.perfect” extension, then deletes the original data. The attackers then place a “CONTACT.TXT” file in each directory, giving the contact information for victims who want to purchase the decryption key.
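The two on-disk artefacts described above are enough to size up an affected share. The following triage sketch is an added example, not IntelCrawler's tooling: it walks a directory tree and reports, per folder, the ransom note, the “.perfect” files and any originals that were never deleted. It assumes the extension is appended to the full original file name; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".perfect"   # extension the article says Locker adds
RANSOM_NOTE = "contact.txt"  # note name from the article, compared case-insensitively


def scan_tree(root):
    """Map each affected directory to its ransom note, encrypted files and surviving originals."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {name.lower(): name for name in files}
        encrypted = sorted(n for n in files if n.lower().endswith(ENCRYPTED_EXT))
        has_note = RANSOM_NOTE in by_lower
        if not encrypted and not has_note:
            continue
        # Assumption: the extension is appended, so "a.doc.perfect" came from "a.doc".
        # An original still present means the delete step never ran for that file.
        survivors = sorted(
            by_lower[n[:-len(ENCRYPTED_EXT)].lower()]
            for n in encrypted
            if n[:-len(ENCRYPTED_EXT)].lower() in by_lower
        )
        findings[os.path.relpath(dirpath, root)] = {
            "ransom_note": has_note,
            "encrypted": encrypted,
            "originals_present": survivors,
        }
    return findings


def build_sample_tree(root):
    """Constructed sample data: empty files laid out like a partially hit share."""
    layout = {
        "docs": ["report.doc.perfect", "budget.xls.perfect", "budget.xls", "CONTACT.TXT"],
        "music": ["track.mp3"],
        "photos": ["a.jpg.PERFECT"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, info in sorted(scan_tree(tmp).items()):
            print(folder, info)
```

Run it against a read-only mount or a forensic copy rather than the live volume, so the scan itself does not alter timestamps on evidence.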

IntelCrawler reports that if victims are tempted to harass or threaten the perpetrators, the decryption key will be deleted and the files will be lost forever.

Victims looking to pay the ransom can hand over the $150 [£92] to a Perfect Money or QIWI VISA Virtual Card number, and in exchange they will receive the decryption key needed to recover the files.

There could be light at the end of the tunnel, though, for victims who choose to stick it out and refuse to pay the ransom: IntelCrawler has already managed to penetrate the network being used and was able to extract the universal keys used to scramble target files.

“Our researchers are working on the universal decryption software in order to help the victims,” said IntelCrawler analyst Andrey Komarov.

The original CryptoLocker ransomware has been affecting computers since earlier this year and was at its height last month, when it claimed over 10,000 victims in just one week. It charges a $300 [£185] ransom to unlock files.