Crypto remorse? Author of new Locker crypto ransomware repents after earning just US$169 

Jun 02, 2015 09:25 AM


Last week, Symantec became aware of online reports of new crypto ransomware known as ‘Locker’ (Trojan.Cryptolocker.V), which reportedly lay dormant on infected computers until May 25 at midnight, local time. Once activated, the crypto ransomware proceeded to encrypt files on the compromised computer and hold them to ransom. Symantec and Norton customers are unlikely to have been affected by this new threat, as detections were already in place for the samples reportedly used in this attack.

In a bizarre twist, the alleged author of the malware, going by the name of ‘Poka Brightminds,’ posted an apology on Pastebin on May 30 for unleashing the threat. According to the statement, the malware author never meant to release the Locker malware and, in a gesture of repentance, provided access to a database containing the decryption keys, along with a declaration that the automatic decryption of files would start on June 2 at midnight, local time. Now, according to reports on Bleepingcomputer.com, some infected computers’ files are being automatically decrypted, just as the author had promised.

Figure. Locker’s decryption screen message (Source: Bleepingcomputer.com)

The database provided by the malware author also contained 62,703 entries related to Bitcoin addresses. Each Bitcoin address was linked to a decryption key and was supposed to be used for the payment of the ransom. Several Bitcoin addresses that were known to have been used in Locker’s ransom demands were confirmed to be in the provided database. After checking the publicly available transactions for each Bitcoin address in the database, we were able to determine that the malware author made US$169 through 22 ransom payments.

Date & time      Bitcoin address                     Bitcoins received  Value in US dollars at time of transaction
May 24 at 16:33  136ietp4Z8th1PMeyvq4bBNPdLJuiRGyEx  0.0001             0.02
May 24 at 23:51  145KB6NbHwsgMTHKXtYQ6LatUjtrb6ziSh  0.0001             0.02
May 25 at 00:45  14R657hxC6T9dWPmQYwhUscUkoP2DgJLW6  0.0001             0.02
May 25 at 05:17  188vyQAZGnSGXGitrC2N5SQRGMUVhBEBED  0.101              24.14
May 25 at 07:37  17DSS8NYa8jEzgwcRC2vSrXEzPiTEgwhR   0.004148           0.99
May 25 at 09:22  15Bx4djdgjZRKJxceat99KjKgM9YsL4Yxw  0.1001             23.83
May 25 at 10:50  17ARFpkuKVTLbE9GikXE7dWdRNSerUUFwm  0.0001             0.02
May 25 at 13:36  16C3yh1vwiaYgm2kS2PwC6aC1jNx5EUW9W  0.0001             0.02
May 25 at 16:05  13AKkB1QdSs6Mz8WLCeQMQZKSZhw5gyV5p  0.1                23.70
May 25 at 17:36  135ESkJP36nMqcmyTFAya7aC8Y4b94CZN7  0.004316           1.02
May 25 at 19:26  121orLQW2LanEtso2htwZSfZ3vV4toLKt6  0.0001             0.02
May 25 at 19:43  19Lf39qLd8PqXaMrQ1cDCqKcupZwiCTM7C  0.0001             0.02
May 26 at 00:33  14PdyRVTazcZ4E7h8PmoYawgWJ5KPYa5Vr  0.0001             0.02
May 26 at 19:21  18guf2dFpRBSVBA2F8NWu25mS4L871CFk   0.1                23.59
May 26 at 20:34  13ZTXQBkPEYooQS2QoBHMZPrh569gBaFTZ  0.09999583         23.63
May 27 at 03:04  19nHSit7MwtRKYHXjWKN1rcJNaNEfJgb1k  0.0001             0.02
May 27 at 10:23  12nmvA5f3vQuZnHuumKfE8Y3fXMWV9LVmn  0.0007             0.17
May 28 at 00:49  187Ye5J9BAr9c84qnSEqqWZWshtxvByPyV  0.004215           0.99
May 28 at 13:56  16CsmestsLNqHw4Lj7UsLtBY3Ah3hw9V1M  0.0001             0.02
May 29 at 07:01  13t3iiNM24ncjRDvANwWvC3m7WSe9SDQHi  0.1                23.49
May 29 at 17:29  19ND4JwpG68Fft4pxYdFF84ArtAgwc5JSz  0.0001             0.02
May 31 at 02:12  17c58Jbv9752JGdQ25UVL7o6RV3fuMm4PF  0.1                23.23

Table. Locker’s author received 22 ransom payments amounting to $169
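The payment tally above is the kind of check an analyst repeats whenever a ransom database leaks: confirm each address is well-formed before querying a block explorer for it, then total what was received. The script below is an added example, not Symantec's own tooling. It transcribes the table's rows as constructed input, implements the standard Base58Check address encoding from scratch (so a mistyped or truncated address in a transcribed list is flagged rather than silently queried), and sums the payments with Decimal so the totals match the table exactly.

```python
"""Aggregate the Locker ransom payments and sanity-check their Bitcoin addresses.

Added example, not Symantec's own tooling. The payment rows are transcribed from
the blog's table (constructed input); the Base58Check validator is a from-scratch
implementation of the standard Bitcoin address encoding, used here to flag
transcription errors before an analyst queries a block explorer for an address.
"""
import hashlib
from decimal import Decimal

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """First 4 bytes of double-SHA256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    """Encode version byte + hash160 into a Base58Check address."""
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Every leading zero byte is represented by a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_decode(addr: str):
    """Return the payload (version + hash160) if the checksum verifies, else None."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the Base58 alphabet (0, O, I, l ...)
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * pad + raw
    if len(data) < 5:
        return None
    payload, checksum = data[:-4], data[-4:]
    return payload if _checksum(payload) == checksum else None


def is_valid_p2pkh(addr: str) -> bool:
    """True for a well-formed mainnet pay-to-pubkey-hash address (version 0x00)."""
    payload = b58check_decode(addr)
    return payload is not None and len(payload) == 21 and payload[0] == 0x00


# (date/time, address, BTC received, USD value at time of transaction), from the table.
PAYMENTS = [
    ("May 24 16:33", "136ietp4Z8th1PMeyvq4bBNPdLJuiRGyEx", "0.0001", "0.02"),
    ("May 24 23:51", "145KB6NbHwsgMTHKXtYQ6LatUjtrb6ziSh", "0.0001", "0.02"),
    ("May 25 00:45", "14R657hxC6T9dWPmQYwhUscUkoP2DgJLW6", "0.0001", "0.02"),
    ("May 25 05:17", "188vyQAZGnSGXGitrC2N5SQRGMUVhBEBED", "0.101", "24.14"),
    ("May 25 07:37", "17DSS8NYa8jEzgwcRC2vSrXEzPiTEgwhR", "0.004148", "0.99"),
    ("May 25 09:22", "15Bx4djdgjZRKJxceat99KjKgM9YsL4Yxw", "0.1001", "23.83"),
    ("May 25 10:50", "17ARFpkuKVTLbE9GikXE7dWdRNSerUUFwm", "0.0001", "0.02"),
    ("May 25 13:36", "16C3yh1vwiaYgm2kS2PwC6aC1jNx5EUW9W", "0.0001", "0.02"),
    ("May 25 16:05", "13AKkB1QdSs6Mz8WLCeQMQZKSZhw5gyV5p", "0.1", "23.70"),
    ("May 25 17:36", "135ESkJP36nMqcmyTFAya7aC8Y4b94CZN7", "0.004316", "1.02"),
    ("May 25 19:26", "121orLQW2LanEtso2htwZSfZ3vV4toLKt6", "0.0001", "0.02"),
    ("May 25 19:43", "19Lf39qLd8PqXaMrQ1cDCqKcupZwiCTM7C", "0.0001", "0.02"),
    ("May 26 00:33", "14PdyRVTazcZ4E7h8PmoYawgWJ5KPYa5Vr", "0.0001", "0.02"),
    ("May 26 19:21", "18guf2dFpRBSVBA2F8NWu25mS4L871CFk", "0.1", "23.59"),
    ("May 26 20:34", "13ZTXQBkPEYooQS2QoBHMZPrh569gBaFTZ", "0.09999583", "23.63"),
    ("May 27 03:04", "19nHSit7MwtRKYHXjWKN1rcJNaNEfJgb1k", "0.0001", "0.02"),
    ("May 27 10:23", "12nmvA5f3vQuZnHuumKfE8Y3fXMWV9LVmn", "0.0007", "0.17"),
    ("May 28 00:49", "187Ye5J9BAr9c84qnSEqqWZWshtxvByPyV", "0.004215", "0.99"),
    ("May 28 13:56", "16CsmestsLNqHw4Lj7UsLtBY3Ah3hw9V1M", "0.0001", "0.02"),
    ("May 29 07:01", "13t3iiNM24ncjRDvANwWvC3m7WSe9SDQHi", "0.1", "23.49"),
    ("May 29 17:29", "19ND4JwpG68Fft4pxYdFF84ArtAgwc5JSz", "0.0001", "0.02"),
    ("May 31 02:12", "17c58Jbv9752JGdQ25UVL7o6RV3fuMm4PF", "0.1", "23.23"),
]


def summarise(payments):
    """Count, total BTC and total USD; Decimal keeps the cents exact."""
    return {
        "count": len(payments),
        "btc": sum(Decimal(btc) for _, _, btc, _ in payments),
        "usd": sum(Decimal(usd) for _, _, _, usd in payments),
    }


def malformed_addresses(payments):
    """Addresses failing Base58Check: transcription errors to fix before any lookup."""
    return [addr for _, addr, _, _ in payments if not is_valid_p2pkh(addr)]


if __name__ == "__main__":
    print(summarise(PAYMENTS))
    print("malformed:", malformed_addresses(PAYMENTS))
```

The validator only proves an address is syntactically sound; whether it actually belongs to the ransomware operator still rests on its presence in the leaked database and on the public transaction history, as the post describes.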

Why repent?
The malware author must have put a considerable amount of time and work into writing the crypto ransomware, setting up the command-and-control infrastructure, and distributing the malware—so why the sudden change of heart? While we do not know for sure why the author tried to make amends, we can offer some hypothetical reasons: 

  • Someone caught the malware author and threatened to reveal their identity or report them to the authorities. 
  • Given the reported low earnings of this crypto ransomware, the malware author realized that the risk versus the penalties of getting caught was not worth it.  
  • The command-and-control infrastructure for the crypto ransomware was compromised and the malware author lost control of the threat. 
  • The malware author actually regretted their actions. Crypto ransomware malware authors have been known in the past to have a conscience, as we highlighted in an earlier blog: ‘OMG a Ransomcrypt Trojan with a Conscience!’

Damage done
Although the crypto ransomware author now looks to have repented and is trying to make amends, they still broke the law and caused their victims countless worries, time, and money trying to rectify the damage. Also, victims who have already made efforts to clean up their computers may no longer be in a position to have their encrypted files unlocked by the malware author, causing further problems. While the malware author claims that they are sorry for the trouble, I don’t believe that the victims will accept this apology.

Symantec and Norton customers are protected against this threat through our Trojan.Cryptolocker.V detection. Please visit our Ransomware: How to stay safe blog for more information on how to stay safe from the dangers of crypto ransomware. 
