the infection cannot cause any more damage. The only thing rkcl.exe can do after encryption is poll 2 sites, blockchain, and the decryption server to check payment, and then send the keys. I do not trust any virus creator, but I do know that if you have already been infected by locker, running rkcl.exe will not cause further damage to the machine. I can also make a decryption utility, but I fear it will not help victims that deleted the virus, as you need the BTC address to associate which key is yours.
With all due respect c'mon you know better than that!
I understand rkcl.exe does the encryption. Have we verified with certainty that it won't update itself to encrypt other kinds of files? Or that it won't download more malware? Or for that matter won't make a good effort at erasing MBRs just for laughs?
I'll wait for someone that hasn't unleashed havoc to build a tool to unencrypt and run that on whatever files I haven't been able to recover (which thankfully won't be much).
Anything other than a complete restore from a known good backup means you're going to have to find a way to validate each and every file.
EDIT: Also, I caught it before it finished encrypting everything and never got the ransom demand. I'm not unleashing it on the rest of my machine. I would be taking quite a gamble that this virus author is telling the truth and the unencryption will happen June 2nd. No thanks. What do we need here? Some guy in a giant squid head yelling "It's a trap"? Or if you prefer Trek to Wars, "Fool me once"...
I got one of my files to unlock with a very quick and dirty block of code. It's fairly straightforward.
*Edit* Make that all of them. I didn't have many files that got hit, though. There is hope!
I know you say it's quick and dirty, but would you mind sharing in source form?
"With all due respect", why come in here questioning Nathan? I understand where you're coming from, but you must be uninformed. Nathan has a lot of experience with disassembly, decompiling, and general analyses of ransomware; he has spent plenty of time manually deobfuscating heavily obfuscated binary files and has created several decryption utilities that were provided for free in the past.
I am willing to bet that when Nathan makes a statement regarding the mechanism of action of a ransomware variant, he does so after disassembling and/or decompiling the associated binary; that his statements result from the review of the [raw] code in question, rather than blind claims like your response to him infers.