"Locker" Ransomware Author Allegedly Releases Database of Private Keys


28 replies to this topic

#1 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  • Gender:Male
  • Location:::1
  • Local time:12:36 AM

Posted 30 May 2015 - 03:04 PM

Noticed a post in the Locker thread about this, so I decided to check it out.  Allegedly, the author of the "Locker" ransomware has uploaded a dump of the C2 server database, releasing private keys of infected hosts worldwide to the public.  The "author" claims that the release was a mistake, that no further keys will be utilized for encryption, and that automatic decryption of all affected hosts will begin on June 2nd.

 

This is the post made by the alleged author, uploaded to Pastebin on 05/30/2015:

Hi,
 
I am the author of the Locker ransomware and I'm very sorry about what has happened. It was never my intention to release this.
 
I uploaded the database to mega.co.nz containing "bitcoin address, public key, private key" as CSV.
This is a dump of the complete database and most of the keys weren't even used.
All distribution of new keys has been stopped.
 
hxxps://mega.co.nz/#!W85whbSb!kAb-5VS1Gf20zYziUOgMOaYWDsI87o4QHJBqJiOW6Z4
 
Automatic decryption will start on 2nd of June at midnight.
 
@devs, as you might be aware the private key is used in the RSACryptoServiceProvider class in .NET and files are encrypted with AES-256 using the RijndaelManaged class.
 
This is the structure of the encrypted files:
 
- 32 bit integer, header length
- byte array, header (length is previous int)
*decrypt byte array using RSA & private key.
 
Decrypted byte array contains:
- 32 bit integer, IV length
- byte array, IV (length is in previous int)
- 32 bit integer, key length
- byte array, Key (length is in previous int)
 
- rest of the data is the actual file which can be decrypted using RijndaelManaged and the IV and Key
 
Again sorry for all the trouble.
 
Poka BrightMinds
 
~ V
 
Based on a brief analysis, the file seems non-malicious and does contain a large quantity of RSA keys.  Open at your own risk, until further analyses are performed.
 

File Information

 

Name: database_dump.csv

Size: 127.5 MB

MD5: d4d781412e562b76fe0db0977cf6279b

SHA-1: 6ba671ce2a6c256c74d7db81186b0dbddd5e2185

SHA-256: d7fd791b86615fada64fe0290aecb70e5584b9ac570e7b55534555a3b468b33f

 

VirusTotal: https://www.virustotal.com/en/file/d7fd791b86615fada64fe0290aecb70e5584b9ac570e7b55534555a3b468b33f/analysis/1433015747/

 

Update 05/30/2015 4:23 PM: A Malware Response Team member has confirmed that the CSV file contains Bitcoin addresses and RSA keys.


Edited by White Hat Mike, 30 May 2015 - 03:24 PM.

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com
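The file layout quoted in the Pastebin note, worked through as an added example. This is not code from the thread, from the Locker binary, or from any decrypter built by the people named here. It assumes what the note leaves unstated: little-endian 32-bit integers (what .NET's BinaryWriter produces), PKCS#1 v1.5 padding for the RSA-wrapped header (RSACryptoServiceProvider.Decrypt with fOAEP set to false), a 16-byte IV with CBC mode and PKCS7 padding (RijndaelManaged defaults), and that the victim's private key from the CSV has already been loaded into an RSACryptoServiceProvider. The names LockerLayout, TryUnwrapHeader, Decrypt and BuildSample are mine; BuildSample only manufactures a file in the same layout from a freshly generated key pair so the parser can be exercised offline.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example; not code from the thread, the Locker binary, or any decrypter.
// Layout from the Pastebin note:
//   int32 headerLen | header[headerLen] (RSA-encrypted) | AES-256 ciphertext
// decrypted header: int32 ivLen | iv[ivLen] | int32 keyLen | key[keyLen]
// Assumptions the note does not state: little-endian int32, PKCS#1 v1.5 RSA
// padding (fOAEP = false), CBC + PKCS7 with a 16-byte IV (RijndaelManaged defaults).
static class LockerLayout
{
    // Open the RSA-wrapped header with a candidate private key. Returns false
    // instead of throwing when the key does not fit, so a victim can test each
    // key row against one file before touching anything else.
    public static bool TryUnwrapHeader(byte[] file, RSACryptoServiceProvider rsa,
                                       out byte[] iv, out byte[] key, out int bodyOffset)
    {
        iv = key = null; bodyOffset = 0;
        if (file.Length < 4) return false;
        int headerLen = BitConverter.ToInt32(file, 0);           // little-endian (assumption)
        if (headerLen <= 0 || headerLen > file.Length - 4) return false;
        byte[] header = new byte[headerLen];
        Buffer.BlockCopy(file, 4, header, 0, headerLen);

        byte[] plain;
        try { plain = rsa.Decrypt(header, false); }              // wrong key: padding check fails
        catch (CryptographicException) { return false; }

        using (var hr = new BinaryReader(new MemoryStream(plain)))
        {
            int ivLen = hr.ReadInt32();
            if (ivLen != 16) return false;                       // 128-bit block (assumption)
            iv = hr.ReadBytes(ivLen);
            int keyLen = hr.ReadInt32();
            if (keyLen != 32) return false;                      // AES-256 per the note
            key = hr.ReadBytes(keyLen);
        }
        bodyOffset = 4 + headerLen;
        return true;
    }

    // Full decryption of one file: unwrap the header, then AES-decrypt the rest.
    public static byte[] Decrypt(byte[] file, RSACryptoServiceProvider rsa)
    {
        byte[] iv, key; int off;
        if (!TryUnwrapHeader(file, rsa, out iv, out key, out off))
            throw new CryptographicException("private key does not match this file");
        using (var aes = new RijndaelManaged { Key = key, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(file, off, file.Length - off);
    }

    // Test fixture only: builds a constructed file in the same layout from a
    // fresh key pair so the parser above can be run without any real sample.
    public static byte[] BuildSample(byte[] plaintext, RSACryptoServiceProvider rsa)
    {
        using (var aes = new RijndaelManaged { KeySize = 256, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        {
            aes.GenerateKey(); aes.GenerateIV();
            byte[] body;
            using (var enc = aes.CreateEncryptor())
                body = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            var hdr = new MemoryStream();
            using (var hw = new BinaryWriter(hdr, Encoding.UTF8, true))
            {
                hw.Write(aes.IV.Length); hw.Write(aes.IV);
                hw.Write(aes.Key.Length); hw.Write(aes.Key);
            }
            byte[] wrapped = rsa.Encrypt(hdr.ToArray(), false);

            var outp = new MemoryStream();
            using (var w = new BinaryWriter(outp, Encoding.UTF8, true))
            {
                w.Write(wrapped.Length); w.Write(wrapped);
                w.Write(body);
            }
            return outp.ToArray();
        }
    }

    static void Main()
    {
        var victimKey = new RSACryptoServiceProvider(2048);   // stands in for the victim's CSV row
        var otherKey  = new RSACryptoServiceProvider(2048);   // some other row from the dump
        byte[] sample = BuildSample(Encoding.UTF8.GetBytes("constructed sample document"), victimKey);

        byte[] iv, key; int off;
        Console.WriteLine("other key fits?  " + TryUnwrapHeader(sample, otherKey, out iv, out key, out off));   // False
        Console.WriteLine("victim key fits? " + TryUnwrapHeader(sample, victimKey, out iv, out key, out off));  // True
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(sample, victimKey)));
    }
}
```

TryUnwrapHeader is the check a victim wants before anything else is attempted: a row from the dump that does not belong to the machine fails the RSA padding check, or yields implausible IV and key lengths, and the function returns false without ever touching the file body. That lets the right key be identified from one small file and the binary itself stays unexecuted, which is the point several posters below make about not running the malware again in the hope of automatic decryption.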



#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:36 AM

Posted 30 May 2015 - 03:07 PM

Will Fabian, Grinler or Nathan work on a decrypter using the private keys if the people who already removed the Locker Ransomware don't get their files decrypted automatically?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,076 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:05:36 AM

Posted 30 May 2015 - 03:18 PM

Hi White Hat Mike,

 

I have confirmed that the file contains keys matching the bitcoin addresses and keys posted here by some of the affected users.

 

I suppose there is hope that some expert can build a decrypter to use those keys.


Edited by SleepyDude, 30 May 2015 - 03:19 PM.

• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem from one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#4 White Hat Mike

White Hat Mike
  • Topic Starter

  • Members
  • 312 posts
  • OFFLINE
  • Gender:Male
  • Location:::1
  • Local time:12:36 AM

Posted 30 May 2015 - 03:24 PM

Hi White Hat Mike,

 

I have confirmed that the file contains keys matching the bitcoin addresses and keys posted here by some of the affected users.

 

I suppose there is hope that some expert can build a decrypter to use those keys.

 

Thanks -- updated first post




#5 White Hat Mike

White Hat Mike
  • Topic Starter

  • Members
  • 312 posts
  • OFFLINE
  • Gender:Male
  • Location:::1
  • Local time:12:36 AM

Posted 30 May 2015 - 03:26 PM

Quite odd that the user that posted the URL to the pastebin post created an account here today at 2 PM...  what's the likelihood of accidentally stumbling across a Locker C2 server DB dump?  Weird.

 

http://www.bleepingcomputer.com/forums/u/955467/lolplayer342/




#6 kimaa

kimaa

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:Serbia
  • Local time:06:36 AM

Posted 30 May 2015 - 03:54 PM

There is my bitcoin key also. I returned all files, and I hope that it will work... There is also the public key from the data.aa7 file.... woohooo :)


Edited by kimaa, 30 May 2015 - 04:22 PM.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:36 AM

Posted 30 May 2015 - 04:21 PM

I have notified both Fabian and Nathan with a link to this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#8 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:36 AM

Posted 30 May 2015 - 04:29 PM

Anyone who has been infected by this, I recommend moving the "rkcl" folder back right away if you still have it. For those of you who do not, this infection was protected with ConfuserEx 0.4. It sucks to try and analyze in a complete way. But now that we have a little more information than we normally have, it should speed up the process a little.


Have you performed a routine backup today?

#9 hifrmny

hifrmny

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:36 AM

Posted 30 May 2015 - 05:54 PM

GREAT NEWS but still odd how it all came about I think as mentioned above.  My antivirus quarantined the LDR file so I think I should restore that just before midnight on June 2nd.  All other files are still intact I believe.  That popup message box on my desktop is gone but that might have been removed when my antivirus quarantined the ldr file.



#10 syousef

syousef

  • Members
  • 38 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 30 May 2015 - 06:19 PM

My key is in there too. Smells fishy to me. I'm certainly not running this malware again until June 2nd in the hope it fixes things instead of doing more damage.

 

This jerk has cost me a week of hell so far and it's nowhere near over yet for me. If someone trusted by the community creates a tool based on these instructions there are going to be some files I can get back. In the meantime I don't believe a word of this being an accidental release.



#11 scorpion1869

scorpion1869

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:36 AM

Posted 30 May 2015 - 08:57 PM

I'm very sorry about what has happened. It was never my intention to release this.

 

Again sorry for all the trouble.

 

Sure. If he/she/they were sorry and it really wasn't an intention to release this, they would refund everyone that paid imo.


Edited by scorpion1869, 30 May 2015 - 09:03 PM.


#12 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:36 AM

Posted 30 May 2015 - 09:08 PM

It is absolutely hard to believe this was an accident when the infection had a timer, there was an active online Tor service accepting client requests, and still active methods of distribution. I think it's more that the creator made a good amount of cash, and is now getting cold feet / has enough of what he wanted.



#13 mlangsley

mlangsley

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 30 May 2015 - 09:53 PM

A friend of mine just told me that sometimes programmers just get hired to make that kind of work. This is not for defending the creator, but to try to understand why they actually released the info (database). For me it is very suspicious too, but in the situation I am in, I really want to believe it's gonna work.



#14 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:36 AM

Posted 30 May 2015 - 10:33 PM

Will a victim of Locker please PM me their BTC address with about 10 different encrypted files so I can start on this decrypter? Thanks.
 



#15 White Hat Mike

White Hat Mike
  • Topic Starter

  • Members
  • 312 posts
  • OFFLINE
  • Gender:Male
  • Location:::1
  • Local time:12:36 AM

Posted 30 May 2015 - 11:48 PM

A friend of mine just told me that sometimes programmers just get hired to make that kind of work. This is not for defending the creator, but to try to understand why they actually released the info (database). For me it is very suspicious too, but in the situation I am in, I really want to believe it's gonna work.

 

There is no legitimate conclusion that can be drawn with the goal of condoning the activities of the ransomware author.  The command did not have to be issued to infect systems; rather, if it were configured to activate in "logic bomb" fashion, the author could have remedied this.  What about all of the payments that were made?  That have not and most likely will never be returned to those that paid the ransom?  Programmers know exactly what they are writing when they accept a job; I mean come on, they're the ones writing the binaries that manipulate the target's file system...

 

Will a victim of Locker please PM me their BTC address with about 10 different encrypted files so I can start on this decrypter? Thanks.
 

 

Get on this, people... Nathan is prepared to remediate your file systems!






