Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Locker developer releases private key database and 3rd party decrypter released


  • Please log in to reply
45 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:27 AM

Posted 31 May 2015 - 09:33 AM

Yesterday the supposed developer of the Locker ransomware released a database dump of all the private decryption keys. Along with this database is a post on Pastebin where he describes the encryption format and then apologizes for releasing the ransomware. The keys have been confirmed to be legitimate and a decrypter has been created by Nathan Scott, the developer of CryptoMonitor and one of our resident ransomware gurus. Information about the decrypter can be found below along with the message from pastebin.

 

Locker UnLocker
 
locker_unlock.png

 
Tool Download:
Locker Unlocker Download Link
Locker Unlocker will decrypt the files infected by "Locker v*" (you can tell if you have Locker if the splash screen has a padlock image on it with a orange BTC logo). The whole key database is included in the decrypter for now, which makes the tool a larger size (a whopping 70megs), sorry about that, It was just to get the tool out ASAP and will change soon.


The steps are as follows:
  • Enter BitCoin Address (Make sure there is no spaces or other characters in your entry! It must only be your BTC Address!)
  • Select your decryption method (List Decryption uses the list the virus created and is the most pratical and recommended method. Directory Decryption attempt to decrypt all files in a given directory. Be careful with this method as any non-encrypted files in the folder will be possibly corrupted. There is validation before decryption, but do not rely on it. If you use this method, copy the encrypted files to a new directory and select it.
  • Select where either your list is (List Decryption Method) or where your Directory is (Directory Decryption)
If you do not know your bitcoin address, you can now brute force your address for victims who deleted their dropper and do not know it. To brute force your BTC Address simply click "Brute BTC" button on the home screen of the application and follow instructions.

Extra Options
  • Remove Encrypted files - This option will prevent the tool from creating backups of the encrypted files next to the decrypted files. It is suggested you NOT enable this option the first run.
  • Create Log - This will create a log of all successfully decrypted files and failed files on the desktop.
Good Luck, and please, in the future run a backup system and use a prevention method to these type of infections like CryptoMonitor, CryptoPrevent, or Hitman Alert


The pastebin message from the Locker developer is:




Hi,

I am the author of the Locker ransomware and I'm very sorry about that has happened. It was never my
intention to release this.

I uploaded the database to mega.co.nz containing "bitcoin address, public key, private key" as CSV.
This is a dump of the complete database and most of the keys weren't even used.
All distribution of new keys has been stopped.

hxxps://mega.co.nz/#!W85whbSb!kAb-5VS1Gf20zYziUOgMOaYWDsI87o4QHJBqJiOW6Z4

Automatic decryption will start on 2nd of june at midnight.

@devs, as you might be aware the private key is used in the RSACryptoServiceProvider class .net and
files are encrypted with AES-256 bit using the RijndaelManaged class.

This is the structure of the encrypted files:

- 32 bit integer, header length
- byte array, header (length is previous int)
*decrypt byte array using RSA & private key.

Decrypted byte array contains:
- 32 bit integer, IV length
- byte array, IV (length is in previous int)
- 32 bit integer, key length
- byte array, Key (length is in previous int)

- rest of the data is the actual file which can be decrypted using Rijndaelmanaged and the IV and Key

Again sorry for all the trouble.

Poka BrightMinds

~ V



BC AdBot (Login to Remove)

 


m

#2 Tch0rT

Tch0rT

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:27 AM

Posted 31 May 2015 - 10:18 AM

Thank you so much for this! You guys rock! I almost paid... I got this on two PC's, one where I screenshotted the bitcoin addy and one I forgot to do before I nuked and paved so I do hope you guys get that worked out. :bananas: :bounce: :love4u: :flowers:


Edited by Tch0rT, 31 May 2015 - 10:19 AM.


#3 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:03:27 AM

Posted 31 May 2015 - 12:44 PM

I encourage affected users who utilize Nathan's tool with success to take the money that they otherwise would have spent paying the ransom, and donating it to Nathan for his work.  :)


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#4 ts270890

ts270890

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 31 May 2015 - 01:46 PM

I have deleted the ransomware folders (tor, rkcl etc) Is there any hope I can still recover my encrypted files? I didn't delete them.

#5 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 10,578 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:06:27 PM

Posted 31 May 2015 - 05:11 PM

If he was truly sorry he would also return all the money that people were forced to pay. I bet he has discovered that the cops are about to come knocking on his door any day now and has done this so when it gets to court he can say he has shown remorse for his crimes and try to get a shorter prison sentence.



#6 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:27 AM

Posted 31 May 2015 - 06:30 PM

I have deleted the ransomware folders (tor, rkcl etc) Is there any hope I can still recover my encrypted files? I didn't delete them.


Do you remember the bitcoin address that was given to you? If so, that is all you need.

#7 ts270890

ts270890

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 31 May 2015 - 08:07 PM

 

I have deleted the ransomware folders (tor, rkcl etc) Is there any hope I can still recover my encrypted files? I didn't delete them.

Do you remember the bitcoin address that was given to you? If so, that is all you need.
 


Unfortunately no.

#8 Rengow

Rengow

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:27 AM

Posted 31 May 2015 - 08:29 PM

 

 

I have deleted the ransomware folders (tor, rkcl etc) Is there any hope I can still recover my encrypted files? I didn't delete them.

Do you remember the bitcoin address that was given to you? If so, that is all you need.
 


Unfortunately no.

 

Hi, first, thanks so much to Nathan and you for this usseful program. Second, ts270890 try this.



#9 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:05:27 PM

Posted 31 May 2015 - 11:14 PM

If he was truly sorry he would also return all the money that people were forced to pay. I bet he has discovered that the cops are about to come knocking on his door any day now and has done this so when it gets to court he can say he has shown remorse for his crimes and try to get a shorter prison sentence.

It's hard not to be cynical for me also. Maybe he has had a change of heart though... decided that all this free and easy money was not worth it. (cough)



#10 Angoid

Angoid

  • Security Colleague
  • 299 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:East Midlands UK
  • Local time:08:27 AM

Posted 01 June 2015 - 06:42 AM

Well, the good news is that he has released the keys and the prognosis is good.

 

But I remain cynical too .. he said that it was never [his] intention to release this" which raises the question of why it was developed in the first place.

I mean, if you develop some software then generally you intend to do one of three things with it:

 

1) Keep it for you own use only - it wouldn't be useful if released for example, or it's something you know only you will find useful

2) Release it commercially

3) Release it for free.

 

Now, you're not going to find a file-encrypting program that demands a ransom useful for your own purposes which leaves 2 and 3.  It's hardly a charitable program which only leaves option 2.

 

So if it was never intended to be released, what did this guy really want to do with it?  Who was his target audience?

 

Or it could have been his intention to only keep it live for a short time, make a stack and then retract it ... after all, activation was delayed which makes it harder for most folk to identify the entry point and it also could have been inadvertently backed up, so a restore from backups (especially from an image) would restore this ransomware also.

 

Then an apology and database full of keys comes along just a few days later ....

 

While he may have undergone a change of heart (this is possible), it might still be easier to believe that on a "thousands wouldn't" basis.

 

Hmmmm ..... 

 

(Edit: Correct minor mistakes)


Edited by Angoid, 01 June 2015 - 06:45 AM.

Helping a loved one through a mental health issue?  Remember ALGEE...

Assess the risk | Listen nonjudgementally | Give reassurance and info | Encourage professional help | Encourage self-help and support network

#11 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:27 AM

Posted 01 June 2015 - 10:03 AM

Never meant to release it? I think not. I agree with others, the dev was feeling the heat or maybe she/he actually has a conscience. I am glad to hear people can get their files back!


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#12 Karam S P

Karam S P

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:27 AM

Posted 03 June 2015 - 08:02 AM


 

 

I have deleted the ransomware folders (tor, rkcl etc) Is there any hope I can still recover my encrypted files? I didn't delete them.

Do you remember the bitcoin address that was given to you? If so, that is all you need.
 


Unfortunately no.
 
Hi, first, thanks so much to Nathan and you for this usseful program. Second, ts270890 try this.


#13 Karam S P

Karam S P

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:27 AM

Posted 03 June 2015 - 08:09 AM

I have after numerous and sleepless nights and days been trying to figure out if there is a way to decrypt my files. I am talking photos of entire family. Albums 30 years of it. And some work related files also. I read lots of blogs everywhere and was recommended to back up all encrypted files and pave and nuke. I backed up all encrypted files but reinstalled Windows 8. Anyway to dycrypt it still possible or am I hopeless. I deleted rkcl.exe folder etc. So I just have the encrypted files and clean install. HELP HELP HELP and Thank you.
Darn why did I jump the gun and delete that folder. :(

Edited by Karam S P, 03 June 2015 - 08:12 AM.


#14 jimmythedjentleman

jimmythedjentleman

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 03 June 2015 - 08:28 AM

Hello everybody, I hope (for the sake of others) that I'm the only one with this problem: After selecting my BitCoin address, selecting an example file (read as: random encrypted by Locker photo) and clicking "start", I get an error that an application has stopped working and I can only force close it. I'm using Windows 8.1. I selected an option that creates log on desktop, but LockerUnlocker doesn't even create the file before crashing. I've already removed Locker, so bye-bye automatic decryption. :( I've been thinking about trying to run LockerUnlocker under Linux via Wine. Can anybody help me with it? I'm so close to recovering my files :( Thanks in advance!



#15 sameer.sattar

sameer.sattar

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:27 AM

Posted 04 June 2015 - 06:57 AM

Hi, I am having the same problem as jimmythedjentleman - "application has stopped working" when I click on Brute BTC and select my encrypted file.

 

When I enter my BitCoin Address -  1H76CNN799h2nzZLhQhTs49UnfzytuWby  -  it comes up with message "Could not find your Key! Please check your BTC address and try again. If your address is right, you may not have this infection.

 

When I Click on Brute BTC, it asks me to select encrypted locker file.  When I select one of my files and press "GO" it force closes or comes up with error  "application has stopped working"

 

I am using Windows 7 64Bit.

 

Please help! :(

 






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users