Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Dr.Web quietly decrypting TorrentLocker for paid customers or distributors


  • Please log in to reply
56 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:06 AM

Posted 21 August 2015 - 03:30 PM

It appears that for the past 4 months, Dr.Web has been quietly decrypting TorrentLocker encrypted files for their paid customers. I am not going to begrudge a company for trying to make money off their hard work and would have happily referred victim's to their site to purchase a $30 USD license if it could get their files back. What I find strange, though, is the complete lack of public information about their ability to decrypt the files and their refusal to respond to queries by myself and other members of the security community.

 

us-ransom-note-thmb.jpg



Previous Analysis of the ransomware shows that each victim has its own unique AES decryption key that is used to decrypt their files. That would mean that the only way to decrypt encrypted files would be to have access to the decryption keys from TorrentLockers Command & Control server. Due to this, it came as a surprise when in May 2015, a member named Wallak posted that paying customers of Dr.Web products were able to get their files decrypted for free.
 

Ok guys, seems that Dr.Web Russian antivirus has a solution. Some of my web visitors have confirmed that buying some product (antivirus, internet security suite, etc...) customers have a FREE tool to decrypt the files (a DOC file must be sent to the experts to get back the KEY with their tool to decrypt).
It works, I checked it, and also the KEY the send put inside (patching) the decrypters from the pirates, also work, so it is the real KEY.


Wallak further stated that he heard about this from Dr.Web partners in Spain.
As this seemed suspicious that a well-known company would have the ability to help victims and was not making it public, we were suspicious of this post. I therefore decided to reach out to Dr. Web and try to get confirmation. I emailed them and explained how we are trying to get information about whether they could actually decrypt TorrentLocker files before we referred visitors to them. To my surprise, I received a response back from Boris Sharov, the CEO of Dr.Web, who said they do not classify ransomware by their name, but rather by their own designation. He said I could send some files in and someone would get back to me whether or not they could decrypt it. I sent some files, waited 10 days, emailed them again about it, and never heard back.

Today, someone else posted on BleepingComputer.com about an Italian site called www.decryptolocker.it that states that it can help get the decryption program for victims affected by TorrentLocker and CryptoL0cker. It further explains that they are a distributor of Dr.Web and are able to work with them to get a decryption program made if you send a couple of encrypted files in. This site does not require you to purchase a Dr.Web license.

 

decryptolocker.it.jpg



A sample of one of these Dr.Web decryption programs called te225decrypt is shown below.

 

te225decrypt.jpg



Overall, this whole revelation has been welcome, surprising, confusing, and suspicious all rolled into one. The fact that they never responded to queries from myself and others, never publicly announced that they were able to decrypt this ransomware, and we have only heard about it through distributors just feels odd.

Regardless, this is still welcome news for those affected by the TorrentLocker ransomware and we hope that you will be able to use Dr.Web to recover your files. As for Dr.Web, we would still love to see some official reply from them regarding this.


BC AdBot (Login to Remove)

 


#2 TheJokerz

TheJokerz

  • Members
  • 286 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ohio
  • Local time:12:06 AM

Posted 21 August 2015 - 03:50 PM

Hmm that does seem kind of odd!!


utl8q0-5.png


#3 GT500

GT500

    Authorized Emsisoft Representative


  • Security Colleague
  • 137 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Fortville, Indiana, USA
  • Local time:12:06 AM

Posted 21 August 2015 - 04:14 PM

They're able to get the private key... How?

I can see why you find this suspicious. It conjures up some pretty crazy theories, at least in my mind. Personally, I hope those theories are all false, and they just have some really smart people working for them. :wink:

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#4 CodeSmasha

CodeSmasha

  • Banned
  • 524 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:06 PM

Posted 21 August 2015 - 06:14 PM

Something is off...



#5 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,617 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:06 AM

Posted 21 August 2015 - 06:53 PM

Maybe they found a weakness in the encryption. It wont be the first someone analyzed a malware and missed something that others saw. Just found it odd that never responded to queries regarding it.

#6 silumor

silumor

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:12:06 AM

Posted 22 August 2015 - 07:49 AM

Yeah kinda seems fishy to me. I mean why not advertise if you and you only have been able to break such encryption.

Creator and Saviour of the same affliction is not unheard of. Who knows but them.



#7 gkuhns

gkuhns

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:06 AM

Posted 22 August 2015 - 03:13 PM

Maybe they hacked the hackers and got the key that way :)



#8 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,617 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:06 AM

Posted 22 August 2015 - 05:46 PM

I do not think they are affiliated in any way with the malware devs. Dr.Web is a legit company. Just strange that so many people are affected by this ransomware and they have remained silent about it.

Hell, I wouldn't have cared as much if they said they could help, but people would have to buy a license of their software. At least it would have been a hell of a lot cheaper.

#9 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,393 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:02:06 PM

Posted 22 August 2015 - 09:37 PM

I know several people and 1 company that would have gladly paid Dr Web $ 100 for a license instead of paying the bad guys up to $1000.  It could be quite a little gold mine for them, Strange.



#10 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,420 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States, Delaware
  • Local time:12:06 AM

Posted 22 August 2015 - 10:28 PM

That just seems fishy to me...

 

Regardless, if it works and you really need your data, then I would pay the 100 bucks and pray it works (this is why backups on external drives are a good thing folks!)


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#11 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:05:06 AM

Posted 23 August 2015 - 09:08 AM

I do not think they are affiliated in any way with the malware devs. Dr.Web is a legit company. Just strange that so many people are affected by this ransomware and they have remained silent about it.

Hell, I wouldn't have cared as much if they said they could help, but people would have to buy a license of their software. At least it would have been a hell of a lot cheaper.

The only reason I can think is that they would think that people would think badly of them for requiring people to buy a licence in order to decrypt file (rather than offering it for free), hence the keeping quiet.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#12 UNC61

UNC61

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Fancy Prairie, IL
  • Local time:11:06 PM

Posted 23 August 2015 - 10:11 AM

   Fishy, maybe, but we do not know. Seems that I remember there were a couple of occasions when Crypto-criminals had holes in their programs and the discussion about it got into the open press. It was not long after that when there was a new unbreakable version of the malware. That was my initial thoughts and if that is Dr. Web's reason for not being forthcoming, they may be justified. Just saying. 

   As for trust, and I will not be disappointed if this post is pulled but, Dr. Web is not a company that I would endorse at the same level as MalwareBytes or Unchecky, lets say. However, the experience goes back to Win98SE/Me/early WinXP era and I have not researched it since then. I would never accuse them of being fully forthcoming and that may be the means they maintain some of the proprietary hold on their products.

   I would suggest that we should not convict Dr. Web without having solid evidence of malfeasance. If, in fact, they can break encryption of certain forms of ransomware, it leads me to believe that we do not understand the encryption as well as we should. It certainly compels me to investigate its vulnerabilities ever more profoundly. 

   If my business needed their assistance and the criminals had asked $1K for the key, I would gladly pay Dr. Web the same $1K or even $5K for a solution. The point is that when dealing with criminals, it leads to more blackmail or extortion. When dealing with legit companies, the fear of that is greatly relieved.



#13 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,617 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:06 AM

Posted 23 August 2015 - 11:07 AM

Fishy, maybe, but we do not know. Seems that I remember there were a couple of occasions when Crypto-criminals had holes in their programs and the discussion about it got into the open press. It was not long after that when there was a new unbreakable version of the malware. That was my initial thoughts and if that is Dr. Web's reason for not being forthcoming, they may be justified. Just saying.


There is one thing to say that we can decrypt it and another to explain how they are doing it. It was only those times that the companies actually released the flaw that the flaw was fixed. Those that just fixed without disclosing how, were not.

#14 ZombieWorm

ZombieWorm

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:06 AM

Posted 23 August 2015 - 02:48 PM

This is a good scoop!

 

Historically I have used Dr.Web a number of times to boot into and clean an infected machine. In this respect I hold them in high regard - tool works well.

 

The question that leaves a bad taste (that most may be thinking after reading this) is that as the origin of most underworld and these ransomware programs lead us back to russia, which is where the elephant in the room occurs. Dr.Web is a russian company so how are they obtaining the key in an ad-hoc fashion, and why are they content with helping out as long as they get a licence fee from the unfortunate issue..?



#15 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:02:06 PM

Posted 23 August 2015 - 06:33 PM

It seems logical in some way that they would keep this on the low. By announcing it loudly the flood of victims would pile up at their door and attract attention from the malware developers.

 

There's no shortage of people to assist with these infections, so just helping those they can rather than broadcasting their service might be more effective at helping people.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users