CoinVault and Bitcryptor Ransomware Victims Can Now Recover Their Files For Free (itworld.com)
itwbennett writes: 'Researchers from Kaspersky Lab and the Dutch Public Prosecution Service have obtained the last set of encryption keys from command-and-control servers that were used by CoinVault and Bitcryptor,' writes Lucian Constantin. 'Those keys have been uploaded to Kaspersky's ransomware decrypt or service that was originally set up in April with a set of around 750 keys recovered from servers hosted in the Netherlands.'
Pretty Amazing Really (Score:5, Interesting)
I've never been hit by one of these, but I realize it can cost people a lot of money due to some shitheads. I'm really glad a lot of these keys have been found and made public. I'm sure this won't be the end of ransomware...people will just use new keys, but hopefully this will help some of those who have clicked on a not-a-flash upgrade or bad e-mail attachment.
Re:Pretty Amazing Really (Score:5, Insightful)
"While it's a worthy effort, I suspect that it's mostly just a PR stunt though since I doubt very many people will actually be able to use these keys to avoid paying the ransom, given that the criminals will indeed switch to new keys pretty much overnight, potentially re-encrypting any data on PCs they have already compromised in the process if they can re-establish control via other C&C servers."
AFAIK the guys who did it are now in jail, which makes it a lot harder to change keys. Even if they didn't catch them all, the remaining bad guys may want to lay low for a while.
So, it looks pretty much like a success to me. Locking these guys up and retrieving the keys is pretty much the best you can do in such a case.
Re: (Score:3)
Again AFAIK these schemes install a trojan on your system which generates a unique private/public key pair. The private key is sent to the C&C server and stored while the public key is used to encrypt the data and discarded after use. They could even use symmetric encryption since key exchange is not a big problem in this scenario. In any case a new key is generated for each victim and sent back to the C&C server. If this is true, the 15000 keys would correspond to the number of victims (not files).
Re: (Score:3)
Shooting would be a problem when bad intel results in a raid of the wrong place. Plus, a dead bad guy can't assist the investigation until we can download the brain.
Re: (Score:2)
From what I understand these trojans give you a countdown timer before they wipe the key, so I think very few would keep an encrypted system around past that date on the very unlikely chance that the keys will be found somehow. People might drag their feet while the timer is running, but afterwards I expect 99.9%+ will fix their computer, wiping the encrypted drive in the process.
Re: (Score:2)
I would be surprised if they wipe the keys as fast as the countdown timers claim. Once they wipe a key, they can make 0 money from it. It would be smarter to threaten to jack the rates: "pay us by Tuesday or we double the ransom."
These guys provided 14,000 keys to Dutch law enforcement. It sure sounds like they didn't wipe them.
Re: (Score:3)
So the criminals won't be able to encrypt the files as there's no way to communicate with the infected machine.
Re: (Score:2)
I've never been hit by one of these, but I realize it can cost people a lot of money due to some shitheads. I'm really glad a lot of these keys have been found and made public. I'm sure this won't be the end of ransomware...people will just use new keys, but hopefully this will help some of those who have clicked on a not-a-flash upgrade or bad e-mail attachment.
I hope they recovered the keys from the shitheads using this technique [xkcd.com].
Re: (Score:3)
I've never been hit by one of these, but I realize it can cost people a lot of money due to some shitheads. I'm really glad a lot of these keys have been found and made public. I'm sure this won't be the end of ransomware...people will just use new keys, but hopefully this will help some of those who have clicked on a not-a-flash upgrade or bad e-mail attachment.
The droppers for these things are usually based in websites, no clicking on sketchy attachments required. Simply a plausible(ish) looking e-mail from a plausible(ish) sounding organization with a link to a site that will use a browser exploit of some kind and drop the thing onto the computer.
Hats off to Kaspersky (Score:3, Interesting)
They are truly good guys. Most of their competitors, F-Secure being the exception I guess, would have charged money for this service, or not even bothered in the first place.
Re: (Score:2)
They are truly good guys. Most of their competitors, F-Secure being the exception I guess, would have charged money for this service, or not even bothered in the first place.
Full marks to them for doing this, though they're not exactly perfect. It's only been two months since it came out that they were tricking competitors' products into identifying legitimate software as malware [slashdot.org]. Just like most big companies, sometimes they're awesome, sometimes they're terrible.
Re: (Score:2)
They can't have paid that much, given that they didn't manage to not insert an unwanted space in the word "decryptor". (Unless that was added by the "editor", of course).
750 keys (Score:2)
So the article says it's 750 keys.
Why do they have a decryption service ?
Why do we need to upload files ? Which could be a privacy problem, annoying when dealing with large numbers of files or large files.
Why not publish the keys ?
And maybe make a small program to make it easier to decrypt files.
Re:750 keys (Score:5, Informative)
it's a download https://noransom.kaspersky.com... [kaspersky.com]
Much Respect! (Score:4, Insightful)
A big salute to the people at Kaspersky Labs and the Dutch Public Prosecution Service.
Talk about earning goodwill, these guys (and gals) just banked a mountain of it as far as I'm concerned.
Re:Much Respect! (Score:5, Interesting)
This certainly isn't their only cool act of public service, either. I saw one of the Dutch guys presenting an interesting topic at Black Hat: How to preserve a powered on system during a raid using mouse jigglers and UPSes, and collecting forensic evidence while preserving chain of custody, good practical advice. The BH crowd eats that stuff for breakfast, but he was providing info that is useful to help train non-technical officers executing a warrant.
Decryption even possible? (Score:1)
I don't see why this is even an option. Randomly fry your files, claim encryption, hold for ransom, get money, vanish. It's not like they are operating legally anyway....
Compare that to FBI's Bonavolonta (Score:1)
http://finance.yahoo.com/news/fbi-recommends-pay-hackers-infect-185625373.html [yahoo.com]
Joseph Bonavolonta, the Assistant Special Agent who oversees the FBI’s CYBER and Counterintelligence Program in Boston, spoke at the 2015 Cyber Security Summit and advised that companies infected with ransomware may want to give in to the criminal’s demands.
“The ransomware is that good,” Bonavolonta explained to an audience of business and technology leaders during the Q&A. “To be honest, we often