Since the success of Cryptolocker, new ransomware strains that encrypt their victims' files have been appearing almost daily, and in almost all cases the affected user has no way out: either pay or forget about the files. A recently detected Ransomcrypt Trojan is different. It lets users request a decryption key without paying, provided they are willing to wait a month.
According to Kevin Savage of Symantec, the Ransomcrypt Trojan is otherwise no different from other members of its family, but its authors claim that users who do not wish to pay the ransom for the unlock key are entitled to a free unlock if they wait a month from the day their personal files were encrypted.
“P.S. Remember, we are not scammers. We don’t need your files,” reads the ‘how to get data.txt’ file that the Trojan drops alongside the encrypted files.
“If you want, you can get a decryptor for free after a month. Just send a request immediately after infection. All data will be restored absolutely. Your warranty – decrypted samples and positive feedbacks from previous users.”
According to Savage's write-up, every encrypted file is given an extra ‘OMG!’ extension, and the text file with the recovery instructions is dropped into the directory that holds the encrypted files.
Savage also notes that infected users will find a string of characters in the ‘how to get data.txt’ file. This string is made up of an encrypted cryptographic key and the infection timestamp. The key is the one used to encrypt the user's files, and therefore the one needed to decrypt them; it is itself encrypted with an RSA public key that ships in the Trojan's configuration file.
The ransomware authors hold the corresponding private key, with which they can recover the original key used to encrypt the user's files. They are most likely using the infection timestamp to verify when a user's data was encrypted, and so whether the month has elapsed.
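The scheme Savage describes is ordinary hybrid encryption with the symmetric key escrowed to the attackers: the victim's machine only ever holds the RSA public key, so nothing on it can recover the file key. The Go program below is an added model of that scheme, not the Trojan's code and not Symantec's analysis: `infect` plays the Trojan, `releaseKey` plays the operators' manual key-retrieval step, and `freeUnlockAfter` encodes the advertised one-month wait. The note payload layout (a 32-byte AES key followed by an 8-byte Unix timestamp), the base64 encoding of the note string, AES-GCM for the data and RSA-OAEP for the envelope are all assumptions; the article only says the note string contains an encrypted key and an infection timestamp. One point the article leaves open is where the timestamp lives. The model seals it inside the RSA envelope, because a timestamp left in the clear could simply be edited by the victim to claim the free decryptor on day one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"time"
)

// Added model of the escrow scheme described in the article, not the Trojan's
// code; the 32-byte key || 8-byte timestamp layout and base64 note are assumed.
const freeUnlockAfter = 30 * 24 * time.Hour

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesGCMSeal encrypts victim data under the per-victim key; the nonce is prepended.
func aesGCMSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func aesGCMOpen(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

// infect is the Trojan side: a fresh key encrypts the data, then key and infection
// time are sealed with RSA-OAEP under the operators' embedded public key.
func infect(operatorPub *rsa.PublicKey, data []byte, infectedAt time.Time) (ciphertext []byte, note string, err error) {
	key := make([]byte, 32) // AES-256 key, unique per victim, never kept on the host
	if _, err = rand.Read(key); err != nil {
		return nil, "", err
	}
	if ciphertext, err = aesGCMSeal(key, data); err != nil {
		return nil, "", err
	}
	// Timestamp inside the RSA envelope: the victim cannot backdate the note.
	payload := make([]byte, 40)
	copy(payload, key)
	binary.BigEndian.PutUint64(payload[32:], uint64(infectedAt.Unix()))
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, operatorPub, payload, nil)
	if err != nil {
		return nil, "", err
	}
	return ciphertext, base64.StdEncoding.EncodeToString(sealed), nil
}

// releaseKey is the operator side: only the private key opens the note, and
// the embedded timestamp decides whether the free decryptor is due yet.
func releaseKey(priv *rsa.PrivateKey, note string, now time.Time, paid bool) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(note)
	if err != nil {
		return nil, err
	}
	payload, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed, nil)
	if err != nil || len(payload) != 40 {
		return nil, fmt.Errorf("cannot open note: wrong private key or malformed payload")
	}
	infectedAt := time.Unix(int64(binary.BigEndian.Uint64(payload[32:])), 0)
	if wait := freeUnlockAfter - now.Sub(infectedAt); !paid && wait > 0 {
		return nil, fmt.Errorf("free decryptor not yet available, %s to go", wait.Round(time.Hour))
	}
	return payload[:32], nil
}

func main() {
	operator, _ := rsa.GenerateKey(rand.Reader, 2048)
	t0 := time.Date(2014, 5, 1, 12, 0, 0, 0, time.UTC) // constructed infection time
	ct, note, _ := infect(&operator.PublicKey, []byte("constructed victim document"), t0)
	_, early := releaseKey(operator, note, t0.Add(10*24*time.Hour), false)
	key, _ := releaseKey(operator, note, t0.Add(31*24*time.Hour), false)
	pt, _ := aesGCMOpen(key, ct)
	fmt.Printf("day 10: %v\nday 31: %s\n", early, pt)
}
```

Run stand-alone, the program refuses the request on day 10 and hands back the key on day 31, after which `aesGCMOpen` recovers the in-memory sample. The same `releaseKey` call with `paid` set to true models the paid path. Whether the real operators honour the free path is exactly the question the article raises; the model only shows that the cryptography gives them, and nobody else, the ability to do so.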
Savage notes that most ransomware of this kind automates key retrieval, but the authors of the new Ransomcrypt Trojan have opted for a manual approach, possibly because they really do intend to offer a free decryptor.