(Locky) Ransomware author's bravado shot down by release of decryption keys


So explain this.

The last few Locky spams I've gotten had .js files packaged as .zip.

When you look for video examples of people messing around with Locky
exploit files (they're triggering the malware to run on their system and
showing it encrypt files in real-time), the Locky examples are .doc
files, the ones that leverage a particular Word macro exploit.

I can't find any such examples of people messing with the .js Locky.

And I can find no description of a use-case as to how the .js exploit is
triggered from an email spam attachment.


Ransomware author's bravado shot down by release of decryption keys

March 14, 2016

Security researchers have put a pompous computer criminal in their
rightful place after releasing the decryption keys for their ransomware.

Lawrence Abrams of Bleeping Computer writes that the ransomware, which
was released last week, encrypts users' files using AES encryption,
appends the .LOCKED extension to all files, and demands that victims pay
a fee of 0.5 BTC (approximately US $210) in exchange for the decryption
key. All things considered, a pretty standard piece of malware...

...with a truly annoying developer behind it.

In their ransom note, the extortionist prides themselves on their
experience creating malware and on their success in hiding from the
authorities. You can read the message in full here, but provided below
is a selection of some of the developer's more "self-assured" comments:


    "You'll never be able to find me. Police will never be able to find
me. Go ahead and try them if you like, but don't expect your data back.
They will be concerned about helping the community, not with helping you
meet your deadline. If they say they need to keep your desktop for a few
days, well lol, you probably won't be seeing your machine again soon,
let alone your data. I've been doing this for five years now and haven't
been caught yet."

    "...Just be thankful that it wasn't worse. I could have asked for
more money. I could have been working for ISIS and saving that money to
behead children. I could have been a mean SOB and just destroyed your
data outright. Am I those things? No. I just need the money to live off
of (true story) and don't care at all about the hacker 'community'. So
there isn't anyone you will be protecting by sacrificing yourself. I'll
just encrypt more people's data to make up for the loss."

That's more than enough to get anyone's blood boiling.

Fortunately, the developer has since been served their just deserts.

Though they succeeded in infecting 700 victims over the course of one
day, including three users who ended up paying the ransom fee, the
ransomware author originally based their malware on EDA2, a
file-encrypting project which found itself in hot water earlier this
year when a criminal used it to develop the ransomware known as Magic.


Utku Sen, the man behind the project, intentionally inserted a backdoor
into his code when he first developed EDA2 to make sure he could check
potential abuses of his code. It is this backdoor access Sen leveraged
in this particular case to obtain a list of decryption keys, which are
now available for download.
To be sure, some thanks are owed to Utku Sen for helping the hundreds of
users affected by this ransomware. However, it's worth noting that none
of this would have happened if the researcher hadn't published his EDA2
project online in the first place.

Malware analysis is a good thing. It teaches us about how online threats
continue to evolve on a day-to-day basis.

Even so, only researchers with abundant technical expertise should be
able to access samples of malicious code. Malware should never be
published online for any reason; bad actors will always find a way to
co-opt the code for their own nefarious purposes.


Re: (Locky) Ransomware author's bravado shot down by release of decryption keys

Virus Guy pretended:

The user clicks on the unzipped js file. You shouldn't assume that the
user is never involved in the vector.

Re: (Locky) Ransomware author's bravado shot down by release of decryption keys

Why, do you think, are there several keys in the .csv file with..

!!!Error decrypting key!!!

?? Are those folks just out of luck?


Re: (Locky) Ransomware author's bravado shot down by release of decryption keys

On Tuesday, March 15, 2016 at 10:05:13 PM UTC+8, Virus Guy wrote:

The braggart ransomware author sounds like our own Dustin of this group, except the author has a better skill set.
