Locker ransomware author quickly apologizes, decrypts victims’ files

Almost as quickly as reports of new ransomware, dubbed “Locker,” prompted security experts to warn users of the threat, the author of the malware posted a message on Pastebin apologizing for resulting scams.

Along with their apology posted on Saturday, the malware author “Poka BrightMinds” also dumped the complete database of the malware's decryption keys, so that victims could restore their "locked" files. The author added that automatic decryption of some files would start on Tuesday at midnight, and that, as of the posting, “most of the keys weren't even used,” but that “all distribution of new keys has been stopped.”

Details about the Locker ransomware surfaced last week, after a lengthy thread on BleepingComputer.com, which discussed the malware and included screenshots of the warning messages to victims.

In Tuesday email correspondence with SCMagazine.com, security researcher Lawrence Abrams, the creator and owner of BleepingComputer.com, confirmed that “the Locker developer kept their promise and decrypted everyone who was still infected for free,” that day.

Locker was previously known to run silently on victims' computers until it was activated. At that point, the malware would employ RSA encryption to lock users' files.

Symantec, which analyzed the ransom payments victims made via Bitcoin, said in a Tuesday blog post that the author only made $169 from victims before closing up shop, speculating that “the sudden change of heart” by the author may have been brought on for a number of reasons, such as fear that law enforcement were on their tracks, that the risk of getting caught was not worth their earnings, or that the command-and-control infrastructure for the malware itself was compromised.

Another option?

“The malware author actually regretted their actions,” Symantec added.

“Crypto ransomware malware authors have been known in the past to have a conscience, as we highlighted in an earlier blog: ‘OMG a Ransomcrypt Trojan with a Conscience!’” the blog post said.
