Mark Ward, http://www.bbc.co.uk/news/ on 6th August 2014
All 500,000 victims of Cryptolocker can now recover files encrypted by the malware without paying a ransom.
The malicious program encrypted files on Windows computers and demanded a substantial fee before handing over the key to the scrambled files.
Thanks to security experts, an online portal has been created where victims can get the key for free.
The portal was created after security researchers grabbed a copy of Cryptolocker’s database of victims.
“This time we basically got lucky,” said Michael Sandee, principal analyst at Fox-IT – one of the security firms which helped tackle the cyber-crime group behind Cryptolocker.
In late May, law enforcement agencies and security companies seized a worldwide network of hijacked home computers that was being used to spread both Cryptolocker and another strain of malware known as Gameover Zeus.
This concerted action seems to have prompted an attempt by the gang to ensure one copy of their database of victims did not fall into police hands, said Mr Sandee.
What the criminals did not know, he said, was that police forces and security firms were already in control of part of the network and were able to grab the data as it was being sent.
The action also involved the FBI charging a Russian man, Evgeniy Bogachev, aka “lucky12345” and “slavik”, who is accused of being the ring leader of the gang behind Gameover Zeus and Cryptolocker.
The Gameover Zeus family of malware targets people who bank online, and is thought to have racked up millions of victims.
Cryptolocker was created by a sub-group inside the larger gang, said Mr Sandee, and first appeared in September 2013, since when it has amassed about 500,000 victims.
Those infected were initially presented with a demand for $400 (£327), 400 euros ($535; £317) or an equivalent amount in the virtual Bitcoin currency. Victims had 72 hours to pay up, after which the keys that would unlock their files would be destroyed.
Analysis of the back-up database indicates that only 1.3% of all the people hit by the malware paid the ransom.
Despite the low response rate, the gang is believed to have netted about $3m from Cryptolocker. Many of those caught out did not pay because they were able to restore files from back-ups.
However, others are believed to have lost huge amounts of important files and business documents to the cyber-thieves.
“There’s a bit of guesswork in that figure because some of it was paid in bitcoins and that does not have a fixed exchange rate,” said Mr Sandee.
Now, security firms Fox-IT and FireEye – which aided the effort to shut down the Gameover Zeus group – have created a portal, called Decrypt Cryptolocker, via which any of the 500,000 victims can find out the key to unlock their files.
“All they have to do is submit a file that’s been encrypted, and from that we can figure out which encryption key was used,” said Greg Day, chief technology officer at FireEye.
Mr Day said people wishing to use the portal should submit a file that did not contain sensitive information to help it verify which key they needed.