New ZeroLocker crypto-ransomware offers discount for paying up quickly - or $1,000 in Bitcoin

Summary: File-encrypting ransomware keeps rolling in with a new gang that appears to be beta-testing its product.

[Image: ZeroLocker ransom screen. Credit: Kaspersky]

The recent arrests of criminals behind the GameOver Zeus botnet may have disrupted the CryptoLocker ransomware earlier this year, but it's left an endless stream of copycats in its wake.

Researchers this week identified yet another piece of crypto-ransomware for Windows machines called ZeroLocker. Like its predecessors, such as CryptoLocker, the malware encrypts files on infected machines with a strong encryption algorithm. The attackers then demand the victim pay a sum of money in order to buy the decryption key.

ZeroLocker has borrowed a few techniques from CryptoLocker to coerce victims to cough up payments early, according to Russian security vendor Kaspersky Lab. 

As some victims found after becoming infected by CryptoLocker, the "decryption service" could be bought for around $200 using either Bitcoin or MoneyPak within 72 hours of the infection. If they didn't pay in that time, the price would rise to $2,232.

ZeroLocker's operators put a positive spin on the same coercive technique, promising an "early bird" price of $300 for a "license" to the decryption key within five days of infection. After that, the price rises to $600, before peaking at $1,000 after 10 days of non-payment.

ZeroLocker also only accepts payments in Bitcoin, meaning that at today's exchange rate, victims would need to buy 0.63 BTC to acquire the key in the early bird phase.

The recent file-encrypting attack on Synology's network attached storage (NAS) devices similarly demanded payment only in Bitcoin. According to a researcher from Finnish security vendor F-Secure, the gang behind the SynoLocker attack recently closed the operation and was offering to sell the 5,500 private keys from it for 200 Bitcoin (roughly $95,000).

According to Kaspersky Lab researcher Roel Schouwenberg, ZeroLocker stands out from other similar attacks as it indiscriminately encrypts files.

"ZeroLocker adds a .encrypt extension to all files it encrypts. Unlike most other ransomware ZeroLocker encrypts virtually all files on the system, rather than using a set of pre-defined filetypes to encrypt. It doesn't encrypt files larger than 20MB in size, or files located in directories containing the words 'Windows', 'WINDOWS', 'Program Files', 'ZeroLocker' or 'Desktop'. The malware gets executed at boot from C:\ZeroLocker\ZeroRescue.exe," Schouwenberg noted.
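The targeting rule in the quote above is concrete enough to model. The following is an added example, not Kaspersky's or ZDNet's code: it encodes the reported rule (skip files larger than 20MB and anything whose directory path contains one of the five listed words, everything else gets encrypted and renamed with a .encrypt extension) as a predicate, and runs a simple triage over a file listing for the two host indicators the report gives, the .encrypt extension and the boot-time executable C:\ZeroLocker\ZeroRescue.exe. The file listings are constructed for the example; the case-sensitive substring match on the directory path, the 20 MiB reading of "20MB", and the function names are assumptions of the example rather than details from the report.

```python
# Added example (not Kaspersky's or ZDNet's code): models the ZeroLocker
# file-selection rule as reported by Kaspersky and triages a file listing for
# the indicators in that report. Paths are Windows-style strings handled with
# ntpath, so the example runs on any OS. The listings below are constructed.
import ntpath

# Limits and indicators taken from the reported behaviour.
EXCLUDED_DIR_WORDS = ("Windows", "WINDOWS", "Program Files", "ZeroLocker", "Desktop")
MAX_SIZE_BYTES = 20 * 1024 * 1024                  # "larger than 20MB" is skipped (20 MiB assumed)
ENCRYPTED_EXT = ".encrypt"                         # appended to every encrypted file
PERSISTENCE_PATH = r"C:\ZeroLocker\ZeroRescue.exe"  # reported boot-time executable


def would_encrypt(path: str, size: int) -> bool:
    """True if the reported rule would select this file for encryption.

    Assumption: the directory test is a literal, case-sensitive substring
    match. The report lists 'Windows' and 'WINDOWS' separately, which is what
    a case-insensitive match would make redundant.
    """
    if size > MAX_SIZE_BYTES:
        return False
    directory = ntpath.dirname(path)
    return not any(word in directory for word in EXCLUDED_DIR_WORDS)


def at_risk(listing):
    """Paths from a (path, size) listing that the rule would encrypt."""
    return [path for path, size in listing if would_encrypt(path, size)]


def triage(listing):
    """Post-infection indicators in a (path, size) listing: renamed files
    and the persistence executable (compared case-insensitively)."""
    encrypted = [p for p, _ in listing if p.lower().endswith(ENCRYPTED_EXT)]
    persistence = [p for p, _ in listing
                   if ntpath.normcase(p) == ntpath.normcase(PERSISTENCE_PATH)]
    return {"encrypted_files": encrypted, "persistence": persistence}


# Constructed listing of a clean host, used to show what the rule would hit.
CLEAN_HOST = [
    (r"C:\Users\alice\Documents\report.docx", 120_000),
    (r"C:\Users\alice\Desktop\notes.txt", 5_000),                 # 'Desktop' spares it
    (r"C:\Users\alice\Pictures\Windows Trip\beach.jpg", 3_000_000),  # substring match spares it
    (r"C:\Windows\System32\kernel32.dll", 700_000),
    (r"C:\Program Files\App\app.exe", 2_000_000),
    (r"C:\Users\alice\Videos\holiday.mp4", 900_000_000),          # over the size limit
    (r"D:\backup\photos.zip", 20 * 1024 * 1024),                  # exactly 20 MiB: not "larger"
    (r"C:\ZeroLocker\ZeroRescue.exe", 300_000),                   # the malware spares itself
]

# Constructed listing of the same host after infection.
INFECTED_HOST = [
    (r"C:\Users\alice\Documents\report.docx.encrypt", 120_016),
    (r"C:\Users\alice\Desktop\notes.txt", 5_000),
    (r"C:\ZeroLocker\ZeroRescue.exe", 300_000),
]


if __name__ == "__main__":
    print("Files the rule would encrypt on the clean host:")
    for path in at_risk(CLEAN_HOST):
        print("  ", path)
    print("Triage of the infected host:", triage(INFECTED_HOST))
```

Two things the model makes visible that the quote only implies: the Desktop exclusion spares a user's Desktop folder while everything under Documents, Pictures and network-mapped drives is hit, and a plain substring match also spares any user directory that happens to contain one of the words (the "Windows Trip" folder above). A real-world triage would walk the filesystem with os.walk instead of a constructed listing and would also check the boot-time persistence mechanism, which the report does not specify.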

Victims of course need to decide for themselves whether to pay the ransom, and while most security experts and law enforcement advise against payment, some victims inevitably do pay to resolve the issue — even police departments.

But in this case, according to Schouwenberg, ZeroLocker victims should not pay the fee either, even though they probably won't be able to recover the secret key on their own, because the malware's reporting of that key back to its command-and-control server is botched.

"The malware generates one random 160-bit AES key to encrypt all the files with. Due to the way the key is generated the key space is somewhat limited, though still large enough to make general brute forcing unfeasible.

"After encryption the malware runs the cipher.exe utility to remove all unused data from the drive, making file recovery much harder. The encryption key, together with a CRC32 of the computer's MAC address, and the associated Bitcoin wallet is sent to the server.

"Interestingly enough, the encryption key along with the other information is sent through a GET request, rather than a POST. This results in a 404 on the server. This could mean that the server is not storing this information. That means victims who pay up may likely not see their files restored."

Schouwenberg speculated that these bugs may be why Kaspersky hasn't detected many infections yet, and why its inspection of the Bitcoin wallet addresses associated with the botnet isn't showing any transactions.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Talkback

4 comments
  • Why are people still using Windows?

    'directories containing the words "Windows",'

    You'd think after being a "Target" of thieves, people would learn. Nope.
    Tony Burzio
    • Why are people still using Windows, you ask?

      Naturally, they like getting stuff done.

      You would think people like you would have learned that. Nope.
      William.Farrel
  • Cannot stress it more: protect, protect protect

    The recent attempt to bring down CryptoLocker has only caused a surge in the hearts of the cyber criminals. It's hard to keep up with them. I had heard of CryptoWall and Critoni, but not of ZeroLocker. While I don't know about this ZeroLocker, good software to get rid of CryptoLocker was Rollback Rx. It is an instant restore software that removes this ransomware.
    fastjt
    • Did I miss it?

      What is the attack vector? What systems (Windows XP vs Windows 8+) are affected? Which applications are vulnerable (Office 2000 vs Office 2013, IE 11 vs IE 8 vs Chrome)?
      Earthling2