The recent arrests of criminals behind the GameOver Zeus botnet may have disrupted the CryptoLocker ransomware earlier this year, but it's left an endless stream of copycats in its wake.
Researchers this week identified yet another piece of crypto-ransomware for Windows machines called ZeroLocker. Like its predecessors, such as CryptoLocker, the malware encrypts files on infected machines with a strong encryption algorithm. The attackers then demand the victim pay a sum of money in order to buy the decryption key.
ZeroLocker has borrowed a few techniques from CryptoLocker to coerce victims to cough up payments early, according to Russian security vendor Kaspersky Lab.
As some victims found after becoming infected by CryptoLocker, the "decryption service" could be bought for around $200 using either Bitcoin or MoneyPak within 72 hours of the infection. If they didn't pay in that time, the price would rise to $2,232.
ZeroLocker's operators put a positive spin on the same coercive technique, promising an "early bird" price of $300 for a "license" to the decryption key within five days of infection. After that, the price rises to $600, before peaking at $1,000 after 10 days of non-payment.
ZeroLocker also only accepts payments in Bitcoin, meaning that at today's exchange rate, victims would need to buy 0.63 BTC to acquire the key in the early bird phase.
The recent file-encrypting attack on Synology's network attached storage (NAS) devices similarly demanded payments only in Bitcoin. According to a researcher from Finnish security vendor F-Secure, the gang behind the SynoLocker attack recently closed the operation and was offering to sell 5,500 private keys from it for 200 Bitcoin (roughly $95,000).
According to Kaspersky Lab researcher Roel Schouwenberg, ZeroLocker stands out from other similar attacks as it indiscriminately encrypts files.
"ZeroLocker adds a .encrypt extension to all files it encrypts. Unlike most other ransomware ZeroLocker encrypts virtually all files on the system, rather than using a set of pre-defined filetypes to encrypt. It doesn't encrypt files larger than 20MB in size, or files located in directories containing the words "Windows", "WINDOWS", "Program Files", "ZeroLocker" or "Desktop". The malware gets executed at boot from C:\ZeroLocker\ZeroRescue.exe," Schouwenberg noted.
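The indicators in that description (the .encrypt suffix, the boot-time binary at C:\ZeroLocker\ZeroRescue.exe, and the size and directory exclusions) are enough to build a simple triage sweep for a mounted or copied drive. The script below is an added example for this article, not code from Kaspersky Lab or from the article; it assumes the drive is available as a directory tree, matches the directory words case-sensitively as quoted, and builds its own small sample tree for demonstration. It encrypts nothing: the scope check only helps an incident responder judge whether the run finished or was interrupted.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the Kaspersky description quoted above.
ENCRYPTED_SUFFIX = ".encrypt"
PERSISTENCE_RELPATH = Path("ZeroLocker") / "ZeroRescue.exe"  # C:\ZeroLocker\ZeroRescue.exe
SKIP_SIZE_BYTES = 20 * 1024 * 1024                           # files over 20MB are left alone
SKIP_DIR_WORDS = ("Windows", "WINDOWS", "Program Files", "ZeroLocker", "Desktop")


def in_encryption_scope(relpath, size):
    """True if a file matches the published targeting rule.
    Used only to gauge how complete an infection was."""
    if size > SKIP_SIZE_BYTES:
        return False
    parent_parts = Path(relpath).parent.parts
    return not any(word in part for part in parent_parts for word in SKIP_DIR_WORDS)


def sweep_for_zerolocker(root):
    """Walk a drive root (or an image mounted as a directory) and report
    the persistence binary, renamed files, and in-scope files left untouched."""
    root = Path(root)
    findings = {
        "persistence_binary": (root / PERSISTENCE_RELPATH).is_file(),
        "encrypted_files": [],
        "untouched_in_scope": [],
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath, name)
            rel = full.relative_to(root).as_posix()
            if name.endswith(ENCRYPTED_SUFFIX):
                findings["encrypted_files"].append(rel)
            elif in_encryption_scope(rel, full.stat().st_size):
                findings["untouched_in_scope"].append(rel)
    findings["encrypted_files"].sort()
    findings["untouched_in_scope"].sort()
    return findings


def build_sample_tree(base):
    """Constructed sample layout (hypothetical, not a real infection image)."""
    base = Path(base)
    sample = {
        "docs/report.txt.encrypt": "ciphertext placeholder",
        "docs/notes.txt": "plain text, in scope but not renamed",
        "Windows/System32/kernel.dll": "excluded: directory contains 'Windows'",
        "Users/Public/Desktop/todo.txt": "excluded: directory contains 'Desktop'",
        "ZeroLocker/ZeroRescue.exe": "persistence indicator placeholder",
    }
    for rel, content in sample.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Build the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep_for_zerolocker(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real case, point sweep_for_zerolocker at the mount point of the affected volume; a non-empty untouched_in_scope list alongside many .encrypt files suggests the process was interrupted before it finished, which is worth recording before any cleanup.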
Victims of course need to decide for themselves whether to pay the ransom, and while most security experts and law enforcement advise against payment, some victims inevitably do pay to resolve the issue — even police departments.
But in this case, according to Schouwenberg, even though ZeroLocker victims probably won't be able to crack the secret key, they should not pay the fee either, due to a botched implementation of the botnet used to control infections.
"The malware generates one random 160-bit AES key to encrypt all the files with. Due to the way the key is generated the key space is somewhat limited, though still large enough to make general brute forcing unfeasible.
"After encryption the malware runs the cipher.exe utility to remove all unused data from the drive, making file recovery much harder. The encryption key, together with a CRC32 of the computer's MAC address, and the associated Bitcoin wallet is sent to the server.
"Interestingly enough, the encryption key along with the other information is sent through a GET request, rather than a POST. This results in a 404 on the server. This could mean that the server is not storing this information. That means victims who pay up may likely not see their files restored."
Schouwenberg speculated these bugs may be why Kaspersky Lab hasn't detected many infections yet, and why its inspection of the Bitcoin wallet addresses associated with the botnet isn't showing any transactions.