The creators of CryptoLocker, a piece of malware that encrypts user data and holds it for ransom, are giving users who removed the malicious program from their computers a second chance to recover their files, but at a much higher cost.
CryptoLocker is a malicious program that falls into a category of malware called ransomware. Once installed on a computer, ransomware applications typically prevent victims from accessing their files or even their operating system until they pay money to the malware authors.
Security researchers generally advise users against giving in to this kind of extortion, and in many cases there is a way to regain access to everything without paying up.
However, CryptoLocker uses solid public-private key cryptography to encrypt files that match a long list of extensions, including documents, spreadsheets, images and even AutoCAD design files. According to researchers from antivirus firm Sophos, the malware's creators got the encryption process right and there's no method to get the decryption keys, which are unique for every computer and are stored on attackers' servers, without paying up.
After it infects a computer, CryptoLocker displays a message informing victims that if they don't pay the equivalent of US$300 or €300 in Bitcoins, a virtual currency, or via MoneyPak, a type of prepaid card, within 72 hours, the unique decryption key for the files will be automatically destroyed.
Users who regularly back up their data can clean their computers and restore the affected files from backups, but users who don't have backups should consider those files lost, the Sophos researchers said.
Some files might be recoverable using the Shadow Copy technology, which is an integral part of the System Restore feature in Windows.
However, even users who have backups might realize that they're not enough to repair the damage done by the malware. Those backups might be too old or they might not include files from remote network shares that have also been encrypted by the malware.
It seems that the creators of CryptoLocker considered that possibility and realized that some users might have initially removed the malware, but then, for whatever reason, changed their mind about paying up. As a result, they've recently started offering an online decryption service that allows such users to still recover their files, but at a much higher price.
"Apparently the crooks will now let you buy back your key even if you didn't follow their original instructions," Paul Ducklin, the head of technology for the Asia-Pacific region at Sophos, said Monday in a blog post. "Word on the street, however, is that the crooks want five times as much as they were charging originally to decrypt your data after you change your mind."