Encryption only excludes data in the directories “Windows”, “Desktop” and “Program Files”. According to Kaspersky, the criminals charge between $300 and $1000 in ransom, payable only in the digital currency Bitcoin.
Kaspersky warns of the newly discovered ransomware Zerolocker for Windows. It resembles Cryptolocker and encrypts files with a strong algorithm; the cybercriminals behind it demand a ransom for the key. Unlike most ransomware, Zerolocker does not encrypt selectively: regardless of file type, it takes almost every file on an affected system.
“Zerolocker adds ‘.encrypt’ to all the files it encrypts,” writes Kaspersky researcher Roel Schouwenberg on a blog. “Unlike other ransomware, Zerolocker encrypts virtually all the files in a system instead of just encrypting predefined file types.” The only exceptions are files larger than 200 MB and files in the directories “Windows”, “Program Files”, “Zerolocker” and “Desktop”. The malware itself runs from the directory C:\Zerolocker.
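The targeting rule just described, applied as a responder's scoping check rather than as malware: the Go program below is an added example, not Kaspersky's or Zerolocker's code. It classifies a constructed file inventory by the reported rules (excluded directories, the 200 MB cap, the appended .encrypt suffix) and maps encrypted names back to their originals. Two assumptions are made for the demonstration: an excluded directory name anywhere in a path counts, not only at the drive root, and the size cap is exactly 200 MB; the inventory entries are made up.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is one line of a file inventory taken from the affected machine: path and size in bytes.
type Entry struct {
	Path string
	Size int64
}

// Exclusions as reported by Kaspersky: these directories are skipped and files over 200 MB are
// left alone. Matching the name in any path component is an assumption for this example; the
// report does not say whether only top-level folders count.
var excludedDirs = []string{"Windows", "Program Files", "ZeroLocker", "Desktop"}

const maxTargetSize int64 = 200 * 1024 * 1024

const encryptedSuffix = ".encrypt"

// Outcome is what the reported rules would do with one file.
type Outcome string

const (
	Target           Outcome = "would be encrypted"
	ExcludedDir      Outcome = "skipped: excluded directory"
	ExcludedSize     Outcome = "skipped: larger than 200 MB"
	AlreadyEncrypted Outcome = "already carries .encrypt"
)

// Classify applies the reported targeting rules to one inventory entry.
func Classify(e Entry) Outcome {
	norm := strings.ReplaceAll(e.Path, `\`, "/")
	if strings.HasSuffix(strings.ToLower(norm), encryptedSuffix) {
		return AlreadyEncrypted
	}
	comps := strings.Split(norm, "/")
	for _, c := range comps[:len(comps)-1] { // directory components only, not the file name
		for _, d := range excludedDirs {
			if strings.EqualFold(c, d) {
				return ExcludedDir
			}
		}
	}
	if e.Size > maxTargetSize {
		return ExcludedSize
	}
	return Target
}

// OriginalName undoes the appended suffix so .encrypt files can be mapped back to what they were.
func OriginalName(p string) string {
	if strings.HasSuffix(strings.ToLower(p), encryptedSuffix) {
		return p[:len(p)-len(encryptedSuffix)]
	}
	return p
}

// Summarize counts outcomes over a whole inventory: how many files are at risk or lost
// versus untouched, which is the first number a responder needs.
func Summarize(inv []Entry) map[Outcome]int {
	counts := map[Outcome]int{}
	for _, e := range inv {
		counts[Classify(e)]++
	}
	return counts
}

func main() {
	// Constructed inventory for the example; not data from a real infection.
	inv := []Entry{
		{`C:\Users\alice\Documents\thesis.docx`, 2 << 20},
		{`C:\Users\alice\Desktop\todo.txt`, 512},
		{`C:\Windows\System32\kernel32.dll`, 700 << 10},
		{`C:\Program Files\Vendor\app.exe`, 40 << 20},
		{`C:\ZeroLocker\ZeroLocker.exe`, 300 << 10},
		{`C:\Backups\vm-disk.vhd`, 20 << 30},
		{`C:\Users\alice\Pictures\holiday.jpg.encrypt`, 3 << 20},
	}
	for _, e := range inv {
		fmt.Printf("%-50s %s\n", e.Path, Classify(e))
	}
	for k, v := range Summarize(inv) {
		fmt.Printf("%-28s %d\n", k, v)
	}
	fmt.Println("original name:", OriginalName(inv[6].Path))
}
```

On a live case the inventory would come from a directory walk or a forensic image listing; the classification is the same, and a count of AlreadyEncrypted against Target gives a quick read of how far the run got before it was stopped.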
The backers of the new ransomware have also adopted Cryptolocker’s tactic of offering a discount if the victim buys the key to release his files within five days of infection. After that, the price doubles from $300 to $600, and from the tenth day of the infection the cybercriminals demand $1000. Victims can pay only in bitcoins.
Security experts and prosecutors advise victims of this ransomware not to pay. Because of a bug in Zerolocker, its backers probably could not even supply a correct decryption key.
“The malware generates a 160-bit AES key that encrypts all files. Interestingly, the key is sent along with other data through a GET request, rather than a POST. This leads to a 404 error on the server,” Schouwenberg continued. “That could mean that the server does not store the information at all. Victims who pay are unlikely to see their files being restored.”
So far Zerolocker is not widespread, which is also due to this bug. In addition, a review of the Bitcoin wallet addresses belonging to the Zerolocker botnet showed that no transactions had been made.
However, Schouwenberg considers recovering encrypted files without the key unlikely. Although the cybercriminals limited the size of the key, a 160-bit key space (roughly 10^48 candidates) is still far too large to search by brute force.
For Cryptolocker, a decryption tool is now available, though only a good eight months after its discovery. It is called DecryptCryptolocker and works on the basis of the criminals’ keys: affected users simply upload a file encrypted by the malware, and the service determines the matching private key from it. The tool does not work for all variants.
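How a single encrypted file can pin down which private key a victim needs, as an added example in Go. This is not DecryptCryptolocker’s code, and the file layout it uses (an RSA-OAEP-wrapped AES-256-GCM key, followed by the GCM nonce and the ciphertext) is an assumption made for the demonstration, not Cryptolocker’s real format; the campaign keys and the sample file are generated inside the program. The point shown is that only the matching private key yields a valid OAEP decryption of the wrapped key, so trying each recovered key against the file header identifies the right one without any other information about the victim.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed file layout for this example (not Cryptolocker's real format):
// [256-byte RSA-2048/OAEP wrapped AES-256 key][12-byte GCM nonce][GCM ciphertext and tag]
const (
	wrappedKeyLen = 256
	nonceLen      = 12
)

// EncryptFile plays the malware's part: wrap a fresh AES key under the campaign public key
// and encrypt the plaintext with it, so the matching step below has a realistic input.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(wrapped, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// IdentifyKey tries each recovered private key against the wrapped header. OAEP decryption
// only succeeds under the matching key (the padding check fails for every other one), which
// is what lets one encrypted file select the right key out of a whole set of recovered keys.
// It returns the index of the matching key and the unwrapped AES key.
func IdentifyKey(keys []*rsa.PrivateKey, file []byte) (int, []byte, error) {
	if len(file) < wrappedKeyLen+nonceLen {
		return -1, nil, errors.New("file too short to carry a wrapped key")
	}
	wrapped := file[:wrappedKeyLen]
	for i, k := range keys {
		if k.Size() != wrappedKeyLen { // a key of the wrong modulus size cannot be the one
			continue
		}
		aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, k, wrapped, nil)
		if err == nil {
			return i, aesKey, nil
		}
	}
	return -1, nil, errors.New("no recovered key matches this file")
}

// DecryptFile recovers the plaintext once the AES key has been unwrapped.
func DecryptFile(aesKey, file []byte) ([]byte, error) {
	if len(file) < wrappedKeyLen+nonceLen {
		return nil, errors.New("file too short")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := file[wrappedKeyLen : wrappedKeyLen+nonceLen]
	return gcm.Open(nil, nonce, file[wrappedKeyLen+nonceLen:], nil)
}

func main() {
	// Three "recovered" campaign keys, generated here for the demo; the victim's file was
	// made with the second one, and the identification step has to find that out by itself.
	var keys []*rsa.PrivateKey
	for i := 0; i < 3; i++ {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			panic(err)
		}
		keys = append(keys, k)
	}
	file, err := EncryptFile(&keys[1].PublicKey, []byte("quarterly report, constructed sample"))
	if err != nil {
		panic(err)
	}
	idx, aesKey, err := IdentifyKey(keys, file)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptFile(aesKey, file)
	if err != nil {
		panic(err)
	}
	fmt.Printf("file matches recovered key #%d; plaintext: %q\n", idx, plain)
}
```

The caveat the article's last sentence points at follows directly from this: the approach only works for files whose wrapped key was made under one of the recovered private keys, so a variant that used a key pair the investigators never obtained produces no match.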