Decryption Keys Now Available for CryptoLocker

This is some of the best news the world of anti-virus and anti-malware could have hoped for: FireEye, in conjunction with Fox-IT, has found and released a potential way to retrieve the private decryption key needed to decrypt files encrypted by CryptoLocker. We have previously written several articles on CryptoLocker, the ransomware that began infecting computers in the 3rd quarter of 2013 and demanding payment of originally $300 and up to 10 Bitcoins (Bitcoin hit a high of over $1200 per coin, making that over $12,000 USD) to be sent the decryption key. For more information on CryptoLocker see this article and this article.

Until now the only way to decrypt your files was to pay the ransom and be sent the decryption key; many companies without enterprise-level backups found themselves doing exactly that. Those who had an enterprise-level backup in place had more options: restoring from backup and filling in any gaps with a relatively small amount of data entry.

Recently law enforcement, in association with other groups including FireEye and Fox-IT, made major breakthroughs against the perpetrators of CryptoLocker during Operation Tovar. During the operation some of the decryption keys were discovered, and those are now being made available. It is not a surefire solution for those with encrypted files, but it is a chance they didn't have before.

To find out whether the decryption key you need is available, go to the website that has been set up by FireEye and Fox-IT. Once at the site, upload one of your encrypted files and submit it along with an email address for the decryption key to be sent to. They will attempt to decrypt your file with one of the discovered decryption keys, and if they are successful you will receive an email with the key and instructions on how to decrypt the remainder of your encrypted files.


CyberVor May Have Stolen 2 Million Passwords

On the heels of the good news about CryptoLocker decryption keys being found, here is some bad news about another cyber crime group out of Russia, called CyberVor, which has stolen what is believed to be the largest number of online credentials to date.

The name CyberVor is not as strange as it seems, as vor is simply Russian for thief. This is not a name they have given themselves, but rather the name given to them by the company that discovered their actions.

It is believed that CyberVor has successfully stolen 1.2 billion usernames and passwords, along with 542 million email addresses, from over 400,000 different websites. That is a nearly unbelievable amount of data.

The information comes to us from Milwaukee company Hold Security, which used DEF CON in Las Vegas to announce its discovery of the theft. As part of the announcement, Hold Security is also promoting its identity monitoring services.

Hold Security has said, "Hackers did not just target US companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable." The reason they are still vulnerable, per Hold Security, is that CyberVor used botnets to identify websites with SQL injection vulnerabilities and then used those flaws to acquire the data. In layman's terms, they used a flaw in the way certain websites are programmed to gain access to the data.
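The "flaw in the way certain websites are programmed" referred to above is SQL injection. As an added illustration (not code from this article or from Hold Security), here is a user lookup built by pasting input into the SQL text, next to the parameterized fix, run against a constructed in-memory SQLite table:

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a website's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice@example.com", "hash-a"),
        ("bob@example.com", "hash-b"),
    ])
    return conn


def lookup_vulnerable(conn, email):
    # The flaw: the user-supplied value is concatenated into the SQL string,
    # so quotes and keywords in the input become part of the query itself.
    sql = "SELECT email, password_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # The fix: a parameterized query. The value is passed to the driver
    # separately from the SQL text and can only ever be compared as data.
    sql = "SELECT email, password_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed input that turns the WHERE clause into an always-true condition
# when it is concatenated into the query text.
TAUTOLOGY_INPUT = "' OR '1'='1"
```

With the constructed input, the concatenated query returns every row in the table, while the parameterized query returns none, because no account literally has that string as its email.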

One of the concerns with this discovery, as outlined in Graham Cluley's blog post "Security firm that revealed 'billion password' breach demands $120 before it will say if you're a victim", is that Hold Security is not offering much detail on the discovery. Hold Security has not provided information on which sites it has determined were victims of the attack, and thereby which online users should be concerned, nor has it provided details about a timeline, other than that it was a 7 month investigation.

As an alternative to providing Hold Security $120 and your passwords, which no IT professional I've ever met would recommend, go to HaveIBeenPwned to find out if your account has been part of any of the large data breaches. Below is an image of what information a breached account will receive.

In the end I have to say we all at Top Speed agree with Graham Cluley: there is something not right about a major disclosure like this with so few real facts being provided, where the only way to find out if you're a victim costs you money and requires submitting your passwords.

A couple of fake websites set up to look like Hold Security's password and email submission page, and people will just be victimized all over again...


UPS Store On Keystone Avenue Reportedly Breached By Malware

UPS Stores have reported that malware has been found on Point of Sale (PoS) systems in 51 stores around the country including one locally on Keystone Avenue.  Twenty-four states are reported to have stores affected by this malware.

This particular malware went undetected for quite some time, as it was not caught by anti-virus software. The malware found is believed to have compromised credit and debit card information, as well as postal and email addresses.

The breach includes approximately 100,000 transactions between January 20, 2014 and August 11, 2014; the exact dates vary by location. UPS spokesperson Chelsea Lee has said the company is not currently aware of any fraud related to the attack.

If you or anyone you know has shopped with a credit card at the Keystone Avenue location or any other affected UPS Store, make sure you take the necessary steps to protect yourself and pass the information on to others who may also be affected. Currently The UPS Store's advisory says they do "not have sufficient customer information to contact potentially affected customers." So it is now up to the community and social media to spread this information so that anyone who may have been affected can act before they experience any kind of credit or debit card fraud.

From Tim David, President of The UPS Store, "Please know we take our responsibility to protect customer information seriously and have committed extensive resources to addressing this incident. We understand this type of incident can be disruptive and apologize for any anxiety this may have caused."

If you shopped at The UPS Store and are concerned you're at risk, make sure you make use of the free credit monitoring being offered. For a full list of affected stores, see below. For the Data Security Incident Information or the AllClear ID protection being offered, click here.

This is another example of the kind of PoS malware previously seen in the Target breach. It seems clear that PoS malware is becoming a larger and more serious threat to retail stores, and it is important that companies take steps toward securing their Point of Sale systems.

[Images: list of affected UPS Store locations]


A Copycat Of CryptoLocker Has Appeared In The Wild

Another group has made a copycat of CryptoLocker, and they have gone so far as to use the CryptoLocker name. Recently, though, some users are seeing the infection identified as TorrentLocker; perhaps the original creators of CryptoLocker are feeling territorial about the use of their name. Beyond the stolen name and the fact that both are ransomware, these two infections are not the same.

This new CryptoLocker encrypts all of your data and renames the files with a .encrypted file extension. Notably, this version does not delete shadow volume copies, which in some cases can be used to recover files. You then receive a ransom note, so to speak, giving you a link to purchase the decryption key for your files. The cost of the decryption key is 1.8 Bitcoins and, interestingly, is posted in AUD, Australian currency. 1.8 Bitcoins may seem like an odd amount, but at the time of this CryptoLocker's release it was equal to 1,000 AUD.

Upon clicking the link you are sent to a website that, at least in some screenshots, provides a Buy It Now price and a Buy It Later price as well as the total number of files encrypted. Clearly wanting to make sure you are able to buy the decryption key, the site also offers information on how to register a Bitcoin wallet and how to purchase Bitcoins. This infection is using a static Bitcoin address, so anyone can go and see the payment activity associated with those purchasing the decryption key. As of this morning the total Bitcoins received stands at 77.52790304 BTC, or roughly $36,876 USD, since late August. The cyber criminals' haul is over $35k USD in just over 2 weeks. Looking at a haul like that, it should be clear to everyone why this kind of crime isn't going anywhere and why a quality enterprise backup solution is a must have for any business. Call or email Top Speed today at 775-852-1811 to learn what an Enterprise Backup Solution will do to protect your company's valuable data.
