Locker ransomware author dumps database of private keys, apologizes

Posted on by Dissent

Wow. Seen on Pastebin last night:

Hi,

I am the author of the Locker ransomware and I’m very sorry about that has happened. It was never my intention to release this.

I uploaded the database to mega.co.nz containing “bitcoin address, public key, private key” as CSV.

This is a dump of the complete database and most of the keys weren’t even used. All distribution of new keys has been stopped.

https://mega.co.nz/#!W85whbSb!kAb-5VS1Gf20zYziUOgMOaYWDsI87o4QHJBqJiOW6Z4

Automatic decryption will start on 2nd of june at midnight.

@devs, as you might be aware the private key is used in the RSACryptoServiceProvider class .net and files are encrypted with AES-256 bit using the RijndaelManaged class.

This is the structure of the encrypted files:

– 32 bit integer, header length
– byte array, header (length is previous int)
*decrypt byte array using RSA & private key.

Decrypted byte array contains:
– 32 bit integer, IV length
– byte array, IV (length is in previous int)
– 32 bit integer, key length
– byte array, Key (length is in previous int)

– rest of the data is the actual file which can be decrypted using Rijndaelmanaged and the IV and Key

Again sorry for all the trouble.

Poka BrightMinds

~ V

SecurityAffairs adds:

File Information
Name: database_dump.csv
Size: 127.5 MB
MD5: d4d781412e562b76fe0db0977cf6279b
SHA-1: 6ba671ce2a6c256c74d7db81186b0dbddd5e2185
SHA-256: d7fd791b86615fada64fe0290aecb70e5584b9ac570e7b55534555a3b468b33f
VirusTotal: https://www.virustotal.com/en/file/d7fd791b86615fada64fe0290aecb70e5584b9ac570e7b55534555a3b468b33f/analysis/1433015747/
Based on a brief analysis, the file seems non-malicious and does contain a large quantity of RSA keys.
The CSV file contains Bitcoin addresses and RSA keys.
Open at your own risk, until further analyses are performed.

Risk Based Security also took a look at the dump and writes:

RBS analysis shows the CSV contains 62,703 rows giving an idea of the systems involved, and has also been confirmed on a Bleeping Computer thread as having some keys matching bitcoins to victims by a few people.

RBS cautions:

It remains to be seen how this will play out over the coming days. Regardless, RBS recommends that infected systems be fully re-installed and re-patched to better ensure security.

Category: MalwareOf Note