In a rather bizarre turn of events, an anonymous individual has stepped forward claiming to be the developer of the ransomware known as Locker and has published the private keys needed to decrypt computers or files taken over by the malware.
“I’m very sorry about that has happened,” a pastebin signed Poka BrightMinds read Saturday. “It was never my intention to release this.”
A CSV file labeled database_dump containing bitcoin address information and RSA keys was published online, alongside information on the structure of the malware’s encrypted file system. The alleged Locker ransomware author also claims all systems infected with Locker ransomware will have their files automatically decrypted starting June 2, at midnight.
“I uploaded the database to mega.co.nz containing ‘bitcoin address, public key, private key’ as CSV. This is a dump of the complete database and most of the keys weren’t even used. All distribution of new keys has been stopped,” the developer added.
The published database contains some 62,000 rows of keys, most of which have not been used, according to the author.
According to Bleeping Computer forum, the developer is not lying, the published decryption keys are entirely valid and could unlock infected computers.
Locker ransomware was a trickier piece of malware, aimed at forcing victims to make financial decisions under a set time constraint. Once infected, the ransomware would begin encrypting files and demand the victim pay 0.1 Bitcoin for the decryption key, if the ransom was not met within 72 hours, the price for decryption increased to 1 Bitcoin.
Many analysts and researchers are skeptical of the ransomware developers recent change in heart, pointing out bitcoins should be returned to victims if the malware authors intentions are truly genuine. Others speculate the decryption keys may have been released by a programmer hired to create the initial Locker ransomware or that their work may have been stolen and abused, yet many don’t believe the authors innocent.
Locker is a newer strain of malware released last week, believed to be apart of a “sleeper” campign, where the malware silently infects machines until the malware author wakes it up. Once awoken, the malware would encrypt users files, demanding money be paid in full to the thief’s bitcoin address.
Last week, hundreds of Internet users fell victim to Locker ransomware within the first few days of it unexpected arrival, while a large number of sleeper-style campaigns can last months, leading many to believe it was accidentally leaked. KnowBe4 security researchers reported on the sleeper-style campaign just as it came alive.
Ransomware has become widely succsful over the past few months, even making its way up to mobile and successfully infecting cities, such as Detroit, who was ordered to pay $800,000 to gain access back to their files. Hackers have even gained their way into law enforcement agencies, infecting not one, but two separate police departments who actually paid the criminals ransom.
Ransomware campaigns have come to a screeching halt in the past, such as the CryptoLocker database leak, which led to the ransomwares demise. However, this is the first time a ransomware campign has been killed off on account of the authors remorse.