Last week, a new strain of ransomware called Locker was activated after sitting silently on infected PCs. Security firm KnowBe4 called Locker a “sleeper” campaign that, when the malware’s creator “woke it up,” encrypted the infected devices’ files and charged roughly $24 in exchange for the decryption keys.
This week, an internet user claiming to be the creator of Locker publicly apologized for the campaign and appears to have released the decryption keys for all the devices that fell victim to it, KnowBe4 reported in an alert issued today. Locker’s creator released this message in a PasteBin post:
“I am the author of the Locker ransomware and I’m very sorry about that [sic] has happened. It was never my intention to release this. I uploaded the database to mega.co.nz containing ‘bitcoin address, public key, private key’ as CSV. This is a dump of the complete database and most of the keys weren’t even used. All distribution of new keys has been stopped.”
The malware creator also said that an automatic decryption process for all devices affected by Locker will begin June 2nd. However, the post did not mention refunds for victims who, since last week, paid the 0.1 bitcoin (equal to $22.88 at the time this was posted and $24 around the time Locker was activated) required for the decryption keys.
Speculating as to why the malware’s creator would suddenly put an end to what could have been a successful scam, Sjouwerman suggests he or she may have become concerned about attracting unwanted attention from either law enforcement or organized crime. Many ransomware campaigns have origins in organized criminal outfits, often in Eastern Europe, Sjouwerman says.
“What we can assume is that he is a talented coder but not an experienced cyber criminal, because a foul-up like this would never have happened with professional Eastern European organized cyber crime,” Sjouwerman says. “He may have worked as a developer for one of these gangs and decided to start his own outfit, which backfired.”