A variant of the Crypto Locker ransomware tells its victims that their files have been encrypted with strong RSA-2048 encryption, but in reality the ransomware uses a weak symmetric cipher and reveals the decryption key in its own source code.
Security researcher “Fakebit” discovered this when he found a Crypto Locker variant that spreads through malicious email attachments. As soon as the attached file is opened, the ransomware starts encrypting files and appends the .cryptolocker extension to each encrypted file. Once it has finished, the ransomware shows a warning that the files have been encrypted with an RSA-2048-bit key.
Users are directed to a website on the Tor network where they have to pay in order to regain access to their files. The warning also shows an ID with which the ransomware authors likely try to give the impression that a unique encryption key was used, but the key is actually hard-coded in the malware.
Researcher Fakebit discovered that the ransomware does not encrypt the files with an RSA-2048 key at all but instead uses the Tiny Encryption Algorithm (TEA). TEA is a symmetric cipher, so the same key that encrypted the data also decrypts it; because that key is hard-coded in the malware, anyone holding a sample has everything needed to recover the files. Fakebit simply modified the source code and replaced the encryption call with the corresponding decryption call. The ransomware then did its work as expected and the files were decrypted.
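To make the point concrete, the block below is an added example (not Fakebit's code and not the malware's own) that implements TEA with a hard-coded key and shows why swapping the encryption routine for its inverse is all a "decryptor" needs. The key value, ECB-style processing of 8-byte blocks, little-endian words and PKCS#7 padding are assumptions made for the demo; the article does not describe the sample's file format.

```python
"""Why a hard-coded symmetric key defeats the ransomware: TEA run forwards and backwards.

Added demonstration code. Assumptions (not from the article): the key value,
ECB mode over 8-byte blocks, little-endian word order and PKCS#7 padding.
"""
import struct

DELTA = 0x9E3779B9      # TEA's key-schedule constant
MASK = 0xFFFFFFFF       # all arithmetic is on 32-bit words
ROUNDS = 32             # TEA's standard 32 cycles
BLOCK = 8               # TEA encrypts 64-bit blocks

# Stand-in for the constant found in the sample (assumed value, not the real key).
HARDCODED_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")


def _key_words(key: bytes) -> tuple:
    """Split a 128-bit key into the four 32-bit words TEA uses (little-endian assumed)."""
    if len(key) != 16:
        raise ValueError("TEA needs a 128-bit key")
    return struct.unpack("<4I", key)


def tea_encrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    """Standard TEA encryption of one 64-bit block given as two 32-bit words."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    """The same round function run backwards: subtract instead of add and walk the
    round sum down from its final value. This is the whole 'reverse command'."""
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def _pad(data: bytes) -> bytes:
    """PKCS#7 padding to a multiple of 8 bytes (assumed; the sample's padding is unknown)."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    """Strip PKCS#7 padding; a bad pad usually means the wrong key was used."""
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key or corrupted data")
    return data[:-n]


def encrypt_file_bytes(plaintext: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """What the ransomware does to a file: TEA over each block with the built-in key."""
    k = _key_words(key)
    padded = _pad(plaintext)
    out = bytearray()
    for i in range(0, len(padded), BLOCK):
        v0, v1 = struct.unpack("<2I", padded[i:i + BLOCK])
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, k))
    return bytes(out)


def decrypt_file_bytes(ciphertext: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """Identical loop with the block routine swapped for its inverse."""
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    k = _key_words(key)
    out = bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        v0, v1 = struct.unpack("<2I", ciphertext[i:i + BLOCK])
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, k))
    return _unpad(bytes(out))


def recover_with_key(ciphertext: bytes, key: bytes):
    """Try a candidate key; return the plaintext, or None when the padding check fails."""
    try:
        return decrypt_file_bytes(ciphertext, key)
    except ValueError:
        return None


# Constructed sample file contents for the demo; not real victim data.
SAMPLE_DOCUMENT = b"Constructed sample document contents for the demo.\n" * 3

if __name__ == "__main__":
    locked = encrypt_file_bytes(SAMPLE_DOCUMENT)
    print("encrypted head:", locked[:16].hex())
    print("hard-coded key recovers file:", recover_with_key(locked, HARDCODED_KEY) == SAMPLE_DOCUMENT)
    print("wrong key recovers file:", recover_with_key(locked, bytes(16)) == SAMPLE_DOCUMENT)
```

The decryptor is nothing more than the encryptor with `tea_encrypt_block` replaced by `tea_decrypt_block` and the key left untouched, which is exactly why a hard-coded symmetric key makes the "RSA-2048" claim meaningless. A real RSA-2048 scheme would have no decryption key anywhere in the sample to pull out.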
According to Fakebit, the author of this Crypto Locker variant ‘abuses’ the Crypto Locker name and the limited know-how of users and system administrators about ransomware. The name alone is enough to convince users that their files are heavily encrypted and that they need to pay to get them back. In this case the files can be decrypted easily, but few users are likely to know or find out how, and many will pay nevertheless. Note that this only holds for this particular variant; it says nothing about files encrypted by ransomware that really does use RSA-2048.