Skip to main content

Ransomware Author Changes Mind, Lets Victims Decrypt Files

In the underground world of encrypting ransomware, in which criminals distribute malware that locks up computer files until victims pay to regain access, mercy is a rare sentiment. At least, that was the case, until the mastermind behind the Locker ransomware had a sudden change of heart and decided to publish his decryption keys.

Devices that were still being held hostage by Locker were freed yesterday (June 2), only 8 days after the crypto-ransomware was first activated May 25. The self-declared writer of Locker handed over a supposedly complete database of decryption keys, which led CryptoMonitor developer Nathan Scott to create Locker UnLocker, a tool that helps victims free their files.

MORE: Risk of Ransomware Infection Greater Than Ever

The rationale behind this never-before-seen act of seemingly willing charity is unknown at this moment, but there are theories being floated around the information-security community.

In a blog post, Stu Sjouwerman, CEO of the Florida-based security firm KnowBe4 suggests that Locker's newly-remorseful creator may have hit his financial goals (although ransomware isn't exactly a new form of crowdfunding). Sjouweman also suggested that the Locker master may be feeling the heat from another party hot on his trail, which may be law enforcement or a bigger and badder criminal element.

The official statement from the force behind Locker, who referred to himself as "Poka BrightMinds," came in an upload to the text-sharing site Pastebin:


That may sound well and good, but BrightMinds' claim of not having any intention to "release" Locker do not add up with the facts at hand. Lying dormant on computers for weeks, and possibly having infected them through a compromised Minecraft installer, Locker was activated without warning on May 25 — behavior that gained it the term "sleeper," akin to a rogue secret agent waiting for a specially timed command to strike. This style of attack requires a lot of foresight, planning and — of course — intent.

According to antivirus maker Kaspersky Lab's  Threatpost news site, Locker had a much smaller ransom demand than most ransomware — a mere 0.1 Bitcoin, which is about $30 US. That's not exactly cheap, but ransomware typically demands $500 to let go of your files.

No refunds from Locker's creator to his victims have been reported. 

Henry T. Casey is a Staff Writer at Tom’s Guide. Follow him on Twitter @henrytcasey. Follow us @tomsguide, on Facebook and on Google+.