I'm conflicted
On the one hand, this is pragmatically good. On the other, I hate seeing bad encryption implementations.
Crooks have borked the encryption behind the TorrentLocker ransomware, meaning victims can avoid paying the extortionists and unlock their data for free. TorrentLocker was regarded as the demonic spawn of CryptoLocker and CryptoWall which made killings last year by encrypting valuable data owned by individuals and …
Pretty sure he is in Oatmeal land actually.
No matter how hard I try, I can't help but re-read the sentence/question from my point of view. Thus, AC's question would become "Am I sure my not in XKCD land?" which makes no sense.
Or the object's point of view: "your" becomes "his" or "her" depending on whether h4rm0ny is male or female ;-)
>>"If you already have a backup of the data then why bother trying to decrypt stuff, just wipe and put the backup in place??"
Riding the early posts so your reply appears sooner? *tsk tsk*. Anyway, there is an answer to this. The point about the backups is that you only need part of the encrypted data in unencrypted form to unlock the rest of it. So if they encrypt directory "AllMyImportantStuff" but you have a spare copy of "mytaxsubmissions.csv" from that directory, you can use that snippet of overlap to crack the whole thing and get everything back.
So yes, if you have everything backed up, you can just delete the encrypted version. But if you don't, you get to pull one over on the Black Hats for once. ;)
>If you already have a backup of the data then why bother ...
IF you have a recent, up-to-date backup, fair question. Many people don't. What they probably have sitting on an iPod somewhere is one of the MP3s from their music folder. The article suggests that as little as 2MB was enough to calculate the XOR key, or in layman's terms, a single song is enough to recover all their data.
I just looked at a list of file types it goes after, and mp3 doesn't seem to be on the list, but zip, rar and 7z are. So if you've happened to download something in one of those formats and left the packed file sitting around you could simply download it again to get your cleartext. Or maybe you emailed a big docx to someone recently. Chances are you can retrieve it from your mail server, or failing that ask the recipient to mail it back.
It does target a wide variety of files so I'd bet that the vast majority of people do have something on their disks in one of those formats which is duplicated elsewhere, even without making an intentional backup.
I had to clean some malware off a client's computer yesterday which had dumped text, html, and .lnk files across many directories claiming to have encrypted all of the files, and offering a website through which you could pay a ransom.
Thing is, we couldn't find *any* files which were encrypted. It looks like the whole plan was just to scare people into paying the ransom without even checking their files.
That's a bit like the Irish virus of a couple of years back, but that was at least clearly a joke.
A few years back there was a version of this which tried to encrypt files but just resulted in massive data loss due to a coding error.
The latest version of C-L from what I have been told messes with the MBR and hides in the spare sector pool which rarely gets accessed but can readily rebuild itself with a small code segment.
As a side effect the infected drive sometimes fails to show up when put in a different machine and Windows install will then pick it up as unformatted resulting in total loss.
If the average user is capable of searching for the phrase "XOR two files" then he'll find the first Google hit leads to a free utility to XOR two files together. All he then has to do is XOR the file with known content and its encrypted version, to produce a key file that can be used to unlock all the other encrypted files.
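The known-plaintext trick described in the posts above (the "mytaxsubmissions.csv" overlap, the single MP3, and the "XOR two files" utility) as an added, runnable example. This is not code from the article or from any poster: it assumes, as a simplified model of the malware, that every file's first 2MB is XORed with one keystream that is reused across all files and that the rest of the file is left alone. The file contents and the keystream are constructed sample data; it also shows the failure mode where the only backup you have is shorter than the keystream, so part of the larger files stays scrambled.

```python
"""Known-plaintext recovery of a reused XOR keystream (toy model of the attack)."""
from __future__ import annotations

import os

# Hypothetical: the article says roughly 2MB of known data sufficed to recover the key,
# so this model encrypts only the first KEYSTREAM_LEN bytes of each file.
KEYSTREAM_LEN = 2 * 1024 * 1024


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the length of the shorter one (done via ints for speed)."""
    n = min(len(a), len(b))
    return (int.from_bytes(a[:n], "big") ^ int.from_bytes(b[:n], "big")).to_bytes(n, "big")


def encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Toy 'ransomware' transform: XOR the file prefix with the reused keystream, keep the tail."""
    return xor_bytes(plaintext[: len(keystream)], keystream) + plaintext[len(keystream):]


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Keystream = plaintext XOR ciphertext, for as many bytes as we hold of both.

    A 300KB backup therefore yields only 300KB of keystream, not the full 2MB.
    """
    n = min(len(known_plain), len(known_cipher), KEYSTREAM_LEN)
    return xor_bytes(known_plain[:n], known_cipher[:n])


def decrypt_with_keystream(cipher: bytes, keystream: bytes) -> tuple[bytes, int]:
    """Undo the XOR with whatever keystream we recovered.

    Returns (plaintext, scrambled): `scrambled` counts bytes inside the encrypted
    prefix that the recovered keystream was too short to cover; they stay XORed.
    """
    encrypted_prefix = min(len(cipher), KEYSTREAM_LEN)
    usable = min(len(keystream), encrypted_prefix)
    recovered = xor_bytes(cipher[:usable], keystream[:usable])
    return recovered + cipher[usable:], encrypted_prefix - usable


def demo(known: str) -> dict[str, int]:
    """Simulate infection, then recover using `known` as the one file we have a clean copy of.

    Returns, per file, how many bytes could NOT be recovered (0 means fully restored).
    """
    keystream = os.urandom(KEYSTREAM_LEN)  # attacker's secret; the victim never sees this

    # Constructed victim files (sample data, not real documents).
    files = {
        "mytaxsubmissions.csv": b"year,income,tax\n2014,50000,12000\n" * 100_000,  # ~3.3MB
        "holiday.jpg": b"\xff\xd8\xff\xe0" + os.urandom(300_000),                 # ~300KB
        "project.zip": b"PK\x03\x04" + os.urandom(2_500_000),                       # ~2.5MB
    }
    encrypted = {name: encrypt(data, keystream) for name, data in files.items()}

    # Step 1: XOR the clean copy with its encrypted twin to get the keystream.
    key = recover_keystream(files[known], encrypted[known])

    # Step 2: apply that keystream to every other encrypted file.
    results = {}
    for name, cipher in encrypted.items():
        plain, scrambled = decrypt_with_keystream(cipher, key)
        # Bytes covered by the recovered key, and bytes the malware never touched, must match.
        assert plain[: len(key)] == files[name][: len(key)]
        assert plain[KEYSTREAM_LEN:] == files[name][KEYSTREAM_LEN:]
        results[name] = scrambled
    return results


if __name__ == "__main__":
    print("backup of the big CSV: ", demo("mytaxsubmissions.csv"))  # everything fully restored
    print("backup of a small JPEG:", demo("holiday.jpg"))           # big files partly scrambled
```

The second run is the caveat a practitioner should keep in mind: a known file only hands you as much keystream as it is long, so if your only clean copy is a small photo, files larger than it keep a scrambled region up to the 2MB mark. To get everything back you need one clean file at least as long as the encrypted prefix, which is why the posters above suggest large zips or a long MP3 rather than a tiny document.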
>Windows install will then pick it up as unformatted resulting in total loss.
I have always considered the Windows installer as the best evidence that MS *can* do security if it wants to - I have yet to come across a better way to annihilate information on a disk. It's without equal.
As a recovery mechanism, not so much.