TrueCrypter Ransomware Dev Leaves Flaw in Code That Lets Victims Decrypt Files

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
AVG malware analyst Jakub Kroustek came across a new ransomware variant that appears to be under development and currently allows victims to decrypt their files just by pressing a button.

This new threat calls itself TrueCrypter, and as its name hints, is a crypto-ransomware variant that after infecting computers, searches for files with a specific extension and encrypts them using a dual AES-256 and RSA-2048 encryption mechanism, also used by many other ransomware families.

TrueCrypter targets 194 different file types, and the infection method is currently unknown. The good news is that at the time of writing, the ransomware had a detection rate of 27/56 on VirusTotal.

After infecting a user and encrypting his files, TrueCrypter then shows the ransom note in the form of a popup window.

TrueCrypter asks for payment in Bitcoin or Amazon gift cards
The ransomware author asks for 0.2 Bitcoin (~$90) or $115 in the form of Amazon gift cards. This is the second ransomware discovered this week that uses this non-conventional payment method, after Blue Coat Labs researchers previously discovered the Cyber.Police ransomware targeting Android mobile devices via a unique infection method.

Cyber.Police didn't ask for Amazon gift cards, but for iTunes gift cards. In terms of ransom payment method, using gift cards is a dangerous practice because if used incorrectly, it can leave a trace back to the malware author.

As for infected victims, the good news is that the ransomware seems to have an implementation issue. Users that want to decrypt their files should check out the bottom right corner of the popup for a button with an arrow pointing to the right.

Pressing this button opens the payment screen, where there will be another button in the bottom right that says "Pay." Mr. Kroustek discovered that pressing this button, in the current versions of TrueCrypter, starts the file decryption process.

h/t @MalwareHunterTeam


decrypt their files by pressing the "Pay" button
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Nothing new, ransom price is high but it does not provide mind games because a solution for decryption and removal will enforce immediately as possible. Always create a backup no matter what circumstances.
 
  • Like
Reactions: Der.Reisende

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top