A new variant of crypto-ransomware seems to be not as crypto as it allows its victims to take back their data without paying the ransom they require. The ransomware Scraper seems to have a flaw, which in practice means that about 70% of its victims can decipher their files, according to Kaspersky Labs, the Russian security firm that published a decryption mode.
Of course, it's much better not to get infected, but those who have not watched can use the utility offered by the company to not pay the 300 dollars claimed by the fraudsters.
Malware Scraper (or TorLocker) first appeared in attacks in Japan last October. The Scraper later appeared in an English version, and encrypts the victim's files requiring a ransom (300 dollars or more, depending on the rogue greed to be paid to BitCoin or Ukash) to decrypt them.
In particular, malware encrypts virtually all user files, documents, videos and audio files, images, databases, backups, virtual machine encryption keys, certificates, and other files on all hard drives and on the network. It also deletes all the points of the system restore. Scraper infects only Windows computers.
User files are encrypted using multiple AES-256 one-time keys, an encryption key for each file. Kaspersky Labs says that somewhere this process went wrong, although other experts have their own theories. In any case, mistakes have clearly been made, otherwise decryption would be impractical.
"Although Trojan-Ransom.Win32.Scraper encrypts all files with AES-256 + RSA-2048, 70 percent of cases can be decrypted due to errors in the application of encryption algorithms," Kaspersky researchers Victor Alyushin and Fedor Sinitsyn.
One thing is for sure: Scammers will find some way to fix their code and release the new update. So Kaspersky's tool probably has an expiration date.