Following the leaking of the master key for the FilesLocker ransomware on Pastebin, a decryptor has been made available to allow a victim’s files to be recovered for free.
The master key is the key used by those behind a ransomware campaign to decrypt files that have been encrypted by the ransomware. FilesLocker is distributed as Ransomware as a Service, or RaaS; that is to say, even novice cybercriminals can sign up to launch ransomware campaigns and earn commission for use of this ransomware. FilesLocker targets victims in both English- and Chinese-speaking areas.
The post containing the master key was created on December 29, 2018 and states that the master key, which decrypts the private key, is “applicable to V1, V2 version” and that the poster is “waiting for security personnel to develop decryption tools.”
In response to the master key being made accessible, Michael Gillespie, part of MalwareHunterTeam, created a file decryptor for FilesLocker ransomware. Mr Gillespie also created MalwareHunterTeam’s ID Ransomware, a tool that can be used to determine what ransomware variant has been used to encrypt files.
Interestingly, a new Christmas-themed version of FilesLocker ransomware was released in late December which encrypted files and changed the Desktop wallpaper to a Christmas-themed background. It was on this version of FilesLocker that the master key could be accessed: a browser was opened on the infected device and the Pastebin decryption key was displayed.
In order for the free decryptor for FilesLocker ransomware to work, a victim must upload the ransomware note from the Desktop. The ransom note contains the encrypted decryption key, which is unlocked using the newly developed master key-based decryptor.
It is not yet known why the key was released. However, the Pastebin post may provide some insight into the motivation behind the move. It ends with the phrase “The end is just the beginning,” which suggests that FilesLocker ransomware is no more and the group behind the ransomware is moving on to other projects.
This type of move is not uncommon. When ransomware variants are retired, the master keys are often released online. While it is impossible to tell what the threat groups’ next move will be, it is at least reassuring for now that any individuals who are infected with FilesLocker ransomware will be able to decrypt their files for free.
If you have been infected with FilesLocker ransomware, you can find out how to decrypt files free of charge on this link.