
Security researchers have identified flaws in a specific ransomware encryptor that allow victims to decrypt their files without having to pay in 70% of cases.

The encryptor, known as Trojan-Ransom.Win32.Scraper, was first detected in an attack against Japanese users on October 24, 2014. Along with CTB-Locker, it marks a new generation of ransomware that is based on encryptor Trojans.

Scraper encrypts victims’ files with AES-256 with a randomly generated one-time key and demands a ransom payment of at least USD $300 to decrypt them.

However, as Kaspersky Lab security researchers Victor Alyushin and Fedor Sinitsyn explain in a blog post published on Securelist, there is a flaw in Scraper’s encryption mechanism.

“Although Trojan-Ransom.Win32.Scraper encrypts all files with AES-256 + RSA-2048, in 70%+ cases they can be decrypted because of the errors made during the implementation of cryptography algorithms,” they observe.

Kaspersky Lab does not go into much detail about the encryptor’s flaws, leading some security experts to weigh in on the matter and propose their own explanations.

Scraper, which is written in assembler, uses the Tor network to contact its “owners” and relies on the Polipo proxy server to do so.

To avoid detection, the encryptor often comes packed with the KazyLoader and KazyRootkit protectors along with UPX.

Scraper is commonly distributed to victims via the Andromeda botnet. Criminals interested in using Scraper to their advantage can purchase the ransomware’s builder for a few Bitcoins on underground markets, such as the now defunct Evolution, which had replaced Silk Road as the top dark web drug trading site.

The builder allows criminals to modify certain aspects of the malware, including what payment forms it accepts and whether they want to block the removal of Windows recovery points.

Users who believe they may have been affected by the Scraper ransomware encryptor are encouraged to use Kaspersky Lab’s ScraperDecryptor utility, which will help them decrypt and restore their files.

  • Paradox FX

    I am a professional photographer. A few weeks ago my computer was attacked by CTB-LOCKER, the one with the black screen and code KEY. Proven Data Recovery has been able to identify the VARIANT of the virus I have. It is – RSA-2048 CTB-Locker encryption virus.

    They want 2,600 for the decryption of 300 image files that this virus has encrypted on an SD CARD. The computer still reads close to 900mb of data on the card and I have been told by multiple sources that there is a chance my images are still there, but I have had no luck and it’s going to take me quite some time to come up with this money, so in the meantime I am exploring other options and learning more about computers and code than I would otherwise have ever cared to.

    It angers me to no end that people can actually even do this. That they can hurt total strangers in this way. Hurt their jobs. Affect their lives just for the sake of doing so and then dangle our data in front of us so we freak out and jump. I refuse to pay this RANSOM and it is frustrating to no end that the supposed GOOD GUYS want WAY THE HELL MORE!! It’s very backwards to me and does not seem right. It is almost impossible to get a simple straight answer from people in this area and there is a lot of double talk, and I have had a couple of people remote access my computer and I see them try things even I have tried.

    The files that are blocked were never on my hard drive. I didn’t even have time to make a hard copy. One moment they were fine and the next they were encrypted. I have done 2 system restores and a factory restore and the computer has updated protection, but the files remain locked on my card.

    Is there any effective decryption for CTB-LOCKER – RSA-2048 CTB-Locker encryption virus?

    What are the odds? Is it even worth saving all this money for these people? He did ID the variant. Even that came as a shock. It’s all I have to go on. Maybe, if you think you have a solution for me, of course I would be willing to work out a pay arrangement, but I would need to see at least SOME proof. Maybe do one or two that I can see. There are 300 on the card and I am really quite desperate for this material, or to be told convincingly and enough times that all hope is lost. I am not at that point yet.

    Thanks for your time

    Sincerely

    Scott