Recently, there have been more and more cases in which a crook proves that the ransomware business is not for everyone. The new NoobCrypt ransomware variant, uncovered by security expert Jakub Kroustek, is exactly such a case.
Apparently, NoobCrypt's author uses the same encryption key for each victim, which came as a gift for Kroustek. It didn’t take him long to retrieve the decryption password and post it on Twitter, allowing victims to unlock their files for free.
Taunts, displayed in the source code of the executable, gave the ransomware its name – NoobCrypt. When a victim enters random passwords in the key field trying to recover their data, the ransomware starts mocking them. For instance, if a victim types “123” in the key field, NoobCrypt shows an alert taunting them with the following message:
“123 is not the code! You idiot. GO PAY IF U WANT UR PC BACK. NOOB HAH”.
However, as it turned out, the NoobCrypt author doesn’t have much to gloat about. Now, thanks to Kroustek, a list of known decryption keys is available and NoobCrypt victims can use it for free.
When NoobCrypt attacks a victim, a ransom lock screen is displayed. The screen states “Your personal files are encrypted” and that it was “Made in R0MANIA”. Victims are told to complete the payment ($50 in Bitcoins) to the Bitcoin address shown within 48 hours, and that files will be deleted every 2 hours.
As each release of NoobCrypt has a specific Bitcoin address and a different ransom sum, Kroustek was able to create a list of passwords and a way to determine exactly which version of NoobCrypt a victim has been infected with. Here are all three decryption keys available:
- Ransom amount $299, Key: ZdZ8EcvP95ki6NWR2j
- Ransom amount $100, Key: ZdZ8EcvP95ki6NWR2j
- Ransom amount $50, Key: IsakhBVLIKAHg
Once a victim has identified which decryption key they need, they should enter it into the key field shown on the ransom screen and click the “Check” button. If the key is correct, the following message will be displayed:
“Key correct. Decrypting! Wait.”