A free decryptor for Fileslocker ransomware has been developed following the leaking of the master key for the ransomware on Pastebin.
The master key is the key used by threat actors to decrypt files that have been encrypted by the ransomware. The post was created on December 29, 2018 and states that the master key, which decrypts the private key, is “applicable to V1, V2 version” and that the poster is “waiting for security personnel to develop decryption tools.”
A free decryptor for Fileslocker ransomware was developed by Michael Gillespie, the creator of MalwareHunterTeams’s ID Ransomware – A tool that can be used to determine what ransomware variant has been used to encrypt files.
Interestingly, a new Christmas-themed version of Fileslocker ransomware was released in late December which encrypted files and changed the Desktop wallpaper to a Christmassy background. Additionally, the browser on an infected device was opened and the Pastebin decryption key was displayed.
In order for the free decryptor for Fileslocker ransomware to work, a victim must upload the ransomware note from the Desktop. The ransom note contains the encrypted decryption key, which is unlocked using the newly developed master key-based decryptor.
Filerlocker ransomware is a ransomware-as-a-service offering that is usually distributed by affiliates who receive a cut of the profits from any ransom payments they generate from distributing the ransomware. What is not known is why the master key was released.
The Pastebin posting provides a clue. It ends with the phrase “The end is just the beginning,” which suggests that Fileslocker ransomware is no more and the group behind the ransomware is moving on to other projects. This is not uncommon. When ransomware variants are retired, the master keys are often released online. What the threat group moves onto next is anyone’s guess, but for now at least, any individuals who are infected with Fileslocker ransomware will be able to decrypt their files for free.