Ransomware named AgeLocker uses the ‘Age’ encryption tool, created by a developer employed at Google, to encrypt victims’ files. When security researchers closely examined the encrypted files, they found that each file had been given a text header that starts with the URL ‘age-encryption.org.’
The URL age-encryption.org takes you to a GitHub repository for the encryption utility called ‘Age,’ created by Filippo Valsorda, who’s in charge of cryptography and security on the Go team at Google.
According to the manual for Age, the utility was designed to be a replacement for GNU Privacy Guard to encrypt “files, backups, and streams.” The hackers behind AgeLocker seem to be using the Age command-line tool to encrypt the victim’s files instead of using encryption algorithms such as AES+RSA. Age uses X25519 (an ECDH curve), ChaCha20-Poly1305, and HMAC-SHA256, all of which make for a very secure method of encrypting a file.
The AgeLocker Ransom Note is Sent via Email
Once hackers gain access to a victim’s machine, they utilize the Age encryption tool to encrypt the victim’s files. During encryption, a custom extension created with the victim’s initials is added to each encrypted filename.
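For incident triage, the file header and the shared custom extension described above can be used to inventory affected files. The Python script below is an added example, not code from the researchers or the Age project; the `/v1` suffix, the `-> ` recipient lines and the `---` MAC line come from the age file format rather than from this article, and the `.jd` extension and sample files are constructed.

```python
import os
import tempfile
from collections import Counter

AGE_MAGIC = b"age-encryption.org/"  # header prefix reported in the article
MAX_HEADER = 4096                   # assumption: the text header fits in 4 KiB

def parse_age_header(data):
    """Return (version, recipient_types) if data starts with an age header, else None."""
    if not data.startswith(AGE_MAGIC):
        return None
    lines = data.split(b"\n")
    version = lines[0][len(AGE_MAGIC):].decode("ascii", "replace")
    types = []
    for line in lines[1:]:
        if line.startswith(b"---"):      # MAC line: end of the text header
            break
        if line.startswith(b"-> "):      # recipient stanza, e.g. "-> X25519 ..."
            types.append(line[3:].split(b" ")[0].decode("ascii", "replace"))
    return version, types

def scan(root):
    """Walk root; return (hits, extension counts) for files carrying an age header."""
    hits, exts = [], Counter()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    parsed = parse_age_header(fh.read(MAX_HEADER))
            except OSError:
                continue                 # unreadable file: skip, keep scanning
            if parsed:
                hits.append((name, parsed[0], parsed[1]))
                exts[os.path.splitext(name)[1]] += 1
    return sorted(hits), exts

def demo():
    """Build constructed sample files in a temp dir and scan them."""
    header = b"age-encryption.org/v1\n-> X25519 CONSTRUCTED\nCONSTRUCTED\n--- CONSTRUCTED\n"
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("report.docx.jd", header + b"\x00\x01binary"),
                           ("db.sql.jd", header + b"\n-> not a stanza"),
                           ("notes.txt", b"see age-encryption.org for docs\n")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    hits, exts = demo()
    print(hits, exts.most_common())
```

Files that someone legitimately encrypted with Age carry the same header, so treat hits as candidates and use the extension counts to separate a single shared extension from unrelated files.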
In a unique twist for ransomware infections, instead of leaving a ransom note on the encrypted computer, the attackers email the ransom note to the victim. This ransom note lists the devices encrypted by the ransomware and instructions on how to get payment information.
The ransomware note reads in part:
Unfortunately a malware has infected your network and a millions of files has been encrypted using a hybrid encryption scheme. File names encrypted too. You have to pay for decryption in Bitcoins. The price depends on how fast you write us. After payment we will send you the tool (for mac and linux) that will decrypt all your files. Do not try to decrypt your data using third party software, it may cause permanent data loss.
According to victims of AgeLocker attacks, hackers ask for 7 Bitcoins, or approximately $64,500, to decrypt the files. Unfortunately for victims, it does not appear possible to recover files encrypted by AgeLocker for free at this time.