Note: Someone commented on the “limited shelf-life” of ransomware and why this doesn’t hurt other victims. They deleted their comment but I’m posting my response.
You are incorrect. What is limited is the number of attacks that can be used for victims to recover their files. If you think the author is the only person that was using this attack to recover files, you are incorrect again. I'd recommend checking out the book The Ransomware Hunting Team. It's an interesting book about what happens behind the scenes when helping victims recover their files.
> I expect [the attackers] will change their encryption again after I publish this.
If they realize that, why publish this? Seems irresponsible at best to give a decryptor in such gory detail for what, Internet cred? It's an interesting read, and my intellectual curiosity is piqued; it just seems keeping the details to yourself would be better for the community at large.
> Every time I wrote something about ransomware (in my Indonesian blog), many people would ask for ransomware help. ...
> Just checking if the ransomware is recoverable or not may take several hours with a lot of effort (e.g. if the malware is obfuscated/protected). So please don't ask me to do that for free
So charge them for it?
Anyone know why they are using timestamps instead of /dev/random?
Don't get me wrong, I'm glad they don't; it's just kind of surprising as it seems like such a rookie mistake. Is there something I'm missing here, or is it more a case of people who know what they are doing not choosing a life of crime?