A previously unknown form of ransomware has been identified which encrypts a victim’s files by making use of an encryption tool that was devised by a Google employee.
The new ransomware, dubbed “AgeLocker” after the “Age” encryption tool it utilises, was reported in an online IT forum by a security consultant after it was deployed in an attack against a client of theirs.
Investigation into AgeLocker
After in-depth examination of the encrypted data, investigators found that a text header had been added onto every one of the files that began with the web address “age-encryption.org.”
The age-encryption.org URL directs users to a dedicated GitHub repository for the encryption utility entitled “Age” that was developed by Google’s Go Security lead and cryptographer Filippo Valsorda.
The utility was created by Valsorda as a substitute for GPG for encrypting files, streams and backups, according to Age’s manual, which adds:
“This is a design for a simple file encryption CLI tool, Go library, and format.”
It also suggests that the utility’s name is an acronym that stands for Actually Good Encryption.
Rather than designing ransomware that makes use of commonly employed encryption schemes like AES+RSA, the malicious operators behind AgeLocker seem to be utilising the command line tool Age to encrypt a target’s files.
An expert on ransomware decryption, Michael Gillespie, explained that Age uses a selection of algorithms that make it a highly secure way of encrypting files, including ECDH over the curve X25519, HMAC-SHA256 and ChaCha20-Poly1305.
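The age-encryption.org header noted above is a concrete on-disk marker of files the ransomware has touched. As an added example (not code from the article, the age project, or the malware), the Python below scans a directory for files carrying that header and lists the recipient stanza types each one holds; it assumes the public age v1 layout (version line, `-> TYPE ARGS` stanzas with base64 bodies, closing `--- MAC` line), and the sample file is constructed with placeholder base64 values.

```python
import base64
import os
from typing import Dict, List, Optional, Tuple

AGE_MAGIC = b"age-encryption.org/v1"  # first line of every age v1 file
Stanza = Tuple[str, List[str]]        # (recipient type, its arguments)

def parse_age_header(data: bytes) -> Optional[Tuple[List[Stanza], bool]]:
    """Return (stanzas, mac_seen) if data starts with the age magic, else None.
    Only the textual header is read, never the ciphertext after "---";
    mac_seen is False if the header was cut off before its "--- <MAC>" line."""
    if not data.startswith(AGE_MAGIC + b"\n"):
        return None
    stanzas: List[Stanza] = []
    for line in data.split(b"\n")[1:]:
        if line.startswith(b"--- "):      # header MAC line ends the header
            return stanzas, True
        if line.startswith(b"-> "):       # "-> TYPE ARG ..."; body lines follow
            fields = line[3:].decode("ascii", "replace").split(" ")
            stanzas.append((fields[0], fields[1:]))
        # base64 body lines cannot start with "->" or "---", so they are skipped
    return stanzas, False

def scan_directory(root: str) -> Dict[str, List[str]]:
    """Map each age-encrypted file under root to its recipient stanza types."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    parsed = parse_age_header(fh.read(4096))
            except OSError:
                continue
            if parsed is not None:
                hits[path] = [kind for kind, _ in parsed[0]]
    return hits

# Constructed sample: one X25519 recipient stanza; the base64 values are
# placeholders, not real key material or a real ciphertext.
SAMPLE_SHARE = base64.b64encode(b"A" * 32).rstrip(b"=")
SAMPLE_FILE = b"\n".join([
    AGE_MAGIC,
    b"-> X25519 " + SAMPLE_SHARE,
    base64.b64encode(b"B" * 32).rstrip(b"="),  # wrapped file key
    b"--- " + base64.b64encode(b"C" * 32).rstrip(b"="),
    b"\x00\x01 constructed ciphertext bytes",
])
```

A file that parses but reports no MAC line was only partially read, so raise the read size before treating it as malformed.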
A new way to request a ransom
Exactly how the ransomware operators are acquiring access to their targets’ computers has not yet been identified, but once they infiltrate the system, they use the Age utility to encrypt their chosen victim’s files.
During the data encryption, a custom extension built from the target’s initials is appended to every encrypted file name. In a break from the more traditional method of making ransom demands via notes left on infected systems, the AgeLocker operators emailed their request directly instead.
Following encryption of the company’s devices in the reported incident, the company soon received a message via email. The subject line listed the company name followed by the phrase “security audit.”
After a brief greeting, the emailed ransom note provided a list of the company’s devices that had been encrypted by the AgeLocker ransomware. The note explains that millions of files and file names have been encrypted utilising a “hybrid encryption scheme.”
It then discusses payment terms for the decryption, which is requested in Bitcoin. The exact sum requested is not stated, but the company has confirmed it equates to around $64,500.
The note goes on to say that following payment, a decryption tool will be sent. As a guarantee, the ransomware operators state the company can send them five files, which they will decrypt for free, but stipulate that these must not include important information like backups or databases.
The operators also warn that no attempt should be made to decrypt the files using third-party solutions, or else encrypted data may be permanently lost.