Vendors and governments make ransomware decryptors more common
With the increase in ransomware attacks, cybersecurity companies and international law enforcement agencies are scrambling to provide the public with free decryption tools, which have become increasingly common in recent years.
Kaspersky’s Yanluowang ransomware decryptor is the latest in a long line of free tools that have been released to provide relief to victims; it is a notable example of a decryptor that was developed just a few months after the discovery of the new ransomware variant. The decryptor is also one of dozens of free decryption tools that the company offers on its site. Kaspersky is far from the only provider to offer a free ransomware decryption service on its site.
Many major cybersecurity vendors now offer some form of free ransomware decryption tools. Avast, Bitdefender, Emsisoft, Kaspersky, and McAfee all provide some type of service that allows victims to research potential remedies. It is not known exactly how many victims are saved with these ransomware decryptors; vendors and law enforcement agencies often refuse to provide information on the number of downloads of these tools.
But as the threat of ransomware has exploded in recent years, the development of valuable decryption tools has also increased. Depending on who counts, there are between 100 and 200 different free decryptors for various strains and versions of ransomware.
Ransomware decryption services usually work in two ways.
In the case of Emsisoft, the vendor partners with ID Ransomware, a free ransomware identification service. Currently, ID Ransomware has more than 1000 different ransomware strains including BlackCat, Conti and REvil which it is able to identify by ransom notes and sample encrypted files.
Emsisoft uses Ransomware ID to determine the type of ransomware infection and then directs victims to all available decryption tools. The provider also provides a webpage with a list of free decryptors that can be used once the ransomware strain is identified. Over 80 different strains are available to be decrypted, including Deadbolt and SunCrypt.
Services like Avast and Kaspersky work a little differently. For both companies, victims must first be able to identify the type of ransomware that infects them and then download a specific decryptor for that strain.
Avast provides a list of 30 different strains that it can both help identify and decrypt. For each type, Avast provides information that helps the user identify the marks of this ransomware and what it leaves on a file, then provides a downloadable decryption tool. Ladislav Zezula, senior malware analyst at Avast, explained the process used by the company for decryption.
“We need to know the encryption scheme such as the cipher used, how keys are created and managed, how attacks would decrypt user data upon payment, and the strength of the encryption scheme,” Zezula said.
Trend Micro takes a similar approach to developing its ransomware decryptors. “Most of the time, we collect information by gathering the ransomware binary, ransom note and encrypted files off the infected machine,” Trend Micro threat analyst Earle Earnshaw told SearchSecurity. “We are performing a deep analysis to acquire encryption information and other necessary information that would help in creating a decryption tool for the said ransomware.”
Trend Micro’s site offers both a downloadable decryptor as well as a service where the user can select the ransomware group that has reached them and then download the encrypted files for decryption. Trend Micro also lists the names of ransomware it is able to decrypt on its site, including Shade and WannaCry versions.
Kaspersky’s decryption site is also unique; it groups similar strains together and compiles downloadable decryptors so that the user can choose the right decryption tool for the type of ransomware he has been infected with. If the user is unsure, they can click on the “how-to guide” for each type of ransomware and then find a tool that will run a scan on their device for a specific type of ransomware.
For example, if a user thinks they may be infected with Yanluowang ransomware, they can click on the “Rannoh Decryptor” guide to confirm the ransomware strain and then download the decryption tool.
Bitdefender offers a mix of Kaspersky and Emsisoft methods on its site. Like Emsisoft, it provides a tool to identify different strains of ransomware, this can be used by downloading the tool and providing the ransom note or the encrypted file.
Once the data is provided, the tool then runs its analysis and the website tells the user how to interpret the results.
“If the ransomware family cannot be identified, the user is notified. In some cases, multiple ransomware families display similar functionality,” the instructions say. “In this case, the Bitdefender Ransomware Recognition tool displays possible ransomware families alongside a confidence indicator. Usually the first result is the most relevant and it is displayed with the highest confidence percentage (the one with the highest percentage). If the ransomware has an associated decryption tool, a link is provided in the Decryptor column.”
Bogdan Botezatu, director of threat research at Bitdefender, said he often partners with law enforcement to develop decryptors. Law enforcement may have access to encryption keys and other information through their investigations that vendors do not. Botezatu said getting access decryption keys is a big part of the partnership.
“The most important thing in ransomware is to grab the keys or grab the coding flaws in the ransomware product or a vulnerability that would allow you to bypass the encryption without knowing the key,” Botezatu said. . “When it comes to keys, we rely on law enforcement partners, or in some circumstances the developers or someone very close to the ranks of our operating circle, to release the keys. to the masses. Once we have access to these keys, we can bundle them into decryptors.”
It often takes time for security researchers and law enforcement partners to get enough information and develop a working decryptor, especially for new ransomware variants. This can leave some victims in limbo for months or even years. Botezatu discussed the process of helping users with ransomware that cannot be decrypted yet.
“Once we have [the ransom notes and files] I can direct them to an existing tool or put them on a waiting list,” Botezatu said. I keep an eye on conversations with people, and if I can’t help them on the spot because we don’t have a tool at the time, I’ll contact them later when we finally have one. »
It may take some time, but often a ransomware decryptor is eventually developed, which is why law enforcement and the infosec community recommend victims to back up their locked data even if decryption tools are immediately available after a offensive.
“It is with great pleasure that most of the time I follow up a year or two after the first contact and let them know ‘Hey, remember you wrote to us about this ransomware family? If you listened to us and made backups of the files and ransom notes, now you can download this tool, let it run overnight and tomorrow you will have all the files in place,” Botezatu said. “They usually say ‘Yay ! I was about to lose all hope and all of a sudden I have my information.’ It’s incredible. It is what keeps us alive and motivates us.
In some cases, Bitdefender will provide decryptors and blog posts for specific ransomware variants, as it did for REvil and Darkside. While Bitdefender does not track the money saved by each of its ransomware decryptors, Botezatu said the free REvil tool saved users over $800 million in unpaid ransoms.
It’s not just providers that provide access to free ransomware decryptors. The No More Ransom Project, launched in 2016, was developed by European countries with Kaspersky and McAfee to provide a home for ransomware decryptors; it is supported by international law enforcement agencies.
The site combines tools from many different cybersecurity vendors and puts them all in one place. Contributors include Avast, Bitdefender, Bleeping Computer, Cisco, Emsisoft, Tesorion, and Trend Micro. In total, the project has 17 law enforcement and cybersecurity organizations that have collaborated to provide decryption tools for over 150 strains of ransomware.
“I think united we are stronger and we can make the world a safer place for everyone,” Botezatu said.