
There’s so much doom and gloom in the security industry because of ransomware. And yet, occasional success stories inspire us to fight back.

Last time we wrote about ten ransomware recovery cases. New ransom Trojan variants have surfaced since then, including the one dubbed HydraCrypt. The operators of the TeslaCrypt campaign pulled off defiant attacks against Lincolnshire County Council and WordPress websites.

In the meantime, there’s some light at the end of the tunnel. We decided to continue covering positive news as we believe this is important.

Let’s start with several recent decryption cases:

  • Turkish programmer Utku Sen managed to break the encryption of B, a threat devised using his open-source application. In August 2015, Utku Sen published the source code of Hidden Tear, a ransomware program tailored strictly for educational purposes. Since Sen foresaw the probability of scammers abusing his proof-of-concept, he deliberately built a vulnerability into Hidden Tear, so that infected users could recover their data. The researcher says the infection has a backdoor that can be exploited to recover encrypted files.
  • Fabian Wosar has cracked the LeChiffre ransomware. This strain compromised computer networks of several Indian banks, as well as a pharma company, making the victims suffer million-dollar losses. Thankfully, a decrypter is now at the affected users’ disposal. Fabian Wosar from Emsisoft is the one to thank for the solution. According to the researcher, this ransomware was designed by rookies, whom Wosar called: “The scourge of all ransomware authors.” It took him less than a day to crack the crypto. Anyone infected can download the recovery app for LeChiffre version 2.6 from Emsisoft’s official website. If you need assistance running the tool, you can ask for help in the dedicated Bleeping Computer support topic. Mr. Wosar monitors the thread and gladly responds to questions.
  • Shortcomings in the implementation of encryption by TeslaCrypt ransomware allow victims to decode files appended with the following extensions: .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc and .vvv. The flaw is in the way encryption keys are handled rather than the crypto algorithm itself. A member of Bleeping Computer came up with a technique to take advantage of TeslaCrypt. All it takes to decrypt your files is to download the TeslaDecoder tool and follow simple directions. The solution is user-friendly, so victims needn’t be tech-savvy to recover their decryption key. If some issues occur along the way, users can feel free to post the details in the TeslaDecoder Support Topic.
  • NanoLocker ransomware can be cracked, as well. A Canadian security analyst (@cyberclues) has discovered a vulnerability in its code and designed a decrypter. The encryption routine is CPU-intensive, so the computer may appreciably slow down during this process. In case the user notices this performance deterioration and reboots the PC or enters sleep mode, the Trojan discontinues the encryption job and leaves the configuration file in its current state. This config file is where the AES encryption key is stored. The researcher tailored a program that automatically locates this file and retrieves the key to decode the frozen data. The source code for the decrypter is available on GitHub and Google Drive. The expert admits, though, that capturing the necessary data prior to complete encryption may be problematic on personal computers due to a relatively small number of files and hence the short time span needed for this activity. In enterprise networks, this task isn’t as challenging because it takes NanoLocker much more time to encode a larger array of files.
  • DMA Locker isn’t foolproof either. This new ransomware was first detected in Poland. Malwarebytes experts analyzed several DMA Locker samples and determined that it was poorly designed, most likely by an unprofessional beginner. The researchers have found that this ransomware relies on a custom cryptographic algorithm, although the warning screen says it’s using a mix of AES-256 and RSA-2048. Furthermore, it was easy for the security examiners to reverse engineer the code. A major flaw is that the DMA Locker encryption key is incorporated into one of its binaries. Another failing is that the decrypter is built into the ransomware proper.
  • Researchers at Cylance managed to retrieve the data encryption password for an Anti-Child Porn Spam Protection ransomware (a variant of the ACCDFISA plague). The ransomware transformed every file into a RAR archive. The filename contained recovery instructions. Whereas it appeared impracticable to find weaknesses in the crypto implementation, Cylance experts worked to crack the password instead. Attacking the pseudo-random number generator eventually proved to be successful, as the researchers found the password in several days.
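Why attacking the generator can beat attacking the crypto, shown as an added example that is not Cylance’s tool or the ransomware’s code. The article does not describe the actual generator, so the time-seeded toy generator, the one-hour seed window and the hash used as a stand-in for "does this password open the archive" are all assumptions made for illustration.

```python
import hashlib
import math
import random
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols

def weak_password(seed, length=16):
    """Toy generator (assumption): output is fully determined by an integer seed."""
    rng = random.Random(seed)  # Mersenne Twister, not a cryptographic PRNG
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def fingerprint(password):
    """Stand-in for testing a candidate password against an encrypted archive."""
    return hashlib.sha256(password.encode()).hexdigest()

def recover_password(target_fp, seed_start, seed_end, length=16):
    """Replay the generator for every seed in the window until one candidate matches."""
    for seed in range(seed_start, seed_end):
        candidate = weak_password(seed, length)
        if fingerprint(candidate) == target_fp:
            return seed, candidate
    return None

def seed_bits(window):
    """Effective entropy when only `window` seeds are possible."""
    return math.log2(window)

def password_bits(length):
    """Entropy the same password would have if every character were truly random."""
    return length * math.log2(len(ALPHABET))

def demo():
    # Constructed scenario: the seed is a Unix timestamp somewhere in a known hour.
    window_start = 1_455_000_000
    secret_seed = window_start + 2711
    target = fingerprint(weak_password(secret_seed))
    found = recover_password(target, window_start, window_start + 3600)
    return found, secret_seed

if __name__ == "__main__":
    found, secret_seed = demo()
    print("recovered seed/password:", found)
    print("search space: %.1f bits instead of %.1f bits"
          % (seed_bits(3600), password_bits(16)))
```

The 16-character password looks strong, but the search only has to cover the seeds, which is the gap between roughly 12 bits and roughly 95 bits of work.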

Discretion on the researchers’ end is extremely important when they find a vulnerability in ransomware. This type of information shouldn’t be publicly disclosed, so that the flaws can be used to help victims recover their files before cyber criminals patch them.

Here’s some more bad news for ransomware creators:

  • The propagation of ransomware pushes security firms to address it. Whereas signature-based anti-viruses have been playing a catch-up game with these threats, vendors have started to adopt more sophisticated approaches. Behavioral detection is a good example. Emsisoft published a video of how their product detects 20 ransomware samples. Other companies are delivering anti-ransomware features, as well. Malwarebytes Anti-Ransomware, for instance, is currently in beta.
  • Criminals are trying to extort ransoms beyond file encryption scenarios, too. Several popular premium email providers were hit by severe DDoS attacks accompanied by ransom demands to make the attacks stop. A lot of the targeted companies refused to pay. Public statements of this sort will inspire more people to refrain from paying and make everyone realize it’s not a good idea to give in to fraudsters’ demands.
  • Another promising fact is that not all ransomware is dangerous. A lot of these infections are primitive browser lockers. These are just specific web pages that cannot be closed. They may look like a genuine FBI warning that requires payment. Never pay in these circumstances. You can simply close your browser by terminating its process using Task Manager. Unfortunately, plenty of people are not familiar with these simplistic methods. Raising security awareness should help.
  • The Online Trust Alliance (OTA) published its 2016 Data Protection and Breach Readiness Guide. According to this document, 91 percent of data breaches in 2015 were easy to thwart. A lot of these breaches took place due to human errors or lack of security controls in organizations. Timely software patches and basic employee training could have prevented these predicaments.

The FBI may advise paying the ransom. No one can forbid people to pay. A much more rational technique is spreading the word about data backups and winning the war this way. The more noise we make about ransomware, the more people will learn the prevention tactics and understand how easy it is to stay safe.

In most cases, it’s as simple as backing up your files and being suspicious about email attachments. Ironically enough, it’s the ransomware that encourages us to make backups.

The underground ransomware business should quickly fade away as fewer people will be paying up.

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock