Hit by ransomware and have no backup? Most of the time, regretfully, you have little chance of recovering the encrypted data other than by paying the ransom to the extortionists. The crypto algorithms employed in these attacks cannot be cracked, and the private decryption key is kept on servers inaccessible to the victims.
But let’s be positive. Quite a few ransomware cases with a happy ending, along with the applicable decryption tools and resources, are covered in this post.
1. Locker Ransomware
Our first piece of good news is that there have been cases where a ransomware author has published all of the decryption keys, so be sure to look up your problem on search engines and check for updates on forums and in news headlines. Perhaps you can get around the issue without having to pay a pretty penny.
2. Scraper (TorLocker)
Everyone is prone to error, and so are the bad guys coding their malicious programs. For instance, security experts discovered mistakes in the code of the Scraper ransomware, originally known as TorLocker. Due to flaws in the implementation of its encryption algorithms, files can be unlocked in 70 percent of cases without giving in to the TorLocker attackers’ demands.
3. TeslaCrypt
Is the TeslaCrypt file-encrypting malware causing issues for you? Fortunately, the Cisco team has created a decryption utility. What’s funny is that the cybercriminals seem to have overreached in a bid to intimidate their victims. Researchers at Cisco discovered that while the criminals claim to be using the asymmetric RSA-2048 standard to encrypt files, they are in fact using the more primitive symmetric AES (Advanced Encryption Standard) instead. A symmetric cipher uses the same key to encrypt and to decrypt, so that key has to exist on the victim’s machine while the files are being encrypted.
4. Ransomware that appends an email address to filenames
The next case on our list is ransomware that encrypts data and appends the firstname.lastname@example.org string to the filenames. Thanks to Kaspersky’s RakhniDecryptor, people hit by this Trojan can breathe a sigh of relief and say: “Uhh, that was really close.”
5. Coinvault and Bitcryptor
The above-mentioned tool is not the only one released by Kaspersky Lab. If you have fallen victim to Coinvault or Bitcryptor, here is the right utility for you; it helps recover all locked files in a matter of minutes.
6. Linux.Encoder.1
Are you a website owner whose web server got hit by the first known Linux ransomware? There’s some good news for you too. “You must spoil before you spin well” – this proverb is appropriate for the Linux.Encoder.1 creators. They used timestamps as their random numbers, which makes the resulting keys predictable. Bad move, guys. Never do it again. Bitdefender created a remarkable script to aid the infected users.
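To show why a timestamp is a disastrous source of key material, here is an added Python simulation (not Linux.Encoder.1’s real code and not Bitdefender’s script). It models a toy encryptor whose only secret is the current Unix time, and a recovery routine of the kind a decryptor relies on: enumerate the handful of plausible timestamps around the encrypted file’s modification time and accept the one that turns the file header back into a known value. The cipher, the `%PDF-1.4` header check, the file body and the timestamps are all constructed for the example.

```python
import hashlib

# Constructed known-plaintext header used to confirm a candidate key.
MAGIC = b"%PDF-1.4"


def keystream(seed: int, length: int) -> bytes:
    """Toy keystream derived only from a 32-bit seed (hash counter mode).
    Simulation, not the ransomware's real algorithm: the point is that
    the whole key space collapses to the set of plausible seeds."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = seed.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def weak_encrypt(plaintext: bytes, timestamp: int) -> bytes:
    """Simulated encryptor: 'random' key material is just the clock."""
    seed = timestamp & 0xFFFFFFFF
    return xor_bytes(plaintext, keystream(seed, len(plaintext)))


def recover(ciphertext: bytes, mtime: int, window: int = 3600):
    """Recovery: the file was written right after encryption, so the seed
    lies shortly before its mtime. Try every second in the window and keep
    the candidate that restores the expected header. Returns
    (timestamp, plaintext) or None if nothing in the window matches."""
    head = ciphertext[: len(MAGIC)]
    for t in range(mtime - window, mtime + 1):
        seed = t & 0xFFFFFFFF
        if xor_bytes(head, keystream(seed, len(head))) == MAGIC:
            return t, xor_bytes(ciphertext, keystream(seed, len(ciphertext)))
    return None


def demo():
    plaintext = MAGIC + b" constructed sample document body"
    t_enc = 1447891200           # constructed timestamp (2015-11-19 00:00 UTC)
    ct = weak_encrypt(plaintext, t_enc)
    mtime = t_enc + 2            # file landed on disk two seconds later
    return recover(ct, mtime)


if __name__ == "__main__":
    found = demo()
    print("recovered seed:", found[0], "plaintext:", found[1])
```

The brute force costs a few thousand hash calls because a timestamp carries almost no entropy; a key drawn from the operating system’s CSPRNG would leave 2^128 or more candidates and no such shortcut.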
7. CryptoLocker
One of the most notorious viruses in this category, CryptoLocker, is not bulletproof, either. For some period of time, during the most active phase of CryptoLocker circulation, its victims were able to circumvent the encryption. FireEye, in collaboration with Fox-IT, came up with a way to retrieve the private decryption key. Their decryptcryptolocker tool helped more than 5,000 individuals and small businesses in this regard. Unfortunately, the virus authors are constantly improving their code, so decryptcryptolocker is no longer effective.
8. DecryptorMax (CryptInfinite)
Let’s look into DecryptorMax, also called CryptInfinite. Emsisoft’s Fabian Wosar succeeded in building a utility that decrypts files hijacked by this ransomware. Instructions on how to use the tool can be found here. Mr. Wosar’s application, dubbed DecryptInfinite, is fairly user-friendly. Most importantly, it bypasses the crypto routine leveraged by DecryptorMax, so that victims can get their personal information back without paying the ransom.
9. Radamant
If your file extensions have changed to .RRK and .RDM all of a sudden, it looks like you’ve got the Radamant virus on board. Fortunately, the aforementioned restless researcher, Fabian Wosar, has produced a decryptor for everyone infected. Fabian seems to work like a robot to cover your back against a variety of recent ransomware infections, so thumbs up.
10. CryptoTorLocker2015
Thankfully, CryptoTorLocker2015 is yet another poorly designed virus. Rigorous analysis based on reverse engineering the code revealed that the decryption key is embedded in the malware executable itself. It was further found that patching this executable can trick the infection into accepting an arbitrary password as the right one and starting the decryption. Therefore, anyone who has been compromised can get their files recovered with Nathan Scott’s decryptor.
The cases highlighted in this article cover just a fraction of the numerous ransomware variants appearing each and every day. Although these and other computer viruses are becoming more advanced as time goes by, security firms are doing their best to find ways of unlocking victims’ files without having to interact with the scammers.
Do not blindly pay the ransom. If you are infected, the first judicious thing to do is describe your problem on computer help forums like Bleeping Computer or Malwarebytes. Those guys keep track of the latest ransomware news and can be of great help.
For tips on how to prevent a ransomware infection, please click here.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock