'No More Ransom' Portal Offers Respite From RansomwarePolice, Security Firms Debut Decryptor for Shade Ransomware, Promise More
Step away from the ransom payment.
There's no law in the United States and Europe that prohibits paying ransoms. But law enforcement and security experts say that beyond the legal considerations, paying ransoms funds cybercriminals, enabling them to build stronger strains of ransomware, sell it to more affiliates - many developers take a cut of all proceeds - and continue their attacks (see Please Don't Pay Ransoms, FBI Urges).
Now, the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Center, as well as two cybersecurity firms - Kaspersky Lab and Intel Security - have announced NoMoreRansom.org to offer a one-stop shop for battling ransomware infections.
The group also announced that it's successfully taken down the malicious infrastructure used by the gang behind the Shade ransomware, enabling it to develop and release a free decryption tool for 160,000 victims.
"When we've done takedowns in the past, remediation has always been the difficult part, because you've got to get people to download tools and so forth," says Raj Samani, Intel Security's CTO for Europe, the Middle East and Africa (see Ransomware Grows More Targeted).
While the Shade disruption is significant, the new portal signals how future battles must be waged, says Samani, who's also a cybersecurity adviser to Europol, the EU's law enforcement intelligence agency. "We've done this operation, but actually the bigger story now is ... [that] we're committed towards a longer-term solution around ... not having to let people decide whether to pay the ransom or not," he says. "We've now given you a third option."
The No More Ransom site offers four decryption tools that decrypt a range of ransomware variants, including CoinVault, Cryptokluchen, Rannoh and TeslaCrypt. It also includes ShadeDecryptor, a new decryptor for Shade malware, which sometimes appends ".breaking_bad" to the end of encrypted filenames.
The No More Ransom portal also allows ransomware victims to upload samples of encrypted files that the site will scan to see if the ransomware variant can be decrypted using available tools. The site also gives ransomware victims in Europe and the United States a way to report infections to authorities to help them to better trace and battle ransomware-using crooks.
The organizations behind the No More Ransoms portal say it's a noncommercial effort that other public or private organizations are welcome to join.
Fueled by easy pickings - and profits - many cybercriminals have turned to ransomware, backed by ransom demands payable only in bitcoin to make related money flows tougher for authorities to trace. Kaspersky Lab estimates that the number of PC users attacked by ransomware increased more than five-fold, from 131,000 victims between April 2014 and March 2015, to 718,000 victims between April 2015 and March 2016.
Shade first appeared in late 2014 and quickly became one of the three most widespread crypto-locking programs targeting Russians, according to Kaspersky Lab. The company says it's tracked at least 27,000 Shade infections, primarily in Russia, Ukraine and Germany, but with some also in France and the United States, among other countries. On the Bleeping Computer forums, some users reported that the Shade gang demanded 0.9 bitcoins (currently worth $590) to furnish a decryption key for a locked PC, although some users reported that they were able to negotiate the ransom down to 0.6 bitcoins ($395).
Unlocking the Future
While the availability of free decryption tools for more strains of ransomware is good news, it's unlikely that security experts would ever be able to offer a one-stop shop that's able to unlock every form of malware.
Meanwhile, researchers continue to search for new ways to battle ransomware, for example, by watching for the telltale signs that a massive number of files are being accessed, encrypted and the original copies deleted (see Researchers Unleash Ransomware Annihilation).
At least for now, however, there's no easy technological fix. An unclassified intelligence memo that Donald J. Good, the deputy assistant director of the U.S. Federal Bureau of Investigation's Cyber Division, sent in February to Sen. Ron Wyden, D-Ore., emphasized the technology-related challenges of defeating ransomware.
"Most sophisticated ransomware variants use 2048-bit RSA cryptographic key pairs to encrypt victim files. The public key is stored in the registry of the victim computer along with the version number of the malware and a complete list of all encrypted files," Good wrote, meaning each infection - and key - is unique to each individually encrypted PC.
"Cybercriminal actors hold the private key," Good says. "When a victim pays the ransom, the actors provide the private key so the files can be decrypted. Without obtaining the private key used by the actors, it is virtually impossible to recover the encrypted files. Since the most sophisticated ransomware variants are practically impossible to defeat without obtaining the actor's own private decryption keys, the FBI has focused on performing significant outreach to educate the public on ransomware and the importance of keeping backups and maintaining a level of operational security when using a computer."
Capitalizing on Ransomware Mistakes
Occasionally, ransomware developers commit coding errors that make it possible for security experts to crack the underlying crypto. That happened, for example, with Teslacrypt, earlier variants of CryptoWall and more recently the horror-themed Jigsaw - and security experts have released free decryption tools and advice. CryptoLocker, meanwhile, disappeared after an international law enforcement operation shuttered the Gameover Zeus botnet.
But technology alone has not been able to block or undo the damage caused by every ransomware variant. That's why combatting ransomware "requires a joint effort" from police, prosecutors and Europol, as well as information security firms, says Wilbert Paulissen, director of the National Criminal Investigation Division for the Dutch national police, in a statement. "Together we will do everything in our power to disturb criminals' money making schemes and return files to their rightful owners without the latter having to pay loads of money," he says.