
Vendors, governments make ransomware decryptors more common

Ransomware decryption tools are increasingly common today, thanks to cybersecurity vendors and law enforcement agencies working on cracking past and present ransomware threats.

With ransomware attacks on the rise, cybersecurity companies and international law enforcement agencies have been working to provide the public with free decryption tools, which have become increasingly common in recent years.

Kaspersky's Yanluowang ransomware decryptor is the most recent in a long line of free tools that have been released to provide relief for victims; it's a notable example of a decryptor that was developed just months after the new ransomware variant was discovered. The decryptor is also one of dozens of free decryption tools that the company offers on its site. Kaspersky is far from the only vendor to offer a free decryption service for ransomware on its site.

Many large cybersecurity vendors offer some form of free ransomware decryption tools today. Avast, Bitdefender, Emsisoft, Kaspersky and McAfee all provide some type of service that allows victims to search for potential remedies. It's unclear just how many victims are saved with these ransomware decryptors; vendors and law enforcement agencies often decline to provide any information about how many times these tools are downloaded.

But as the threat of ransomware has exploded in recent years, the development of valuable decryption tools has also increased. Depending on who's counting, there are anywhere from 100 to 200 different free decryptors for various ransomware strains and versions.

Decryption services

Ransomware decryption services generally function in one of two ways.

In the case of Emsisoft, the vendor partners with ID Ransomware, a free ransomware identification service. ID Ransomware can currently identify over 1,000 different ransomware strains, including BlackCat, Conti and REvil, from their ransom notes and encrypted sample files.

[Figure: Trend Micro's ransomware file decryptor] Like other services, Trend Micro's ransomware file decryptor asks victims to select the name of the variant they were infected with and provide a sample file.

Emsisoft uses ID Ransomware to determine the type of ransomware infection and then directs victims to any available decryption tools. The vendor also provides a webpage with a list of free decryptors that can be used once the ransomware strain is identified. Over 80 different strains are available to be decrypted, including Deadbolt and SunCrypt.

Avast's and Kaspersky's services operate somewhat differently. For these two companies, victims must first identify the type of ransomware they are infected with and then download a specific decryptor for that strain.

Avast provides a list of 30 different strains that it can both help identify and decrypt. For each type, Avast provides information that helps the user recognize that ransomware's markings, such as what it leaves on an encrypted file, and then offers a downloadable decryption tool. Ladislav Zezula, a senior malware analyst at Avast, discussed the process the company uses for decryption.

"We have to know the schema of encryption such as which cipher was used, how the keys are created and managed, how the attacks would decrypt the user data in case of payment and how solid the encryption schema is," Zezula said.

Trend Micro takes a similar approach to developing its ransomware decryptors. "Mostly, we collect information by gathering the ransomware binary, ransom note and encrypted files out of the infected machine," Earle Earnshaw, threat analyst at Trend Micro, told SearchSecurity. "We do in-depth analysis to acquire encryption information and other necessary information that would help in creating a decryptor tool for the said ransomware."

Trend Micro's site offers both a downloadable decryptor and a service where the user can select the ransomware group that hit them and then upload the encrypted files for decryption. Trend Micro also lists on its site the names of the ransomware it is able to decrypt, including versions of Shade and WannaCry.

Kaspersky's decryption site is also unique; it groups similar strains and compiles the downloadable decryptors so that the user can choose the right decryption tool for the type of ransomware with which they have been infected. If the user is unsure, they can click on the "how-to guide" for each ransomware type and then find a tool that will run a scan on their device for a specific type of ransomware.

For example, if a user thinks they may be infected by Yanluowang ransomware, they can click on the "Rannoh Decryptor" guide to confirm the strain of ransomware and then download the decryption tool.

Bitdefender offers a mix of both Kaspersky's and Emsisoft's methods on its site. Like Emsisoft, it provides a tool to identify different strains of ransomware; the user downloads the tool and supplies the ransom note or an encrypted file.

Once given the data, the tool then runs its analysis, and the website tells the user how to interpret the findings.

"If the ransomware family cannot be identified, the user is informed about this. In some cases, multiple families of ransomware display similar features," the instructions said. "In this case, the Bitdefender Ransomware Recognition tool displays the possible ransomware families next to an indicator of confidence. Usually, the first result is the most relevant and it is displayed with the highest confidence percentage (the one with the highest percentage). If the ransomware has an associated Decryption Tool, a link is provided in the Decryptor column."
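The confidence-ranked matching described in those instructions, as an added illustration and not Bitdefender's or any other vendor's code: the signature table, family names and file markers below are constructed placeholders, and the scoring rule (a signature's share of its own maximum score) is an assumption made for the example.

```python
# Constructed illustration of a ransomware recognition tool that ranks
# candidate families by confidence. All signatures are made-up placeholders.
from dataclasses import dataclass, field


@dataclass
class Signature:
    family: str
    note_names: set = field(default_factory=set)   # ransom note file names
    extensions: set = field(default_factory=set)   # suffix added to encrypted files
    header: bytes = b""                             # marker at start of encrypted file


# Hypothetical signature table; a real tool ships many hundreds of entries.
SIGNATURES = [
    Signature("FamilyA", {"README_TO_DECRYPT.txt"}, {".alpha"}, b"ALPHA1"),
    Signature("FamilyB", {"README_TO_DECRYPT.txt"}, {".beta"}, b"BETA01"),
    Signature("FamilyC", {"HOW_TO_RESTORE.html"}, {".alpha", ".gamma"}),
]

# A file header is stronger evidence than a note name or extension, which
# several families share (the "similar features" case in the instructions).
WEIGHTS = {"note": 1.0, "ext": 1.0, "header": 2.0}


def identify(note_name: str, sample_name: str, sample_head: bytes):
    """Return (family, confidence_percent) pairs, best match first.

    An empty list means the family cannot be identified from the evidence.
    """
    ext = "." + sample_name.rsplit(".", 1)[-1] if "." in sample_name else ""
    results = []
    for sig in SIGNATURES:
        score = 0.0
        if note_name in sig.note_names:
            score += WEIGHTS["note"]
        if ext in sig.extensions:
            score += WEIGHTS["ext"]
        if sig.header and sample_head.startswith(sig.header):
            score += WEIGHTS["header"]
        if score:
            # Confidence = fraction of the evidence this signature could
            # have matched, so a header match lifts one family above the rest.
            max_score = WEIGHTS["note"] + WEIGHTS["ext"]
            if sig.header:
                max_score += WEIGHTS["header"]
            results.append((sig.family, round(100 * score / max_score)))
    return sorted(results, key=lambda r: r[1], reverse=True)
```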

Public-private partnerships

Bogdan Botezatu, Bitdefender's director of threat research, said that he'll often partner with law enforcement agencies to develop decryptors. Law enforcement may have access to encryption keys and other information through their investigations that vendors do not. Botezatu said that gaining access to decryption keys is a large part of the partnership.

"The most important thing in ransomware is getting a hold of keys or getting a hold of coding flaws in the ransomware product or a vulnerability that would allow you to bypass encryption without knowing the key," Botezatu said. "When it comes to keys, we rely on law enforcement partners, or in some circumstances the developers or somebody very intimate with the ranks of our operating circle, to release the keys to the masses. Once we get access to these keys, we can bundle them into decryptors."

It often takes time for security researchers and law enforcement partners to obtain enough information and develop a working decryptor, especially for newer ransomware variants. That can leave some victims in limbo for months and even years. Botezatu discussed the process of helping users with ransomware that can't yet be decrypted.

"Once we have [the ransom notes and files] I can point them into the direction of an existing tool or put them on a waiting list," Botezatu said. "I keep tabs on conversations with people, and if I can't help them right on the spot because we don't have a tool at that point, I will contact them later when we finally have one."

It can take a while, but a ransomware decryptor is often eventually developed, which is why both law enforcement and the infosec community recommend that victims keep their locked data even if no decryption tool is available immediately after an attack.

"It's with great pleasure that most of the time I follow up one year or two years after the first contact and let them know 'Hey, remember you wrote us about this family of ransomware? If you listened to us and took backups of the affected files and ransom notes, you can now download this tool, let it run overnight and tomorrow you'll have all the files in place,'" Botezatu said. "They usually say 'Yay! I was on the verge of losing all hope and all of a sudden, I have my information.' It's amazing. That's what keeps us alive and motivated."

In some cases, Bitdefender will provide decryptors and blog posts for specific ransomware variants, like it did for REvil and Darkside. While Bitdefender doesn't track the money saved by each of its ransomware decryptors, Botezatu did say that the free REvil tool saved users over $800 million in unpaid ransoms.

It is not just vendors that provide access to free ransomware decryptors. The No More Ransom project, which launched in 2016, was developed by European countries along with Kaspersky and McAfee to provide a home for ransomware decryptors; it is backed by international law enforcement agencies.

The site combines the tools of many different cybersecurity vendors and puts them all in one place. Contributors include Avast, Bitdefender, Bleeping Computer, Cisco, Emsisoft, Tesorion, and Trend Micro. Altogether the project has 17 organizations in law enforcement and the cybersecurity field that have collaborated to provide decryption tools for over 150 ransomware strains.

"I think that united we're standing stronger, and we can make the world a safer place for everybody," Botezatu said.
