So you paid a ransom demand … and now the decryptor doesn't work
- Reference: 1726061413
- News link: https://www.theregister.co.uk/2024/09/11/ransomware_decryptor_not_working/
- Source link:
But it can get even worse, as some execs who had been infected with Hazard ransomware recently found out. After paying the ransom in exchange for a decryptor to restore the encrypted files, the decryptor did not work.
The Register did not talk to the victim organization in this case – its executives declined to be interviewed about their experience – so we don't know the specifics including sector, ransom demand, what files were locked up, etc.
[1]
Still, we assume that coming to the conclusion that the best way out of the situation was to pay the extortionists – for concerns about customers' and employees' data privacy, or to bring business operations back online, or to minimize reputational damage, or because there just weren't any backups (oops) – was a pretty painful decision in itself.
[2]
[3]
But then to pay the criminals and still not be able to recover the files? That's excruciating.
"Ransomware as a whole is extremely stressful for the victim," said Mark Lance, ransomware negotiator with GuidePoint Security. "Now in this circumstance, specifically, where they've made the payment and the decryption tools don't work," the stress levels ratcheted up several notches.
We had two that occurred, where the decryption tools didn't work, in the span of the week.
"In this, and in a lot of situations like this one, they're relying heavily on those decryption capabilities working on certain systems so that they can recover operations," Lance told The Register . "So the stress substantially increases because they're like, 'Hey, we made this large ransom payment amount with established terms that said if we paid we're going to get access.'"
The infected organization obtained an updated version of the decryptor, but that wasn't working either. A third-party company that had been involved in the ransomware negotiations called in GuidePoint, which first tried the criminals' "technical support" desk and told them that the victim needed a different version of the decryptor.
[4]
But instead of providing a tool to unlock the encrypted files, the criminals sent over a renamed version of the previous decryptor. "And at that point, they went quiet and were no longer communicating with the victim," Lance said. "I think, in this instance, it was probably over the heads of the technical support team."
Whatever the reason, the org couldn't access the locked files, and the Hazard ransomware crew disappeared. Eventually, GuidePoint was able to patch the decryptor binary and then [5]brute-force 16,777,216 possible values until it found the missing bytes – ultimately decrypting the files.
It's a good reminder, however, that paying a ransom isn't a guarantee of data recovery.
What to expect when you're decrypting
"One of our primary tasks is educating the victims on what they can expect and what is going to transpire as part of the ransomware incident," Lance explained. "We're also always establishing that regardless of anything that is agreed to, you're still dealing with criminals – these are the same people who are extorting you for money. Despite how they love to talk about how they're doing you favors, and they have a 100 percent success rate for decryption, you're dealing with cyber criminals, so you can't trust them."
The frequency of instances like this, where the decryptor doesn't work, "ebbs and flows," he added.
[6]
GuidePoint hadn't had it happen in months during the ransomware negotiations and incident responses the team had performed, "but then we had two that occurred, where the decryption tools didn't work, in the span of the week."
[7]Ransomware negotiator weighs in on the extortion payment debate with El Reg
[8]LockBit redraws negotiation tactics after affiliates fail to squeeze victims
[9]Ransomware batters critical industries, but takedowns hint at relief
[10]Six ransomware gangs behind over 50% of 2024 attacks
Some of the more "sophisticated" [11]ransomware-as-a-service groups have internal technical support teams to perform more advanced troubleshooting. Lance noted his team has seen these crews escalate the problem to the more technically advanced members of the crime gang when things break – just like a regular, non-criminal IT operation.
There's also the [12]newbies and the less sophisticated crews that lack the technical skills or even the reputational concerns – more about that in a moment – to even attempt next-level data recovery activities.
Ultimately, the reasons why decryption tools don't work vary. In the Hazard ransomware incident, the decryptor had a bug. Sometimes the gangs provide a tool for the wrong environment, also rendering it useless. Or sometimes they just decide to screw over the victims.
The latter doesn't happen too frequently – this is a [13]business for these crooks, and if they earn a reputation for not decrypting data even after receiving a ransom payment, they aren't going to continue making money off of future victims.
All of these factors should be taken into consideration by the infected businesses, and they play into the education piece that GuidePoint and other incident responders bring to victims once they've been hit.
"We have made a lot of progress in education and awareness," Lance explained. "People understand that this is not just a security or IT problem, but it is a business problem, and people are seeing the true impacts associated with ransomware."
He added that while there used to be more of a stigma attached to disclosing ransomware attacks, "we're seeing more of a trend where people are saying we are being impacted, so let's make sure that other people have the opportunity to learn and leverage what we are going through so hopefully they don't." ®
Get our [14]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZuG-o59tE5Fpir5r-4bmXwAAABE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuG-o59tE5Fpir5r-4bmXwAAABE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZuG-o59tE5Fpir5r-4bmXwAAABE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuG-o59tE5Fpir5r-4bmXwAAABE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://www.guidepointsecurity.com/blog/hazard-ransomware-a-successful-broken-encryptor-story/
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZuG-o59tE5Fpir5r-4bmXwAAABE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/05/12/ransomware_negotiator_payments/
[8] https://www.theregister.com/2023/11/17/lockbit_cracks_whip_on_affiliates/
[9] https://www.theregister.com/2024/08/22/critical_industrial_ransomware/
[10] https://www.theregister.com/2024/08/13/lockbit_ransomware_stats/
[11] https://www.theregister.com/2023/11/17/lockbit_cracks_whip_on_affiliates/
[12] https://www.theregister.com/2024/02/06/akira_and_8base_new_ransomware_research/
[13] https://www.theregister.com/2024/08/13/lockbit_ransomware_stats/
[14] https://whitepapers.theregister.com/
Backups!
Not sexy, not macho, but backups are the way forward. (Or, in a sense 'backwards' to a working system and happy / satisfied customers.)
Yes, they are tedious, and you hope that you will never need them, and you have to manage them, and administer them, and they cost money, but hey NOT HAVING A BUSINESS is even more expensive.
Re: Backups!
Having full backups is only the first step.
They also need to be tested regularly.
And you need to have at least yearly full restore to bare metal (to clean rootkits those guys will leave behind) drills.
Short of that, just running regular full backup will only increase you storage costs.
Re: Backups!
"at least yearly full restore to bare metal"
Just yesterday in a meeting I had a project manager try to decline having a local copy of installation media, on the grounds that "we'd never rebuild the system from scratch, only ever restore a system backup instead". My reply of "never say never" was met with "well, we'd call in the 3rd-party vendor to do the rebuild". And what if that 3rd-party vendor can't get ahold of the (by-then) obsolete version of the software?
Keep known-clean copies of everything, including OS installer (with all required files), required software installers, and copies of critical settings. Everything needed to do an offline (non-internet-connected) total rebuild of the system. Yes, it's a terrible day when you ever need to pull them out. But it's orders of magnitude worse if you need them and don't have them.
Sounds like it is time to polish your CV.
A project manager who has already decided that backups are a nuisance is a danger to the company and will make it fail at the worst possible time (as if there were any other time).
Re: Backups!
You have said what I came here to write.
The trouble with backups is that they are a complete waste of time ... until you need them. Thus the C-suit can not do them (or not do them properly) and no one will notice - until that fateful day.
I fear that the only way of ensuring that they are done (& tested) is by use of a big stick: insurance companies demand proof that they are being done; or government legislation (which will lead to cries of "nanny state"). Anyone any better ideas ?
Re: Backups!
If you're working in the financial sector, many clients will demand proof of backups, off-site storage, penetration testing, etc. Large customers won't do business without due diligence and the ability to enforce compliance with best practices and fiduciary requirements.
Re: Backups!
Fine showing they are being done on paper, but the proof is the restoring or retrival of data. I know a large company who could show the former and satisfy whatever audits, but fell over badly during Wannacry and trying to recover
And be wary of those devices with test/dev/uat naming that are in fact, real live production boxes - that just so happen to be rather critical and never backed up
Re: Backups!
Backups are just one part of a business resiliency plan. I was just in contact with an organization that got hit by ransomware, and the first thing that the attackers hit was the backup server, so recovery from backup would have meant reinstalling the backup software first, recovering the backup metadata (you DO know how to do that, right?), and then restoring from off-site media (you DO have off-site media, right?). At the point that I got involved in the problem, the technical staff had already been working for hours trying to determine the scope of the attack and were pretty desperate to get their production systems back up and online. Rather than recovering from conventional backups, we recovered their data from snapshots on their storage array, which, fortunately, were uninfected by the ransomware and were only a few hours old.
The sad fact is that there are lots of poorly-resourced IT organizations out there. Sometimes the problem is budgetary, but as part of my job role, I talk to IT staff across a swath of sectors and industries, and the technical ignorance I regularly encounter is somewhat shocking. Some people understand the scope of their shortfalls but many do not, and those are the organizations that are ripe for the picking.
Re: Backups!
The missing word here is "immutable".
A large service provider here in Sweden got owned recently. They didn't have immutable backups, so the first thing the crooks did was to encrypt the backups.
The biggest shame is that many of their customers were government authorities. None of these authorities could be bothered to check the security and recoverability of the cost saving outsourcing they had realised moving everything to "the cloud" and firing everyone who worked in their IT departments.
The only losers here are the taxpayers of course. To levy a fine against a government authority for incompetence is pointless.
Well "Hooray" for Ransomware Negotiators
And there was me thinking that perhaps encouraging these criminals to carry out their crimes by rewarding their efforts with cash might actually, I don't know, give them the idea to do it again. And again. And again.
And not a snarky journo comment in the entire article. Shame. Are we supposed to just accept that Ransomware Negotiation is a good thing? Totally normal? Totally OK?
Hope springs eternal
> pay the extortionists – for concerns about [obvious stuff]
...Except that you're placing all your hopes on the honesty of criminals!...
Once you've paid them, why would they bother decrypting your stuff? Why wouldn't they ask for even more money, later (or immediately)? Why wouldn't they refrain from gaining some free street cred by reselling all the data they have stolen from you?
Your only hope is that they are honest, trustworthy criminals, who will strive to make sure to repair any damage they've caused, and for whom your well-being is the most important thing in the world...
I think you would be better advised to avoid clicking on that mysterious-yet-oh-so-intriguing link, but that's me.
Re: Hope springs eternal
Did you read the article? It tells you why they would decrypt your stuff: any group that had a reputation of not decrypting would fimd that no ome would pay them? Why would you?
Re: Hope springs eternal
There's nothing to stop a ransomware gang having a different name per victim. They are not selling anything, so don't need branding. If they are worried that a victim won't pay an unknown gang, they can send a free decrypter that restores 10% of the files as proof of ability (a bit like a kidnapper sending a finger, but less damaging)
Re: Hope springs eternal
> any group that had a reputation of not decrypting would find that no one would pay them
Victims are caught between a rock and a hard place: Can you really chose to get trapped by a criminal with a better reputation?
I have no actual data to support this, but knowing human nature I'm pretty sure the decision to pay or not to pay is only marginally affected by such abstruse things like criminal group reputation. It mostly depends on the decision makers' character, some will give in, some won't.
"So you paid a ransom demand ... And now the decryptor doesn't work"
Hey El-Reg, I've come up with a handful of shorter, snappier sub headings for the article for you. You can have them for free:
"Good"
"Serves you right"
"Fool me once, shame on you. Fool me twice..."
Perfect, this is what we need!
This is the news story we need to see more of. When businesses figure out the decryption tools FAIL, then they will stop paying the ransom. And once the victims figure out paying the ransom is a fools errand, then they will stop paying. When ransomware no longer pays the bills....well you can see where this goes.
Every time a business chooses to pay a ransom they need to release a news article like this one, regardless of whether it is true or not.
Ha
The company I worked for paid a $50k ransom and TONS of geometry models didn’t work anymore after recovery. I only found out about a month after I had started. I sorta had developed a feeling they were a bunch of amateurs, which was rapidly becoming a strong conviction. Interestingly, there had previously been an entire engineering and design department of whom there was one drafter left. I remember part of the job description was “solve differential equations,” I asked what they had in mind, because even Newton’s reaction equation F=m.A is a differential equation. They never asked me to solve any such equations (too bad!) but they did ask me to recreate a design from a bankrupt competitor’s blueprints… which they said they bought at the bankruptcy auction. Well, for the wrongful dismissal lawsuit I found out, no, it was the other guys had bought the intellectual property assets, and not only that, had paid almost $2 million for the works. Yeah, they elected to settle out of court.
(Personally, I found a discarded Netgear NAS for $20, 3D printed some caddy shells, loaded up with HDDs, and keep it as an offline backup. Yeah, I just shut off the power between backups. I’d like to see the hacker who can hijack my unplugged NAS backup!)
Re: Ha
F=m*A is NOT a differential equation. Differential equations involve derivatives, not simple multiplication.
As for a hacker hijacking the NAS - some of them are nasty enough to infect a system but not do anything, have the malware wait 6+ months, then spring the attack. If you try to restore from your 5-month-old backups, you find they're infected too. The mostly-offline NAS is a good move, but nothing is foolproof.
Re: Ha
F=mA is equivalent to F=dp/dt (rate of change of momentum (p) over time), in fact that was Newton's original formulation (imagine a dot over the p instead of Leibnitz's d/dt though), which would make it explicitly a differential equation. "A" can of course also be expressed as dv/dt, so F=mA is at least *implicitly* a differential equation.
See also https://math.stackexchange.com/questions/2890262/how-is-f-ma-a-differential-equation-confirmation
Re: Ha
The acceleration does not depend on the force or vice versa, outside of the simple relationship of F=mA. A differential equation is something like dy/dt = y(t), where the derivative (possibly second- or third-) of the function is part of its own definition.
Re: Ha
Sounds like you know about the business.
Paying the Dane Geld
Pay the Geld, and you'll never get rid of the Dane...
What was true so many years ago, remains true to today...
"For C-suite execs and security leaders, discovering your organization has been breached, your critical systems locked up and your data stolen, then receiving a ransom demand, is probably the worst day of your professional life."
Third worst, surely.
Second worst is finding out that your bonus is reduced because of it.
First worst is discovering that someone can prove that it's your fault.