The downside of ‘debugging’ ransomware
The decision to release a ransomware decryptor involves a delicate balancing act between helping victims recover their data and alerting criminals to errors in their code
Ransomware – the security scourge of the modern, digital world – just keeps getting more dangerous. We’re educating users about what to do, but it’s hard to stay ahead of strong encryption wrapped in layers of obfuscation that hide both the bad guys’ tracks and your files. Meanwhile, the toll buries businesses and ties the hands of legislators looking for a solution. But if we crack open the keys to ransomware, don’t we just help the bad guys make it better next time?
Earlier this month at a digital workshop in the heart of the Czech Republic, developers of ransomware decryptors shared with attendees how they cracked some of the code and got users’ data back. Through careful analysis, they would sometimes find errors in the bad guys’ implementations or operations, which allowed them to reverse the encryption process and restore the scrambled files.
But when the good guys announce the tool to the public, the criminals quickly fix the flaw and reconfigure their wares, preventing researchers from cracking open the next batch of files. In effect, the researchers are debugging the criminals’ code for them in a decidedly non-virtuous cycle.
So we’re not fixing it; we’re chasing it, reacting to it, painting over the damage. And any success may be transitory, since for the bulk of the devastation, recovery remains impossible for the small businesses that felt they had to pay to stay in business.
Governments – for all their good intent – are also reactive. They can recommend, assist with incident response and perhaps send their support, but that too is reactive and offers little comfort to a freshly gutted business.
So they switch to tracking the money. But the bad guys are usually good at hiding – they can afford all the best tools, paid for with the big bucks they just stole. And, quite frankly, they may know more than many government actors. It’s like chasing an F1 car with a reasonably fast horse.
Either way, researchers need to be more than beta testers for the bad guys.
You can’t just detect the cybercriminals’ tools and block them either, since they can leverage standard system tools used for the day-to-day operation of your computer; those tools may even ship as part of the operating system. Open-source tools are the glue that holds the whole system together, but they can also be the glue that holds together the ransomware encryption process that locks the system up.
So you’re left with detecting how the criminals act. Having a hammer in your hand in a mechanic’s shop isn’t bad until you swing it at a window. Similarly, a suspicious action, rather than a suspicious tool, can reveal the beginning of an attack. But doing this at the speed of new attack variants is tough.
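To make the "detect the action, not the tool" idea concrete, here is an added example that is not part of the original article. It runs two behavioural checks over constructed, hypothetical endpoint telemetry: the first flags built-in Windows utilities only when their command line inhibits recovery (deleting shadow copies or backup catalogs, disabling boot recovery), while letting benign invocations of the same binaries pass; the second flags a host on which many files gain a new extension within a short window, a pattern that does not depend on recognising any particular ransomware binary. The event format, hostnames, paths, extension, window and threshold are all assumptions made for the example.

```python
import ntpath
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed process-creation events: (timestamp, host, image path, command line).
# The benign "vssadmin list shadows" and "bcdedit /enum" entries exist to show that the
# detection keys on the action, not on the binary.
SAMPLE_PROCESS_EVENTS = [
    ("2023-03-01T09:00:01", "ws-017", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ("2023-03-01T09:12:44", "ws-017", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("2023-03-01T09:12:45", "ws-017", r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ("2023-03-01T09:12:46", "ws-017", r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ("2023-03-01T10:00:00", "ws-042", r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum"),
]

# Constructed file-rename events: (timestamp, host, old path, new path).
# ws-017 renames 30 documents to a ".locked" extension within 30 seconds (assumed
# ransomware behaviour); ws-042 performs two ordinary, unrelated renames.
SAMPLE_FILE_EVENTS = [
    (f"2023-03-01T09:13:{i:02d}", "ws-017",
     f"C:\\Users\\alice\\Docs\\report{i}.docx", f"C:\\Users\\alice\\Docs\\report{i}.docx.locked")
    for i in range(30)
] + [
    ("2023-03-01T11:00:00", "ws-042", r"C:\Users\bob\draft.doc", r"C:\Users\bob\notes.docx"),
    ("2023-03-01T11:45:00", "ws-042", r"C:\Users\bob\notes.txt", r"C:\Users\bob\notes.md"),
]

# Command-line patterns that only match when a built-in tool is used to remove the
# victim's ability to recover. Listing shadow copies or enumerating the BCD is fine.
RECOVERY_INHIBITION_RULES = [
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy-deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup-catalog-deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("boot-recovery-disabled", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
]


def detect_recovery_inhibition(events):
    """Return one hit per process event whose command line matches a recovery-inhibition rule."""
    hits = []
    for ts, host, image, cmdline in events:
        for name, pattern in RECOVERY_INHIBITION_RULES:
            if pattern.search(cmdline):
                hits.append({"time": ts, "host": host, "image": image, "rule": name, "cmdline": cmdline})
                break  # one rule per event is enough for an alert
    return hits


def detect_mass_rename(events, window_seconds=60, threshold=20):
    """Alert once per host when >= threshold files change extension inside a sliding window."""
    by_host = defaultdict(list)
    for ts, host, old_path, new_path in events:
        old_ext = ntpath.splitext(old_path)[1].lower()
        new_ext = ntpath.splitext(new_path)[1].lower()
        if new_ext and new_ext != old_ext:  # only renames that introduce a new extension
            by_host[host].append((datetime.fromisoformat(ts), new_ext))

    alerts = []
    for host, renames in by_host.items():
        renames.sort()
        window = deque()
        for when, ext in renames:
            window.append((when, ext))
            while (when - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                ext, _ = Counter(e for _, e in window).most_common(1)[0]
                alerts.append({"host": host, "first_seen": window[0][0].isoformat(),
                               "new_extension": ext, "count": len(window)})
                break  # one alert per host; the rest is the same incident
    return alerts


if __name__ == "__main__":
    for hit in detect_recovery_inhibition(SAMPLE_PROCESS_EVENTS):
        print("recovery inhibition:", hit)
    for alert in detect_mass_rename(SAMPLE_FILE_EVENTS):
        print("mass rename:", alert)
```

On the constructed data the process check raises three alerts, all on ws-017 and none for the benign invocations, and the rename check fires on ws-017 as soon as the twentieth file is renamed, without ever looking at which executable performed the renames. In practice both signals arrive too late to prevent the first few files from being encrypted, which is why the article's point about backups matters.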
Here in Europe there is significant effort to convene governments from various countries to share information on ransomware trends, but the groups leading this aren’t law enforcement directly; they can only hope that the relevant law enforcement jurisdictions act quickly. And that doesn’t happen at the speed of malware.
The cloud has definitely helped, since security solutions can use it to push up-to-the-minute detections of pre-attack behavior out to your computer, so the attack is stopped before the encryption starts.
That cuts the lifespan of effective ransomware tools and techniques down so they don’t make much money. It costs money for the bad guys to develop good ransomware, and they want a payback. If their payloads only work once or twice, that doesn’t pay. If it doesn’t pay, they’ll go do something else that does, and maybe organizations can go back to business.
Back up the drive
One pro tip from the conference: if you’re hit by ransomware, back up your encrypted data. In case a decryptor is eventually released, you may still have a chance of restoring the files in the future. Not that it helps you right now.
The best time to back up things is, of course, when you are not being extorted by ransomware, but it is never too late to begin. Although it is over a decade old at this point, WeLiveSecurity’s guide to Backup Basics still provides practical information about how to approach the problem and develop a solution that works for your home or small business.
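As an added example that is not part of the original article, the following script shows one way to act on that tip in a careful manner: it copies the encrypted files and the ransom note to a separate location without touching the originals, preserves timestamps, and writes a manifest with SHA-256 hashes so the copies can be verified later. The encrypted-file extension and ransom-note filename are assumptions; on a real machine you would use whatever the attackers actually left behind.

```python
import hashlib
import json
import shutil
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_encrypted_files(src_root, dest_root, encrypted_ext, note_names):
    """Copy encrypted files and ransom notes from src_root into dest_root, leaving the
    originals untouched, and return the manifest that is also written to dest_root.

    encrypted_ext: the extension the ransomware appended (assumed, e.g. ".locked").
    note_names:    filenames of the ransom note(s) to keep alongside the data.
    """
    src_root, dest_root = Path(src_root), Path(dest_root)
    note_names = {n.lower() for n in note_names}
    manifest = []

    for path in sorted(src_root.rglob("*")):
        if not path.is_file():
            continue
        if path.name.lower() in note_names:
            kind = "ransom_note"  # often identifies the family and carries the victim ID
        elif path.suffix.lower() == encrypted_ext.lower():
            kind = "encrypted"
        else:
            continue  # unaffected files are not part of this evidence set

        rel = path.relative_to(src_root)
        target = dest_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps modification times, which can matter later

        digest = sha256_file(path)
        if sha256_file(target) != digest:
            raise RuntimeError(f"copy of {path} does not match the original")

        stat = path.stat()
        manifest.append({
            "path": rel.as_posix(),
            "kind": kind,
            "size": stat.st_size,
            "mtime": stat.st_mtime,
            "sha256": digest,
        })

    dest_root.mkdir(parents=True, exist_ok=True)
    with open(dest_root / "manifest.json", "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


if __name__ == "__main__":
    import sys
    # Usage (assumed values): python preserve.py C:\Users\alice D:\evidence .locked README_TO_DECRYPT.txt
    src, dest, ext, *notes = sys.argv[1:]
    for entry in preserve_encrypted_files(src, dest, ext, notes):
        print(entry["kind"], entry["path"], entry["sha256"])
```

Two practical notes: keep the ransom note and do not rename or "clean" the encrypted files, since decryptors typically depend on both being exactly as the malware left them; and if you still have an unencrypted copy of any affected file (from an email attachment, an old backup, or a cloud sync), store it next to its encrypted twin, because some decryption tools need such a plaintext/ciphertext pair to recover the key.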
ESET versus ransomware
In case you are wondering where ESET stands on creating ransomware decryptors, we take a mixed approach: we do want to protect people against ransomware (which we often classify as Diskcoder or Filecoder malware), as well as provide ways to recover data. At the same time, we do not wish to alert the criminal gangs behind this scourge that we have done the technological equivalent of opening their locked doors with a set of digital lockpicks.
In some instances, a decryptor is published and made available to the public through the ESET Knowledgebase article Stand-alone malware removal tools. At the time of publishing, we have about a half-dozen decryption tools currently available there. Other such tools are available on the website of the No More Ransom initiative, of which ESET has been an associate partner since 2018. In other cases, though, we write decryptors but do not publicly post information about them.
The criteria for whether to announce that a decryptor has been released vary with each piece of ransomware. These decisions are based on a careful assessment of many factors, such as how prolific the ransomware is, its severity, how quickly the ransomware authors patch coding bugs and flaws in their own software, and so forth. Even when parties contact ESET to receive assistance with decrypting their data, specific information about how the decryption was performed is not shared publicly, in order to allow decryption to keep working for as long as possible. We feel that this provides the best tradeoff between protecting customers against ransomware and still being able to assist with decrypting ransomware-encrypted files for the longest amount of time possible. Once criminals are aware there are holes in their encryption, they might fix them, and it might be a long time before other flaws can be found that allow data to be restored without its owner being extorted.
Dealing with ransomware, both its operators and the ransomware code itself, is a tricky process, and it is often a game of chess that can take weeks, months or even years to play out as the good guys battle the bad guys. ESET’s take on this is to try to do the maximum amount of good, which means helping as many people as possible for the longest time possible. It also means that if you do come across a ransomware-affected system, don’t give up hope: there is still an outside chance that ESET may be able to assist you in getting your data back.
Ransomware may be a problem that is not going away anytime soon, but ESET stands ready to protect you against it. Preventing it in the first place is still far better than curing it, though.