THE ROLE OF DECRYPTION TOOL AGAINST THE RANSOMWARE THREAT
Last summer, the Virtual System Administrator (VSA) software published by Kaseya in the US was exploited by REvil, impacting the company and many of its international clients. In this case, the FBI withheld the decryption key from the victims for three weeks in order to protect its operation against REvil.
What’s the purpose of a decryption tool?
As the name suggests, decryption tools are designed to decrypt encrypted data. Often based on previous analysis of the ransomware, these tools use decryption keys, much like a password, to regain access to locked data. Today many decryption tools are offered online, sometimes even for free, providing a quick solution when the ransomware family is already known.
Let’s consider a company hit by ransomware. Depending on the criticality of the encrypted data, the company will have to choose between paying the ransom or, if it is prepared, launching its recovery plan. Recovery implies rebuilding the infrastructure from previous backups, provided they are still accessible, which is never a trivial assumption. Paying the ransom is an even less reliable way to recover a safe and complete information system.
A decryption tool can be an alternative way to recover the data, with advantages such as being widely available, affordable and quick. The No More Ransom project, launched by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee, now makes available 121 free ransomware decryption tools that can decrypt 151 ransomware families. More than six million ransomware victims have used those tools to recover encrypted files.
However, a decryption tool can only be developed for ransomware that contains a weakness. If a ransomware’s encryption is implemented 100% correctly, there is no vulnerability to exploit and no decryption key to be recovered. The decryption tool is therefore a solution only for a certain type of ransomware.
Moreover, this option is safe only when the tool is provided by a reliable publisher. Many fake decryption tools, used as scam vectors, are offered for free online. Besides, since ransomware is in constant evolution, decryption tools have to follow the updates or rapidly become irrelevant.
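Two checks a responder would run before trusting a downloaded decryptor, as an added example that is not part of the original newsletter or of any real decryption tool: verify the tool’s SHA-256 against the hash the publisher announced (the hash value is assumed to be obtained out of band), and trial a candidate key on a copy of a single file, accepting it only if the output starts with a known file-type signature. The `toy_decrypt` routine and the sample file are constructed stand-ins so the harness runs offline.

```python
import hashlib
from typing import Callable, List, Optional

# Known file-type signatures (magic bytes) used to judge whether a candidate
# key really produced valid plaintext. Deliberately short table.
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/office",
    b"\xff\xd8\xff": "jpeg",
}

def tool_is_trusted(tool_bytes: bytes, published_sha256: str) -> bool:
    """Compare the downloaded tool with the hash the publisher announced
    (assumed to come from the publisher's own site, not from the download mirror)."""
    return hashlib.sha256(tool_bytes).hexdigest() == published_sha256.lower()

def looks_like_plaintext(data: bytes) -> Optional[str]:
    """Return the detected file kind, or None if no known header matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def trial_decrypt(sample: bytes, candidates: List[bytes],
                  decrypt: Callable[[bytes, bytes], bytes]) -> Optional[bytes]:
    """Try each candidate key on ONE copied sample; return the first key whose
    output carries a recognised file header. Originals are never touched."""
    for key in candidates:
        try:
            out = decrypt(key, sample)
        except Exception:  # a wrong key may make a real decryptor raise; keep trying
            continue
        if looks_like_plaintext(out):
            return key
    return None

# Constructed stand-in for a decryptor's core routine: a hash-derived keystream XOR.
# Real tools implement the specific family's (flawed) scheme; this exists only so the harness runs.
def toy_decrypt(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# Constructed sample: a PDF header "locked" with the toy scheme (XOR is symmetric).
SAMPLE_PLAIN = b"%PDF-1.7\n% constructed sample document\n"
SAMPLE_ENCRYPTED = toy_decrypt(b"family-key", SAMPLE_PLAIN)
```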
The controversy over the publication of decryption tools
Decryption keys can be seen as ransomware vulnerabilities. In the same way that vulnerabilities are patched when discovered, when a decryption key is found, criminals patch their ransomware to make it more effective, and the decryption key becomes irrelevant for the next victims.
Months before the Colonial Pipeline attack, two researchers had found a decryption key that could help DarkSide victims recover, and chose not to share it. But Bitdefender discovered the key as well and published it online, alerting the victims as well as the attackers. The day after this publication, DarkSide publicly stated that they had corrected the problem and even addressed a message to the company: “Special thanks to BitDefender for helping fix our issues. This will make us even better”.
This is not an isolated case. Earlier this year, a Spanish researcher found a weakness in the Avaddon ransomware and developed a decryption tool for it. He published it on GitHub with an explanation of how to use the tool. As in the DarkSide case, this information was shared publicly, available to the victims as well as to the ransomware developers, who corrected the vulnerabilities.
In the Kaseya case, the decryption key was kept by the FBI because its publication would have hindered an offensive cyber operation against the REvil gang. This meant letting victims such as schools and hospitals deal with the problem without sharing a solution with them, in order to reach the attackers. In the end the operation did not take place immediately, as in the same month the websites run by the REvil ransomware gang suddenly became inaccessible.
BreachQuest CTO Jake Williams called the situation a classic case of an intelligence gain/loss assessment. He pointed out that the direct financial damage was almost certainly larger than the FBI believed, but “on the other hand, releasing the key solves an immediate need without addressing the larger issue of disrupting future ransomware operations”.
Decryption tools: a partial solution
Beyond the debate on whether to publish them, CERT-W’s crisis management interventions have shown that, even if helpful, decryption tools are not the ultimate and perfect solution to a ransomware attack.
Indeed, decryption tools are only usable for a limited subset of existing ransomware: those whose encryption mechanisms were not built with state-of-the-art cryptography. Even when an attack falls into this category, meaning the affected data can be recovered safely, the attacked company still has to tackle the biggest issue of such an attack: rebuilding, at the very least, the core of the information system that was compromised. Relying on decryption tools alone to face the ransomware threat is far from a complete and reliable solution.
CERT-W: FROM THE FRONT LINE
The First Responder Word
Reading Of The Month
To learn more about the evolution of cybercrime, we recommend reading Europol’s Internet Organised Crime Threat Assessment 2021. This report focuses on the changes and developments in cybercrime threats over the last 12 months.