The downside of ‘debugging’ ransomware | WeLiveSecurity

The decision to release a ransomware decryptor involves a delicate balancing act between helping victims recover their data and alerting criminals to errors in their code

Ransomware, the security scourge of the modern, digital world, just keeps getting more dangerous. We’re educating users about what to do, but it’s hard to stay ahead of killer encryption sprinkled liberally around layers of obfuscated digital tracks that hide the bad guys’ deeds and your files. Meanwhile, the toll buries businesses and ties the hands of legislators begging for a solution. But if we crack open the keys to ransomware, don’t we just help the bad guys make it better next time?

Earlier this month at a digital workshop in the heart of the Czech Republic, developers of ransomware decryptors shared with attendees how they cracked some of the code and got users’ data back. Through careful analysis, they would sometimes find errors in the bad guys’ implementations or operations, which allowed them to reverse the encryption process and restore the scrambled files.

But when the good guys announce the tool to the public, the scammers quickly reconfigure their wares with tactics that are ‘more completely unhackable’, preventing researchers from cracking open the next batch of files. Basically, the researchers are debugging the scammers’ wares for them in a non-virtuous cycle.
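
To make the two paragraphs above concrete, here is an added illustration. It is not code from the workshop, from ESET or from any real ransomware family; the cipher, the `.locked` extension, the header table, the filenames and the timestamps are all constructed for the demo. The toy filecoder makes one mistake of the kind decryptor authors look for: it derives the per-victim key from nothing but the whole-second infection time. The decryptor brute-forces that second and accepts a candidate key only if every locked file with a known extension decrypts to its expected header. The last step shows the downside the article describes: once the author swaps in a random key, the very same decryptor has nothing left to attack.

```python
"""Toy filecoder with a key-derivation bug, and the decryptor that exploits it.

Constructed illustration only: not code from any real ransomware family.
"""
import hashlib
import os
import struct
from typing import Dict, Optional

LOCKED_EXT = ".locked"  # constructed marker extension

# Headers a decryptor can use to check a candidate key (constructed subset).
KNOWN_HEADERS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
}


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 over key||counter, used as a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def flawed_key(infection_time: int) -> bytes:
    """The bug: the per-victim key depends only on the whole-second infection time,
    so there are only a few thousand candidates once that time is roughly known."""
    return hashlib.sha256(b"toy-filecoder-v1" + struct.pack(">Q", infection_time)).digest()


def fixed_key() -> bytes:
    """What the author ships once the decryptor is announced: a random 256-bit key."""
    return os.urandom(32)


def encrypt_files(files: Dict[str, bytes], key: bytes) -> Dict[str, bytes]:
    """Encrypt every file under one key; the keystream restarts for each file."""
    return {name + LOCKED_EXT: xor(data, keystream(key, len(data))) for name, data in files.items()}


def decrypt_files(locked: Dict[str, bytes], key: bytes) -> Dict[str, bytes]:
    return {name[: -len(LOCKED_EXT)]: xor(data, keystream(key, len(data))) for name, data in locked.items()}


def recover_key(locked: Dict[str, bytes], time_window: range) -> Optional[bytes]:
    """Decryptor: brute-force the infection second. A candidate key is accepted only if
    every locked file with a known extension decrypts to its expected header."""
    checks = []
    for name, data in locked.items():
        ext = os.path.splitext(name[: -len(LOCKED_EXT)])[1]
        if ext in KNOWN_HEADERS:
            checks.append((data, KNOWN_HEADERS[ext]))
    if not checks:
        return None  # nothing to verify a guess against
    for t in time_window:
        candidate = flawed_key(t)
        if all(xor(data[: len(hdr)], keystream(candidate, len(hdr))) == hdr for data, hdr in checks):
            return candidate
    return None


# Constructed victim data and infection time for the demo.
SAMPLE_FILES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + bytes(range(40)),
    "report.pdf": b"%PDF-1.7\n% constructed sample\n",
    "notes.txt": b"no magic header here, but the key is shared\n",
}
INFECTION_TIME = 1_700_000_000
SEARCH_WINDOW = range(INFECTION_TIME - 3600, INFECTION_TIME + 3600)  # +/- 1 h around the files' mtimes


def demo() -> Dict[str, bool]:
    locked = encrypt_files(SAMPLE_FILES, flawed_key(INFECTION_TIME))
    key = recover_key(locked, SEARCH_WINDOW)
    recovered = decrypt_files(locked, key) if key else {}
    # Same files, same decryptor, after the author fixes the key derivation.
    relocked = encrypt_files(SAMPLE_FILES, fixed_key())
    return {
        "flawed_version_decrypted": recovered == SAMPLE_FILES,
        "fixed_version_decrypted": recover_key(relocked, SEARCH_WINDOW) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

A real decryptor would bound the search window from the locked files’ modification times or the ransom note’s timestamp; the demo passes the window in explicitly. Checking every known-header file rather than a single one keeps the chance of accepting a wrong key low, and the file without a recognisable header (`notes.txt`) still comes back because the whole victim shares one key.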

So we’re not fixing it, we’re chasing it, reacting to it, painting over the damage. But any success may be transitory, as recovery from the bulk of the devastation remains impossible for the small businesses that felt they had to pay to stay in business.

Governments, for all their good intent, are also reactive. They can recommend, assist with the process of incident response and perhaps send their support, but that is also reactive and offers little comfort to a freshly gutted business.

So they switch to tracking finances. But the bad guys are usually good at hiding; they can afford all the good tools by paying with the big bucks they just stole. And, quite frankly, they may know more than many government actors. It’s like chasing an F1 racing car with a reasonably fast horse.

Either way, researchers need to be more than beta testers for the bad guys.


You can’t just detect the cybercriminals’ tools and block them either, since they can leverage standard system tools used for the day-to-day operation of your computer; those tools may even ship as part of the operating system. Open-source tools are the glue that holds the whole system together, but they can also be the glue that holds together the ransomware encryption process that locks up the system.

So then you’re left with determining how the criminals act. Having a hammer in your hand in a mechanic’s shop isn’t bad until you swing it at a window to break it. Similarly, detecting a suspicious action can catch the beginning of an attack. But doing this at the speed of new attack variants is tough.

Here in Europe there is significant effort to convene governments from various countries to share information on ransomware trends, but the groups leading this aren’t law enforcement directly; they can only hope the law enforcement jurisdictions act quickly. And that doesn’t happen at the speed of malware.

The cloud has definitely helped, since security solutions can leverage it to push out up-to-the-minute pre-attack scenarios that your computer should trigger on to stop an attack.

And it cuts the lifespan of effective ransomware tools and techniques down so they don’t make much money. It costs money for the bad guys to develop good ransomware, and they want a payback. If their payloads only work once or twice, that doesn’t pay. If it doesn’t pay, they’ll go do something else that does, and maybe organizations can go back to business.

Back up the drive

One pro tip from the conference: back up your encrypted data if you’re hit by ransomware. In case a decryptor is eventually released, you might still have a chance of restoring lost files in the future. Not that it helps you right now.
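
A concrete way to follow that tip, as an added example that is not from the article or the conference: copy the encrypted files and the ransom notes byte for byte, keep their names, directory layout and timestamps, verify each copy, and record a SHA-256 manifest so you can prove later that nothing was altered before a decryptor is run over it. The `.locked` extension and the `README_TO_RESTORE.txt` note name are constructed placeholders; substitute whatever the family on your systems used. Leave the files unrenamed and uncleaned, because decryptors frequently key on the exact extension, on data the malware appended to each file, and on identifiers in the ransom note.

```python
"""Preserve ransomware-encrypted files for a possible future decryptor.

Added example; LOCKED_EXT and NOTE_NAMES are constructed placeholders.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict

LOCKED_EXT = ".locked"
NOTE_NAMES = {"README_TO_RESTORE.txt"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(src: Path, dst: Path) -> Dict[str, dict]:
    """Copy encrypted files and ransom notes under src into dst, keeping names,
    directory layout and modification times, verify each copy, and write a manifest."""
    dst.mkdir(parents=True, exist_ok=True)
    manifest: Dict[str, dict] = {}
    for p in sorted(src.rglob("*")):
        if not p.is_file() or (p.suffix != LOCKED_EXT and p.name not in NOTE_NAMES):
            continue
        rel = p.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)  # copy2 preserves the modification time
        digest = sha256_file(p)
        if sha256_file(target) != digest:
            raise IOError(f"copy of {rel} does not match its source")
        st = p.stat()
        manifest[rel] = {"sha256": digest, "size": st.st_size, "mtime": int(st.st_mtime)}
    (dst / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(dst: Path) -> bool:
    """Re-hash the preserved copies against the manifest (run this before feeding a decryptor)."""
    manifest = json.loads((dst / "manifest.json").read_text())
    return all(sha256_file(dst / rel) == entry["sha256"] for rel, entry in manifest.items())


def demo() -> Dict[str, dict]:
    """Build a constructed victim tree in a temp dir, preserve it, and verify the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "victim", Path(tmp) / "evidence"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "budget.xlsx.locked").write_bytes(b"\x13\x37" * 64)
        (src / "README_TO_RESTORE.txt").write_text("constructed ransom note\n")
        (src / "docs" / "unaffected.txt").write_text("not encrypted, not collected\n")
        manifest = preserve(src, dst)
        if not verify(dst):
            raise RuntimeError("preserved copy failed verification")
        return manifest


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `preserve()` at the affected share and at offline storage (an external disk or an isolated bucket), and keep the manifest with the copies; the modification times it records also help bound when the encryption ran, which some decryptors need.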

The best time to back up things is, of course, when you are not being extorted by ransomware, but it is never too late to begin. Although it is over a decade old at this point, WeLiveSecurity’s guide to Backup Basics still provides practical information about how to approach the problem and develop a solution that works for your home or small business.

ESET versus ransomware

In case you are wondering where ESET stands on creating ransomware decryptors, we take a mixed approach: we do want to protect people against ransomware (which we often classify as Diskcoder or Filecoder malware), as well as provide ways to recover data. At the same time, we do not wish to alert the criminal gangs behind this scourge that we have done the technological equivalent of opening their locked doors with a set of digital lockpicks.

In some instances, a decryptor might be published and made available to the public through the ESET Knowledgebase article Stand-alone malware removal tools. At the time of publishing, we have about a half-dozen decryption tools currently available there. Other such tools are available on the website of the No More Ransom initiative, of which ESET has been an associate partner since 2018. In other cases, though, we do write decryptors but do not publicly post information about them.

The criteria for whether to announce that a decryptor has been released vary with each piece of ransomware. These decisions are based on a careful assessment of many factors, such as how prolific the ransomware is, its severity, how quickly the ransomware authors patch coding bugs and flaws in their own software, and so forth. Even when parties contact ESET to receive assistance with decrypting their data, specific information about how the decryption was performed is not publicly shared, in order to allow decryption to work for as long as possible. We feel that this provides the best tradeoff between protecting customers against ransomware and still being able to assist with decrypting ransomwared files for the longest time possible. Once criminals are aware there are holes in their encryption, they might fix them, and it might be a long time before other flaws can be found that allow data to be restored without its owner being extorted.

Dealing with ransomware, both its operators and the ransomware code itself, is a tricky process, and it is often a game of chess that can take weeks, months or even years to play out as the good guys battle the bad guys. ESET’s take on this is to try to do the maximum amount of good, which means helping as many people as possible for the longest time possible. It also means that if you do come across a ransomware-affected system, don’t give up hope: there is still an outside chance that ESET may be able to assist you in getting your data back.

Ransomware may be a problem that is not going away anytime soon, but ESET stands ready to protect you against it. Preventing it in the first place is still far better than curing it, though.
