If you can't identify the ransomware at all, there's a chance it could be fake -- a low-rent social engineering attack you can escape from easily.
3. Look for a decryption tool
When you know the exact strain of ransomware you're dealing with, you can search for possible ways to treat the infection. A handful of public tools are available, but be warned they may not work on the specific ransomware version that nailed you.
BitDefender offers a Crypto-Ransomware Vaccine to clean up CTB-Locker, Locky, TeslaCrypt, and Petya ransomware infections. Kaspersky Lab recently released a tool to unlock files encrypted by CryptXXX. There's also a RakhniDecryptor utility for restoring files infected by Rakhni and its assorted variants (identifiable by the file extension).
The attackers may have made mistakes in the encryption or a different part of the code, allowing security researchers to reverse-engineer the malware and crack the encryption. For example, Kaspersky Lab’s ScraperDecryptor utility can decrypt files because of flaws in TorLocker’s implementation of the encryption algorithm.
Cisco Talos researchers found that earlier versions of TeslaCrypt claimed to use the asymmetric RSA-2048 standard to encrypt the files, but were actually using the symmetric Advanced Encryption Standard (AES) instead, which leaves the key that decrypts the files within reach of the victim's machine. The source code for the decryptor tool for that particular strain of TeslaCrypt is available on GitHub. Another version of TeslaCrypt has a flaw in the way encryption keys are handled, so files with certain extensions -- .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, and .vvv -- can be decrypted with the TeslaDecoder tool.
BitDefender has a decryption script for Linux.Encoder, the first Linux ransomware.
Emsisoft's Fabian Wosar developed the DecryptInfinite utility to reclaim files encrypted by CryptInfinite. Wosar also released decryptors for Radamant, which changes file extensions to .rrk and .rdm, and for Gomasom and LeChiffre.
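The class of mistake described above, a symmetric key that a decryptor can recompute because it comes from a weak source, as an added and deliberately simplified example that is not code from TeslaCrypt, TorLocker, Cisco Talos or Kaspersky Lab. A toy locker derives its key from nothing but a 32-bit timestamp, and a recovery routine brute-forces the timestamps around the time the file was touched, using the known header of the file type as a plaintext check. The cipher (an HMAC-SHA256 keystream rather than AES, so the block needs only the standard library), the header constant and the sample document are all constructed for this example; the real families used AES and their own, different weaknesses.

```python
"""Toy ransomware key-handling flaw and the decryptor it permits.

Constructed example: the key is derived from a 32-bit timestamp, so the
effective key space is the few thousand seconds around infection, not the
256-bit key the cipher nominally uses.
"""
import hashlib
import hmac
import os
import struct

# Constructed sample: a fake document whose type has a known fixed header.
KNOWN_HEADER = b"%PDF-1.4"
SAMPLE_PLAINTEXT = KNOWN_HEADER + b"\n% constructed sample document body\n" + b"A" * 200


def derive_key(timestamp: int) -> bytes:
    """The flaw: the only secret material is an unsigned 32-bit timestamp."""
    return hashlib.sha256(struct.pack(">I", timestamp)).digest()


def keystream_block(key: bytes, nonce: bytes, index: int) -> bytes:
    """32-byte keystream block; stands in for AES-CTR in this toy."""
    return hmac.new(key, nonce + struct.pack(">Q", index), hashlib.sha256).digest()


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; encryption and decryption are the same op."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = keystream_block(key, nonce, i // 32)
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def toy_encrypt(plaintext: bytes, timestamp: int) -> bytes:
    """What the locker does: random nonce, key from the timestamp."""
    nonce = os.urandom(16)
    return nonce + xor_keystream(derive_key(timestamp), nonce, plaintext)


def toy_decrypt(blob: bytes, key: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return xor_keystream(key, nonce, body)


def recover_key(blob: bytes, approx_timestamp: int, window_seconds: int):
    """What the decryptor does: try every timestamp in the window and keep the
    one whose key turns the first bytes back into the expected file header.
    Only the header-sized prefix is decrypted per candidate, so the search is
    cheap. Returns (timestamp, key) or None."""
    nonce = blob[:16]
    probe = blob[16:16 + len(KNOWN_HEADER)]
    for t in range(approx_timestamp - window_seconds, approx_timestamp + window_seconds + 1):
        key = derive_key(t)
        if xor_keystream(key, nonce, probe) == KNOWN_HEADER:
            return t, key
    return None


if __name__ == "__main__":
    infected_at = 1456789012  # constructed infection time
    blob = toy_encrypt(SAMPLE_PLAINTEXT, infected_at)
    # The victim only knows roughly when it happened (file mtime, ransom note).
    found = recover_key(blob, infected_at + 1800, window_seconds=3600)
    print("recovered timestamp:", found[0] if found else None)
    print("plaintext restored:", found is not None and toy_decrypt(blob, found[1]) == SAMPLE_PLAINTEXT)
```

The search works no matter which cipher sits underneath; what makes it feasible is that the key space collapses to the timestamp window. A correctly built locker generates a random per-victim key and encrypts only that key with an RSA public key held by the attacker, so nothing on the machine can be recomputed, which is why the tools in this section exist only for families that got this part wrong.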
“Some ransomware encryption mechanisms are not very sophisticated, so in those cases it makes sense to use a decryptor tool,” says Aviv Raff, co-founder and CTO of Seculert.
Several unsophisticated attack groups have based their ransomware variants on Eda2/Hidden Tear, an open source ransomware proof-of-concept from Turkish programmer Utku Sen. Sen had backdoored the code and has helped victims recover encrypted files. Ransomware families based on this project include Magic, Linux.Encoder, and Cryptear.B, which means the files they encrypt can be recovered.
In some cases, security companies have recovered decryption keys from the command-and-control servers themselves, as Kaspersky Lab did for CoinVault and Bitcryptor victims.
A little luck goes a long way
Security experts disagree on the efficacy of these decryption tools. “These tools are ineffective,” says Norman Guadagno, chief evangelist at Carbonite. “Variants are being patched at a faster rate than we can defend against, making public decrypt codes obsolete.”