The disadvantages of “debugging” ransomware

The decision to release a ransomware decryptor involves a delicate balance between helping victims recover their data and alerting criminals to errors in their code.

Ransomware, the security scourge of the modern digital world, is becoming more and more dangerous. We educate users on what to do, but it’s hard to stay ahead of strong encryption wrapped in layers of obfuscation that hide both the attackers’ tracks and your files. Meanwhile, the toll is burying businesses and tying the hands of lawmakers begging for a solution. But if we publish how we broke the ransomware, won’t we just help the bad guys improve it next time?

Earlier this month, at a digital workshop in the heart of the Czech Republic, ransomware decryptor developers shared with attendees how they cracked some of the code and recovered user data. Through careful analysis, they sometimes found errors in the bad guys’ implementations or operations, which allowed them to reverse the encryption process and restore the scrambled files.

But when the good guys announce the tool to the public, the criminals quickly patch their code so that the same flaw can no longer be exploited, and the next batch of victims has no way to recover their files. Basically, researchers end up debugging the crooks’ software for them in a non-virtuous cycle.

So we’re not fixing it, we’re chasing it, reacting to it, painting over the damage. And any success may be transitory: for most small businesses that felt they had to pay to stay in business, recovering from the devastation remains impossible.

Governments – despite their good intentions – are also reactive. They can recommend, help with the incident response process, and perhaps send support, but that’s also reactive and offers little comfort to a freshly gutted company.

So they move on to tracking the money. But bad guys are usually good at hiding – they can afford all the right tools by paying with the big bucks they just stole. And, quite frankly, they may know more than many government actors do. It’s like chasing an F1 race car with a reasonably fast horse.

Either way, researchers need to be more than beta testers for the bad guys.

Nor can you simply detect and block cyber criminals’ tools, because they take advantage of the standard system tools used for the day-to-day running of your computer; those tools may even ship as part of the operating system. Open source tools are the glue that holds the whole system together, but they can also be the glue that holds together the ransomware encryption process that locks the system down.

So you are left to figure out how the criminals act. Having a hammer in your hand in a mechanic’s shop isn’t bad until you use it to smash a window. Similarly, it is the suspicious action, a legitimate tool used in an abnormal way, that makes it possible to detect the start of an attack. But doing this at the speed at which new attack variants appear is difficult.

Here in Europe, there are tremendous efforts to bring governments from various countries together to share information on ransomware trends, but the groups leading these efforts are not law enforcement themselves; they can only hope that the law enforcement agencies in each jurisdiction act quickly. And that doesn’t happen at the speed of malware.

The cloud has certainly helped, as security solutions can use it to push up-to-the-minute indicators of the pre-attack stages to your computer, so that an attack can be stopped before the encryption starts.

And it shortens the lifespan of effective ransomware tools and techniques so that they don’t make a lot of money. It costs bad guys money to develop good ransomware, and they want a return on their investment. If their payloads only work once or twice, it doesn’t pay off. If it doesn’t pay off, they’ll go do something else, and maybe the organizations can get back to business.

Back up drive

A pro tip from the conference: if you get hit by ransomware, back up your encrypted data. If a decryptor is eventually released, you may still have a chance to restore the lost files in the future. Not that it helps you right now.
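To make that tip concrete, here is an added example of how a practitioner might preserve the encrypted files while waiting for a decryptor. It is not a tool from ESET or the conference. It copies everything under a directory with timestamps intact (decryptors sometimes rely on file metadata), records a SHA-256 manifest so the copies can be verified years later, and flags small text files that look like ransom notes, since the note usually identifies the ransomware family. The keyword list used to spot notes is an assumption for illustration, not something the article specifies.

```python
"""Preserve ransomware-encrypted files for a possible future decryptor.

Added example, not ESET's or the conference's own code. Copies every file
under SRC to DEST with metadata intact, verifies each copy by hash, writes a
JSON manifest, and flags probable ransom notes. NOTE_KEYWORDS is an assumed
heuristic for illustration only.
"""
import hashlib
import json
import os
import shutil
from pathlib import Path

NOTE_KEYWORDS = ("decrypt", "bitcoin", "ransom", ".onion")  # assumption
NOTE_MAX_BYTES = 64 * 1024  # ransom notes are small text files


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large encrypted files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_ransom_note(path: Path) -> bool:
    """Small file whose text mentions any of the assumed ransom keywords."""
    try:
        if path.stat().st_size > NOTE_MAX_BYTES:
            return False
        text = path.read_bytes().decode("utf-8", errors="ignore").lower()
    except OSError:
        return False
    return any(k in text for k in NOTE_KEYWORDS)


def preserve_encrypted_files(src: str, dest: str) -> list:
    """Copy src -> dest, verify each copy, and return the manifest entries."""
    src_p, dest_p = Path(src), Path(dest)
    manifest = []
    for root, _dirs, files in os.walk(src_p):
        for name in files:
            orig = Path(root) / name
            rel = orig.relative_to(src_p)
            copy = dest_p / rel
            copy.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(orig, copy)  # copy2 keeps mtime and permissions
            digest = sha256_of(orig)
            if sha256_of(copy) != digest:  # never trust an unverified copy
                raise IOError(f"copy of {rel} does not match its source")
            st = orig.stat()
            manifest.append({
                "path": str(rel),
                "size": st.st_size,
                "sha256": digest,
                "mtime": st.st_mtime,
                "ransom_note": looks_like_ransom_note(orig),
            })
    # The manifest lives beside the copies so the set can be re-verified later.
    (dest_p / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    import sys
    entries = preserve_encrypted_files(sys.argv[1], sys.argv[2])
    notes = [e["path"] for e in entries if e["ransom_note"]]
    print(f"preserved {len(entries)} files; probable ransom notes: {notes}")
```

Keep the destination on separate, offline media, and keep the ransom note together with the encrypted files: when a decryptor does appear, the note and a couple of encrypted files are usually what you will be asked to supply.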

The best time to back things up is, of course, when you’re not being held to ransom, but it’s never too late to start. Although it’s over ten years old at this point, WeLiveSecurity’s guide to backup basics still provides practical information on how to tackle the problem and develop a solution that works for your home or small business.

ESET against ransomware

In case you’re wondering where ESET is at with creating ransomware decryptors, we take a mixed approach: we want to protect people from ransomware (which we often categorize as Diskcoder or Filecoder malware), as well as provide ways to retrieve the data. At the same time, we do not wish to alert the criminal gangs behind this scourge that we have done the technological equivalent of opening their locked doors with a set of digital lock picks.

In some cases, a decryptor may be published and made available to the public via the ESET Knowledgebase article Standalone malware removal tools. At the time of publication, we have about half a dozen decryption tools available there. Other such tools are available on the website of the No More Ransom initiative, of which ESET has been an associated partner since 2018. In other cases, however, we write decryptors but do not publish any information about them.

The criteria for announcing that a decryptor has been released vary with each piece of ransomware. These decisions are based on careful evaluation of many factors, such as the prevalence of the ransomware, its severity, how quickly the ransomware authors fix coding bugs and flaws in their own software, and so on. Even when parties contact ESET for assistance in decrypting their data, specific information about how the decryption was performed is not shared publicly, so that the decryption keeps working for as long as possible. We believe this is the best compromise between protecting customers from ransomware and still being able to help decrypt files for as long as possible. Once criminals are aware that there are flaws in their encryption, they can fix them, and it can take a long time before other flaws are found that allow data to be restored without its owners being extorted.

Dealing with ransomware, both its operators and the ransomware code itself, is a tricky process, and it’s often a game of chess that can take weeks, months, or even years to unfold as the good guys fight the bad guys. ESET’s perspective is to try to do as much good as possible, which means helping as many people as possible for as long as possible. It also means that if you come across a system affected by ransomware, don’t lose hope: there is always a chance that ESET can help you recover your data.

Ransomware might be a problem that won’t go away anytime soon, but ESET is ready to protect you against it. However, preventing it in the first place is always much better than curing it.
