What to do? There’s a minor chance you can save your files without surrendering your wallet or trashing your PC entirely. A group of security researchers routinely examines the latest ransomware strains for flaws in their computer code, and develops free tools that can (sometimes) reverse the infection.
Michael Gillespie is among those researchers. He’s a programmer by day, but in his free time he works as a ransomware hunter for the New Zealand-based antivirus firm Emsisoft, a leading provider of ransomware decryptors. Desperate victims frequently reach out to him for help. “I can get anywhere from 50 to 200 people contacting me per day. It’s crazy,” he said in an interview.
Finding the Bugs
When a ransomware infection hits your PC, the malicious code encrypts your files and posts a note, demanding you pay up or never see your data again. If you give in, the hackers will (theoretically) send you a decryption key to recover your files. But like any piece of software, a ransomware strain can be buggy. Gillespie has exploited those vulnerabilities to create an estimated 100 decryptors, which anyone can download for free.
The bugs can happen for a number of reasons: The hacker behind the malicious code may be a newbie. Or the ransomware itself may be an early first version that has yet to work out all its kinks. If there’s a weakness in the encryption algorithm—the crucial process that turns your files into gibberish—then a researcher can potentially unravel a ransomware attack and reverse the infection.
(Gillespie has a YouTube channel devoted to ransomware decryption.)
“The golden rule is that crypto (cryptography) is hard, and ransomware developers are human too,” Gillespie said. Lately, victims have been reaching out to him for help to recover from the “STOP DJVU” strain, which often comes packaged with pirated software. Fortunately, Gillespie was able to create a decryptor, since early versions of the attack embedded a usable decryption key within the ransomware’s computer code.
“Ransomware authors, as a whole, really don’t learn,” said Fabian Wosar, chief technology officer at Emsisoft. Wosar began hunting ransomware in 2012, and since then, he’s created decryptors for an estimated 150 ransomware families or more, which he finds surprising.
(Emsisoft’s decryption tool list)
“Four years ago, I was 100 percent sure that by now we would never see a ransomware family again that had any flaws that we could exploit,” he said. “But we still see them at the same frequency.”
He suspects the biggest reason is that rookie hackers are routinely trying their hand at ransomware. “A whole bunch of new people are joining the game,” he said. The more successful ransomware authors, on the other hand, can retire after raking in so many ransoms. “So we have a whole bunch of new people committing the same mistakes again and again.”
Foiling the Hackers
Wosar estimates there’s usually a one-in-five chance a brand-new ransomware strain can be successfully decrypted. Other strains have been reversed thanks to law enforcement agencies busting the hackers and retrieving decryption keys from their servers.
But many hackers behind the biggest ransomware attacks appear to be pros who continue to elude capture. Today’s most notorious ransomware strains—such as REvil and Ryuk—are likely linked to organized cybercriminal gangs that specialize in targeting businesses and city governments and have successfully extorted millions in bitcoin from victims.
Researchers such as Wosar and Gillespie have made a major dent in some of the hackers’ earnings, with their individual decryptors downloaded tens of thousands of times.
So why are these researchers helping victims for free? It’s not exactly sound economics for an antivirus firm to create a decryptor at no cost. But it does generate good press for Emsisoft, which helps justify the time and effort.
“I feel like I’m doing my good part in the world, and getting my fame in,” Gillespie said. Fascinated by cryptography, he began tackling ransomware over four years ago as a hobby.
As for Wosar: “Personally, my biggest reason why I’m doing this is I really enjoy pissing off the ransomware authors.”
Still, foiling hackers can sometimes come at a price. Last year, Wosar left his home country of Germany over worries a ransomware author might one day try to track him down and send a hired killer. “At this point, we may have done $750 million in damages to all the different hacking groups,” he estimated. “It would only take a tiny fraction of that amount to send someone to visit me, and convince me not to write decryptors anymore.”
(Messages ransomware authors have left for Fabian Wosar over the years.)
Wosar says he’s currently “laying low” in the UK, where he continues to examine and decrypt the latest ransomware strains. He also keeps a digital folder with screenshots of all the times hackers have insulted him for decrypting their ransomware attacks. In 2016, one cybercriminal even created a malware strain named “Fabiansomware” to troll Wosar.
“It’s like flattery, almost,” Wosar said.
Emsisoft isn’t alone in developing ransomware decryptors. The industry, along with law enforcement, created Nomoreransom.org, which hosts various free decryptors, and has helped more than 200,000 victims recover from attacks, according to Europol.
US law enforcement is not part of the Nomoreransom.org project, though, likely because the website’s partners include Russian antivirus firm Kaspersky Lab and the Russian Ministry of Internal Affairs.
An FBI spokesperson told us the agency’s main role is in ransomware investigations, which can include privately consulting with victims on their recovery options. “We’ll point people to decryption keys that are publicly available, and tell them to use their best judgment,” the spokesperson added.
(The Nomoreransom.org site.)
Decryption Is Not a Salvation
Although the free decryption tools can provide some relief to the ongoing ransomware epidemic, they have their limits. That’s because ransomware authors can be quick to fix their creations.
“Whenever you release a free decryption tool, you are telling the bad guys to tweak their code,” said Jakub Kroustek, a security researcher at antivirus firm Avast, who also develops decryption tools. “If the hackers are clever enough, they will fix it.”
“There are two sides of this coin,” he added. “If a new ransomware strain arrives, and you’re the first victim, the chances are quite good there’s some flaw.” But those decryption tools can also help hackers refine and debug their attacks, making their ransomware creations resistant to future attempts at decryption.
As a result, it’ll take more than finding software bugs to stop the ongoing ransomware epidemic. Victims—including consumers, businesses, and governments—will need to stop giving in to the ransomware demands, and focus on protecting their computers.
“The number one prevention tip is backups,” Gillespie said. “If all your safety nets fail, a backup is what can save your ass in the end.”