When paying to escape ransomware goes wrong
The financial success that underlies today’s ransomware-style cyberattacks is helping foster a marketplace to sell, buy and develop different versions of the malware. However, in the race to create ransomware variants, experts tell CyberScoop that hackers occasionally design faulty software that ultimately fails to do what it promises: decrypt a victim’s data once a ransom is paid in full.
The FBI is aware of cases where either the attackers fail to hand over the correct decryption key or are unwilling to comply with the original ransomware demands after payment is received, FBI Unit Chief for Major Cyber Crimes Jeffrey Coburn said Tuesday while speaking at a cybersecurity conference hosted by AFCEA DC. The bureau’s official stance on ransomware is that victims should not comply with any of the attackers’ demands.
Poorly developed ransomware has gone hand in hand with the malware’s rise in use over the last two years. In 2014, Trend Micro researchers discovered a critically flawed ransomware variant known as Power Worm. The ransomware was among the first known cases to implement an encryption routine that mistakenly forgets its decryption key.
“You see situations [today] where ransomware attackers are so amateurish that they don’t know how to properly empower hospitals to de-encrypt data once the ransom is paid,” said Robert Lord, cofounder of Protenus. In such cases, a victim may pay the hacker’s ransom but will still lose access to files due to technical issues, including data corruption.
A majority of failed ransomware transactions “result from poor management practices by the ransomware operator, whereby the operator loses track of the decryption keys that correspond to any particular computer,” explained Adam Malone, director of cyber investigations and breach response at PwC.
He added, “Modern ransomware infrastructure typically relies on a Command and Control infrastructure to coordinate its activity. [And] most internet service providers and data centers would consider this type of activity illegal, which could lead to the infrastructure being taken down and the decryption keys being unretrievable.”
Broadly speaking, those who launch ransomware attacks have an ingrained incentive to make sure their demands are clearly understood, complied with and duly respected so that payments are made, explained Serge Jorgensen, cofounder and chief technology officer for security and data forensics consulting firm Sylint. In this vein, newer ransomware variants generally tend to be more reliable in that payment leads to successful decryption, and occasionally “customer service” tools are offered, experts say.
“If a company believes that, for example, a version of [ransomware variant] CryptoLocker isn’t reliable, then they won’t bother making the payment,” said Jorgensen. “Reputation actually means a lot for these guys.”
Roughly 40 percent of victims who chose to pay the ransom subsequently regained access to files, Jorgensen said, referencing Sylint’s customer base to date. Over the last four months, however, that percentage has increased to nearly 90 percent as a result of what Jorgensen described as the overwhelming use by hackers of just a few, more proven variants.