Ransomware attacks are something we’ve covered frequently here on TechGenix because of the negative consequences businesses face when their IT infrastructure becomes infected by ransomware. And because prevention is always the preferred approach to keeping your infrastructure healthy, we also have a number of articles on how you can protect your business from becoming infected. These articles have included a list of some of the best anti-ransomware tools available for PCs, a description of some Microsoft Windows and Office 365 features you can use to prevent and/or mitigate ransomware attacks, a bucket list of best practices for ransomware protection, and an explanation of how the File Server Resource Manager (FSRM) role service of the Windows Server platform can help safeguard your environment from ransomware. We also have an article that describes some practical steps you can take when an infection occurs to limit the scope of the damage that may occur. And for those who aren’t familiar with how ransomware works we’ve published this guide about what you need to stay safe in the increasingly dangerous world of ransomware.
You’re infected: What’s next?
What we haven’t talked much about until now however is what you can do, if anything, once your business has become infected by ransomware and your data is being held hostage. Obviously, one of the first things you should do is notify law enforcement. Depending on what industry sector your business occupies and the jurisdiction area you reside within, you may also be required to promptly make such notification. Ransomware attacks and the extortion attempts that accompany a successful infection are a criminal action and your business has a responsibility to cooperate with law enforcement agencies in their investigation of such attacks. Beyond doing this however, and if you are unable to restore your captive data from backups, you may not have to cough up the ransom money being asked for by the attackers. At least not yet.
The good news, somewhat ironically, is that ransomware attacks are now such a widespread problem that a large proportion of them may actually be recoverable from. This because of what I call the “Wannabe Syndrome,” and by this I’m not referring to the WannaCry ransomware that struck the world in May 2017 and is said to have affected more than 200,000 computers in more than 150 different countries. Instead what I mean is that every criminal and his dog now “wants to be” in on the action of extorting money from companies by attacking them with phishing emails that launch ransomware attacks on their businesses. And it’s these wannabe attacks that are the ones you may be able to recover from when your systems become infected by their “me too” ransomware.
Remember the “script kiddies” way back in the early years of this millennium? Carnegie Mellon defines them as hackers who “use existing and frequently well-known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet — often randomly and with little regard or perhaps even understanding of the potentially harmful consequences.” It’s that last bit about lack of understanding that’s important to understand about many of the ransomware attacks that are happening these days. Not lack of understanding of the consequences of ransomware infections, but rather a lack of technical understanding of the tools they’re using to initiate ransomware attacks.
Luckily, ransomware is not always good software
On the face of it once your data has been encrypted by a hostile actor it seems impossible to decrypt it without paying the ransom demanded for the necessary decryption key. Even with today’s supercomputers any encryption done with a sufficiently strong key can withstand brute-force decryption for much longer than your company would be willing to consent to — and much longer than age of the universe in many cases. The reality however is that wannabe ransomware attackers frequently don’t know what they’re doing when they create the software they use to perform ransomware attacks. As a result some ransomware software toolkits have flaws in how they implement cryptography. These flaws can include such things as poor encryption key generation techniques, inappropriate reuse of keys, improper key sizes, and leaving copies of the private key on the infected systems either on a storage device or within accessible memory.
Most of these flaws are likely a result of a lack of technical understanding on the part of the actors concerning the tools they’ve found on the Dark Web and the scripts and code they’ve cobbled together to utilize these tools and launch their attack. For example, their programmer might use snippets of code they find on an MSDN page concerning cryptography APIs without really understanding how the code works and what all the various parameters mean. As a result of their technical knowledge, any data their software encryptions might actually be easily decrypted by anyone having expert knowledge of these cryptography APIs. And since normal production code in any case often has bugs that either haven’t been discovered or are deliberately ignored for various reasons, the way encryption has been implemented in such toolkits might simply be buggy and open to allowing decryption.
The server from which the malicious actor has launched his attack may also be vulnerable in ways that could benefit you if your business has been infected. So if for example the private key you need to recover from the infection is being stored on the server used to launch the attack, it might be possible to compromise this server, obtain the private key, and decrypt the captive data on your systems. And even if you don’t have the necessary expertise yourself to hack the attacker’s server, you might be able to find a legitimate company in the information security business that has experts who have such abilities. In fact they may already have the key you need for decrypting your data since many wannabe ransomware attackers use the same keys for performing all their attacks. It may also be that someone else gave up and paid the ransom demanded by the same malicious actor that has infected your own business, and this has surfaced a key that other companies like yourselves who have been attacked by this actor can now use to easily recover from the infection.
Where to get help after a ransomware infection
Where can you find an information security company that has expertise in recovering systems and data from a ransomware attack? You might start by asking the law enforcement officials you contact. Another possibility to pursue is your antivirus software vendor as these companies need to be skilled in using low-level APIs to build the software they use to protect systems from malware. They also often have access to a wide range of telemetry information that can help them understand how malware works and the limitations of ransomware software. And finally, you may want to contact the IT heads of a few organizations that have experienced ransomware infections to see whether they can recommend any security vendors who might be able to help you recover from your infection and avoid having to pay the ransom being demanded from your company.
Featured image: Shutterstock
