Incident response

Ransomware Authors Flunk Again and Again

David Balaban
July 11, 2016 by
David Balaban

It turns out that some crypto ransomware samples are not as sophisticated as they appear. The black hat hackers are just as error-prone as everyone else. Security researchers are busy finding their mistakes and exploiting them to defeat the encryption and help victims get their valuable files back. Furthermore, the emergence and rise of the Ransomware as a Service (RaaS) model has allowed wannabe cybercrooks, many of whom are script kiddies, to launch extortion campaigns of their own.

Thankfully, security vendors and enthusiasts have succeeded in cracking numerous ransomware strains over the past several months. The battle is on, but it's not all doom and gloom anymore.

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

Real-World Success Stories

  • Windows users who suddenly discovered that their valuable files were no longer accessible and had the encrypted extension appended to the filenames can now heave a sigh of relief. Emsisoft's Fabian Wosar managed to crack the crypto and created a free decrypt solution for the Apocalypse Ransomware. All it takes to obtain the private key is drag-and-drop an encrypted and unencrypted version of the same file onto the recovery tool's interface.
  • Fabian Wosar, the above-mentioned researcher, has also succeeded in getting around the ApocalypseVM ransomware, which utilizes the VMProtect technology to thwart reverse engineering of the Trojan's code. The decryptor allows victims to recover scrambled files with the .locked extension without having to pay up. The only requirement for successful retrieval of the private key is that the sample file must be at least 4096 bytes in size.
  • A Polish security enthusiast nicknamed 'hasherazade' created decryption tools for two editions of the 7ev3n ransomware. To use the first version of the decryptor, the victim needs to copy their unique ID mentioned in the FILES_BACK.txt ransom note and paste it into the appropriate field on 7ev3n Decoder GUI. The second build requires accurate information on the original folder where the sample file was stored.
  • The ransomware dubbed BadBlock isn't the most sophisticated strain ever, to say the least. In fact, it has quite a few technical flaws and may encrypt system executables along with the user's personal data. Such a silly approach can make the infected computer completely inoperable. Fortunately, Fabian Wosar from Emsisoft made the victims' day by creating a decrypt solution. The free tool calculates the private key based on the following input: an encrypted file and its unencrypted copy.
  • The year-long TeslaCrypt ransomware campaign, which was shut down in May 2016, had caused a great deal of trouble to thousands of users around the globe. Luckily, most of its editions could be cracked courtesy of a security expert nicknamed 'BloodDolly' and professionals at ESET. Both tools (BloodDolly's TeslaDecoder and TeslaCryptDecryptor, respectively) are capable of retrieving the decryption key, which can be used to decode all files or the data residing in a specified directory.
  • The users whose files became concatenated with the .777 extension and could not be opened due to ransomware impact, should, once again, give a shout-out to the Emsisoft team. The professionals reverse engineered this malware sample and found a weak link in the way the perpetrators implemented the cryptosystem. The lightweight decryptor allows all those infected to detect all .777 files and recover them automatically.
  • Although the Crypren ransomware, which appends the .encrypted string to filenames, demands a relatively low ransom of 0.1 Bitcoins (about $70) for decryption, it is quite a troublemaker. The users whose files were hit by this strain can get them back intact, courtesy of the Nyxbone online resource for malware analysis. The tool, which is readily available on GitHub, helps Crypren victims obtain the private decryption key and restore the scrambled data.
  • CryptXXX, one of the today's prevalent ransomware threats, is skillfully designed but isn't unbeatable either. Researchers over at Kaspersky Lab were able to devise a methodology to decrypt the first two iterations of this Trojan. The company's solution called RannohDecryptor has a module built in that beats CryptXXX encryption and restores the original versions of the victim's files in a matter of minutes. Experts at Kaspersky are now busy upgrading their software to crack the newer editions of this virus.
  • The novelty about DMA Locker ransomware is that it affects files on unmapped network shares along with mapped ones and local drives. Thankfully, researchers from Emsisoft found that the decryption key was built into the Trojan's binary. This allowed the experts to come up with a tool that automatically locates the key and decrypts data held hostage by two editions of the infection.
  • The odd thing about the infection called Alpha Ransomware is that its authors accept iTunes Gift Cards as a ransom payment option. It doesn't take a rocket scientist to track these payments down. Another fail by the extortionists is that they didn't implement the cryptosystem right. The flaw has allowed Michael Gillespie, a computer forensics expert also known as Demonslay335, to create AlphaDecrypter. This tool enables the infected Windows users to restore data in a selected directory, delete the encrypted copies and erase ransom notes.
  • The above software, RannohDecryptor by Kaspersky, covers several different ransomware families along with the latest CryptXXX pest. These strains also include the Rannoh ransomware proper, AutoIt, Crybola, Cryakl, and Fury. For the user's convenience, the utility can obliterate the skewed versions of files after successful decryption. Unfortunately, the tool cannot restore data jumbled by CryptXXX version 3 and onwards at this point.
  • The Jigsaw Ransomware isn't a run-of-the-mill sample because it erases some of the victim's files every hour incrementally until a ransom of $150 is submitted. Furthermore, it generates a creepy warning message with the image of the well-known movie character. Quite symbolically, the researcher who goes by the handle Demonslay335 released a decryptor for this sample. Before using the free JigSawDecrypter, a victim should terminate the ransomware processes (firefox.exe and drpbx.exe) so that the virus stops deleting data.
  • The ransomware called CryptoHost engages a great deal of bluff in its operation. Although its ransom note states that files were encrypted, what happens instead is the Trojan moves the data to an RAR archive and locks it with a password. Researchers discovered that the password is composed of the name of the RAR object and the current username. Before unlocking the archive, though, users should remove the ransomware.
  • The Cryptear.B incident would have never occurred if a Turkish researcher Utku Sen hadn't created a proof-of-concept ransomware dubbed Hidden Tear. Cybercriminals used the open-source code to create a real-world threat of their own. Luckily, Mr. Sen had incorporated an obfuscated backdoor in his product, which ultimately allowed him to obtain the master key for decryption.
  • An antimalware enthusiast nicknamed 'leostone' managed to defeat the encryption by Petya, an aggressive strain of ransomware that encrypts the infected machine's MFT (Master File Table) rather than files proper and demands 0.9 Bitcoins for decryption. To use the fix, a victim should go to a specially crafted website and enter two strings of Base64 encoded data located in specific places on the contaminated hard drive. The so-called 'genetic algorithm' then calculates the decryption key which, when entered onto the lock screen, makes the computer operable again.
  • The LeChiffre ransomware hit the headlines in January 2016 as it compromised large enterprise networks of banks and pharma companies in India. In spite of the ostensible sophistication of this sample, Fabian Wosar of Emsisoft created a decryptor for it in less than a day. The victims can simply download and run his tool, select the drive to decrypt data on, and wait for the recovery process to go all the way.
  • NanoLocker, another aggressive ransomware scourge, isn't unbeatable either. The success of decryption, though, relies on early detection. A researcher named Adam, who runs the Malware Clipboard site, did some analysis and discovered that if a would-be victim notices a CPU spike due to the resource-heavy encryption process and shuts down the PC or activates the hibernate mode immediately, they can use a decryptor that will dissect the configuration file and find the AES decryption key in it.
  • In early March 2016, a viable ransomware was discovered that targeted Mac OS X. Dubbed the KeRanger, it was circulating via a booby-trapped version of Transmission, a popular BitTorrent client. This sample is reportedly a spinoff of Linux.Encoder, whose encryption had been cracked by Bitdefender and Dr.Web. The latter company released a statement on March, 11 that they were able to decrypt KeRanger. The flip side of the coin, though, is that only registered Dr.Web customers could use the decryptor.
  • Due to a well-orchestrated operation by the Dutch National High Tech Crime Unit (NHTCU), Kaspersky Lab and Panda Security, two men (18 and 22 years old) were arrested on suspicion of infecting over 1,500 Windows computers with the CoinVault ransomware in more than 20 countries. Obviously, ransomware operators can suffer a real-world failure and end up in jail aside from simply getting their encryption defeated. This case also proves how effective a collaboration of the law enforcement with private third parties can get. Fortunately, all CoinVault victims got their decrypt keys and recovered the locked data.
  • Emsisoft's Fabian Wosar, a true ransomware slayer with multiple decryption cases in his portfolio, has also managed to disappoint the malefactors behind the CrypBoss ransomware family consisting of CrypBoss proper as well as HydraCrypt and UmbreCrypt. The researcher developed a tool that beats the asymmetric crypto and determines the private key for decryption. The infected user must drag-and-drop both a random encrypted file and its original backed-up version onto the decrypt_hydracrypt executable, which is available for download on Emsisoft's official web page.
  • As crypto ransomware is evolving and going cross-platform, it has also started affecting mobile devices. A campaign involving a sample known as Android.Lockdroid broke out in late January 2016. The infection leverages a sophisticated clickjacking technique to dupe Android users into authorizing its installation. This means people think they are pushing a 'Continue' button on a harmless app's dialog, but they are actually tapping an 'Activate' button on an obfuscated layer beneath the visible GUI. About 1,000 users reportedly fell for this trick, but fortunately, the built-in Verify Apps feature by Google prevented the setup from going all the way.
  • Gomasom, which is an acronym for Google Mail Ransom, is another nasty ransomware sample that appends a string with a Gmail address and the .crypt extension to affected files. It is particularly dangerous because it encodes executables along with personal data elements, which prevents programs and OS components from running. Once again, Fabian Wosar did a great job analyzing this threat and created a decryptor that extracts the private key. The already familiar drag-and-drop routine does the trick as long as the user has a ciphered and normal version of the same file.
  • Some ransomware makers end up feeling sorry about what they do and dump the information necessary for decrypting hostage data. The author of the Locker Trojan, for instance, uploaded a database with all public and private keys to Pastebin. These data turned out to be valid and enabled Locker victims to recover their files. Security analyst Nathan Scott devised the 'Locker Unlocker' tool, which automates the decryption process.
  • TorLocker, also known as the Scraper ransomware, originally targeted Japanese users and used a combo of AES-256 and RSA-2048 cryptosystems to lock data. Thankfully, researchers at Kaspersky Lab created the ScraperDecryptor application, which takes advantage of shortcomings in the crypto implementation and allows most of the victims to reinstate their files without paying the ransom of $300 or higher.
  • Malware analysists on the Cisco team managed to get around the first iteration of the infamous TeslaCrypt ransomware. In particular, they found that while the ransom notes mentioned RSA-2048 as the algorithm used in the attack, the actual standard was AES-256, a weaker symmetric cryptosystem. The command line utility called TALOS TeslaCrypt Decryptor obtains the master key based on the key.dat file that the Trojan creates in the computer's Application Data path.
  • In collaboration with NHTCU, the above-mentioned Dutch police unit, Kaspersky Lab came up with a tool that decrypts files scrambled by Bitcryptor. This sample reportedly belongs to the same family as CoinVault, whose distributors were caught and imprisoned in 2015. The decryptor uses a database of more than 14,000 keys to decode victims' data.
  • The RakhniDecryptor applet by Kaspersky beats the crypto implemented by a dozen of ransomware strains, including the widespread one that concatenates the helpme@freespeechmail(dot)org email address to filenames. A victim needs to download the tool, select the objects to scan (hard drives, removable drives and network drives), run the scan and wait for the decryption routine to complete. The program can also eliminate the encrypted versions of data components.
  • The Linux.Encoder.1 ransomware wasn't a successful startup for its ill-disposed creators and distributors. Although it attempted to cover the niche of Linux machines, the campaign failed because of a huge flaw in the generation of the AES keys. It turned out that the sample derived these keys from the system timestamp at the moment of file encryption. The Bitdefender team tailored a solution that retrieves these details automatically without having to deal with the RSA algorithm used to encrypt the AES keys.
  • CryptoLocker was once a big thing on the ransomware arena. The campaign was taken down by law enforcement agencies in June 2014, but numerous copycats followed the original infection. Experts at FireEye and Fox-IT had a response for these attacks. They set up a portal titled 'DecryptCryptoLocker', where victims could upload a random encrypted file and then receive their private decryption key and the automatic tool to recover the information. Since CryptoLocker went extinct, this service was discontinued as well.
  • Ransomware victims' best friend Fabian Wosar also devised a utility that recovers items encrypted by the CryptInfinite Trojan, which adds .crinf extension to filenames. After dragging and dropping two files, an original one, and its skewed copy, over the tool's executable, the victims are supposed to select the email address indicated in the ransom note and then wait for the brute forcing of the key to complete.
  • Courtesy of Mr. Wosar, the Radamant ransomware appending .rdm string to files could be decrypted as well. As opposed to his other tools, the Emsisoft Decrypter for Radamant doesn't need an input of an encrypted and unencrypted version of the same file. Instead, users should simply select a drive or directory, click 'Decrypt' and give it some time to do the recovery job.
  • Analysts at Cylance were able to beat the so-called 'Anti-Child Porn Spam Protection' ransomware, which was active in summer 2015. It turned one's valuable files into encrypted RAR items. The researchers circumvented the cryptographic facet of the attack and cracked the RAR password instead. To that end, they exploited the specific pseudo-random number generator used in this compromise.
  • Those who fell victim to CryptoTorLocker2015 didn't run into much trouble recovering from the attack. Having reverse engineered this sample, malware analyst and programmer Nathan Scott found that it had plenty of imperfections to allow easy decryption. In particular, by patching the Trojan's executable it was possible to make it accept any password as the right one.


The fact that so many breeds of ransomware have been decrypted is certainly promising. Whereas the security industry is still playing catch-up with the perpetrators, the online extortion business is no longer smooth and easy due to the combined efforts of the law enforcement, antimalware companies, and enthusiasts. Moreover, yet, relying on the release of a free decryptor alone is a road to nowhere, because there are still plenty of ransom Trojans that cannot be defeated. Therefore, a sound backup strategy is imperative to keep important data intact.

David Balaban
David Balaban