“Nothing personal, just business” – this vanilla phrase is often seen in ransom notes dropped by file-encrypting Trojans. It comes as no surprise that ransomware makers are generally thought of as ruthless, money-craving individuals who don’t care about their victims’ current circumstances and the damage they cause by locking down precious data, writes the computer security researcher David Balaban, pictured.
Believe it or not, wicked architects of these extortion campaigns break the stereotype every now and then. Since 2013 when the crypto ransomware beast first showed its ugly fangs with the emergence of the notorious CryptoLocker strain, there have been cases where cybercriminals spilled decryption keys into the wild. These moves allowed victims to get their files back for free with no strings attached.
What’s the point?
Although it’s hard to say for sure what exactly motivates black hats to take such an unexpected route once in a while, there are several theories. Most of the past releases co-occurred with ransomware operators calling it quits, so this could be a display of compassion combined with the fact that the decryption keys become useless for the crooks at some point. Also, when a ransomware campaign gets out of hand and wreaks too much havoc, malefactors might fear a large-scale law enforcement action against them and publish the keys to ease the grip and steer clear of imminent prosecution. Yet another plausible scenario is that extortionists may sabotage their competitors by stealing and spilling the keys for more successful ransom Trojans.
The top cases to date
One way or another, sometimes seasoned cybercriminals act out of the box. Whereas that’s definitely some good news for those infected, it’s an exception rather than the rule. On a side note, security researchers and government agencies are active players in this arena. Their efforts to retrieve private keys have been successful in some episodes. The GandCrab ransomware story, which will be described further down, exemplifies the white hats’ contribution to countering the epidemic and restoring victims’ data. Below is a summary of ransomware decryption key releases that hit the headlines over the years.
● TeslaCrypt closure: apologies and master key in the same bundle
TeslaCrypt, one of the earliest competently tailored ransomware samples that debuted in 2015, pioneered in giving away the details required to restore hostage data for free. In May 2016, its authors replaced the original content of their Tor payment site with a kind of farewell message that said, “Project closed. We are sorry”. It additionally included a long string of hexadecimal characters, which turned out to be the master key that could decrypt every TeslaCrypt victim’s files. Malware analysts confirmed its validity and shortly created an automatic decryption tool.
● A surprise gift from CrySiS ransomware author
The makers of the CrySiS ransomware, another oldie in the niche of digital extortion, also decided to lend their victims a helping hand. In November 2016, an anonymous user nicknamed “crss7777” posted a message on the Bleeping Computer cybersecurity forum, listing the data recovery steps for the ransom Trojan. The presumable developer of CrySiS also provided a Pastebin link leading to a header file with the decryption keys and extra recovery details in it. Software engineers at Kaspersky used this information to update their RakhniDecryptor application so that it could support all variants of this ransomware.
● Dharma ransomware keys unearthed
Dharma ransomware distributors took a sharp turn in their activities in March 2017. An individual going by the alias “gektar” uploaded a C header file to Pastebin containing the entirety of private decryption keys for the predatory program. Whereas this person’s role in the ransomware campaign was unclear, researchers verified and confirmed the authenticity of these secret strings. As was the case with CrySiS, the Kaspersky team integrated the keys with their existing recovery solution RakhniDecryptor. This allowed Dharma victims to get their files back free of charge.
● A generous move of BTCWare group
In May 2017, the threat actors in charge of the BTCWare ransom Trojan pulled the plug on their project and published the master private key on the above-mentioned Bleeping Computer site. Later on, analysts found that it only supported two out of four variants of this ransomware, namely the ones that appended the .btcware and .cryptowin extensions to victims’ files. Thankfully, all BTCWare iterations were cracked by Avast the same month. The tool leveraged a brute-force technique to obtain the keys instead.
● Wallet ransomware keys published, but with a caveat
Another lineage dubbed the Wallet ransomware became decryptable in May 2017. Its unscrupulous proprietors showed a little bit of morality by releasing 198 master decryption keys via the Pastebin resource. Researchers from Avast and Kaspersky seized the moment and enhanced their previously created decryptors to crack the cipher and help users unscramble hostage files with the .wallet extension. The fly in the ointment was that the extortionists moved on with their dirty business by starting to distribute a new variant that stained files with the .onion string.
● Master decryption key disclosed by Petya ransomware maker
A cybercriminal calling himself “JanusSecretary,” who claimed to be affiliated with the destructive Petya ransomware campaign, made the master decryption key available to the public in July 2017. He posted a tweet containing a link to the Mega.nz cloud collaboration platform. A password-protected file on the resulting page held the secret character combo required to defeat the encryption of the original Petya ransomware as well as its spinoffs, Mischa and Goldeneye.
The victims could heave a sigh of relief because the trio caused more harm than the average ransom Trojan out there. Instead of just locking down one’s data, these perpetrating programs deleted the master boot record (MBR) and encrypted the master file table (MFT) on compromised machines. This prevented the infected computers from booting up. It’s worth mentioning that the key didn’t work for NotPetya, a copycat infection that broke out in June 2017 and spread a great deal of mayhem around the world.
● GandCrab keys retrieved by the FBI
GandCrab, a once-dominant ransomware family, halted its operations in June 2019. Its authors posted the corresponding announcement on a hacking forum Exploit.in, claiming to have earned a whopping $150 million during a year and a half of their foul play. Several weeks later, the FBI released master decryption keys for this strain. The federal agency, in collaboration with eight European law enforcement institutions, most likely obtained this data by accessing GandCrab’s Command and Control infrastructure. Security software vendors could use the keys to mastermind free decryption tools allowing the victims to undo the malicious cryptographic impact.
● Giveaway keys from Shade ransomware crew
This is the latest case. The authors of the Shade ransomware, a long-running threat active since 2014, abandoned their campaign in April 2020. Malware analysts had predicted this shutdown based on a dramatic decline in the propagation of Shade since late 2019. The felons ended up uploading more than 750,000 decryption keys to a GitHub repository. Furthermore, they provided their automatic tool to restore the skewed data. This decryptor is crudely designed, though, and the victims may have a hard time using it. To facilitate the recovery process, researchers at Kaspersky are reportedly working on an update to their user-friendly solution that will leverage the leaked keys.
Although releases of ransomware decryption keys are extremely rare, they are definitely welcome and make numerous victims’ day. It remains a mystery why cyber extortionists occasionally deviate from their normal practices. It could be a gesture of goodwill, especially when the crooks “close shop” and aren’t willing to follow a scorched earth tactic. Some security experts argue that the malefactors may do it to escape the law enforcement spotlight and avoid excessive pressure from investigators. The theory about conspiracies to ruin competing ransomware campaigns also seems reasonable.
No matter what’s on the criminals’ mind, computer users need to focus on preventing different types of ransomware attacks. Some basic digital hygiene can do the trick most of the time. It suffices to refrain from opening suspicious email attachments, say no to software downloads from unofficial sources, and keep the operating system up to date. Additionally, a rule of thumb is to back up important files and store them offline or use a secure cloud service. Even if your data has been encrypted by ransomware, consider moving it to a separate folder so that you can recover it at a later point if the attackers dump their keys or researchers create a free decryption tool.
Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.