Kaspersky's new decryption tool can unlock select ransomware

Shawn Knight



Ransomware is something you’ll hopefully never have to deal with but should your system somehow become infected, there’s now a new tool that may be able to unlock it without having to fork over any money.

For those unfamiliar, ransomware is the general term for a category of malware that prevents users from accessing certain types of files on their computer. Some variants even lock down the entire PC, using scare tactics (and pure frustration) to convince users to hand over money to have their system files unlocked.

The Dutch police’s National High Tech Crime Unit (NHTCU) recently happened upon a database of decryption keys on a CoinVault server. CoinVault is a piece of ransomware for Windows systems that has been circulating among nefarious hackers since last November.

The team commissioned Kaspersky Labs to build a decryption tool based on these keys that attempts to unlock ransomware-laden PCs. Given the nature of the tool and the limited set of decryption keys, this solution obviously won’t work for everyone, but there’s no reason not to give it a try.

As authorities continue their investigation into the CoinVault ransomware, it’s possible that they could unearth even more decryption keys that could be added to Kaspersky’s tool.

As for the investigation itself, Dutch police haven’t arrested any suspects yet. That could happen soon, however, as authorities believe the individual(s) behind the CoinVault ransomware may be living in the Netherlands.


 
If I'm ever unfortunate enough to get infected by it I'll simply format my machine again. There's no way on God's green earth I'll ever fork over any moolah to those turds.
 
If I'm ever unfortunate enough to get infected by it I'll simply format my machine again. There's no way on God's green earth I'll ever fork over any moolah to those turds.

Well said. But most people don't know how to back up their hard drives, let alone format them. It's sad to see people fall victim to these ransomware viruses and fork over their hard-earned money.
 
Pretty impressive screen; people are so dumb these days, I can see them forking over the money. Sorry, not trying to be a d***, just saying.
 
The stupid ransomware fked it up for everyone. Now I can't even buy MoneyPak cards anymore, and I hear they're being fully phased out this year.
 
Well said. But most people don't know how to back up their hard drives, let alone format them. It's sad to see people fall victim to these ransomware viruses and fork over their hard-earned money.
Wouldn't rolling back to an earlier restore point work? I'm asking because I really don't know; I disable System Restore on my desktop, but most people don't.
 
Well said. But most people don't know how to back up their hard drives, let alone format them. It's sad to see people fall victim to these ransomware viruses and fork over their hard-earned money.
Wouldn't rolling back to an earlier restore point work? I'm asking because I really don't know; I disable System Restore on my desktop, but most people don't.
I imagine the restore point files are also encrypted?
 
Well said. But most people don't know how to back up their hard drives, let alone format them. It's sad to see people fall victim to these ransomware viruses and fork over their hard-earned money.
Wouldn't rolling back to an earlier restore point work? I'm asking because I really don't know; I disable System Restore on my desktop, but most people don't.
IIRC, System Restore generally does not modify user files; rather, it creates a snapshot before the registry is changed, catalogues which system files are being changed, and creates a backup repository of old files in case it is reverted. What you're thinking of is closer to Volume Shadow Copies, which are aimed more at user data but can also be used for entire volumes. The problem is that most ransomware is smart enough to silently delete all shadow copies and, in some cases, all restore points as well.

The only surefire way to recover from encryption ransomware is to keep a backup of your data that is not attached to the computer or accessible via the network, as there is some ransomware that will follow mapped drives and even shortcuts to network locations.
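The post above makes the point that ransomware silently deletes shadow copies and restore points, which is exactly the behaviour a defender can alert on. The script below is an added example, not code from the thread, from Kaspersky or from the Dutch police: it parses constructed process-creation records (Sysmon Event ID 1 style, key=value form, made up for this example) and flags the shadow-copy deletion commands, raising severity when the parent process runs from a user-writable directory such as Temp or AppData. The rule names, field names, path markers and sample lines are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events (Sysmon Event ID 1 style, key=value form).
# These lines are made up for this example; they are not from the thread or any real incident.
SAMPLE_LOG = r"""
Time=2015-04-14T10:02:11 EventID=1 User="LAPTOP\alice" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet" ParentImage="C:\Users\alice\AppData\Local\Temp\funny_video.exe"
Time=2015-04-14T10:02:12 EventID=1 User="LAPTOP\alice" Image="C:\Windows\System32\wbem\WMIC.exe" CommandLine="wmic shadowcopy delete" ParentImage="C:\Users\alice\AppData\Local\Temp\funny_video.exe"
Time=2015-04-14T10:03:05 EventID=1 User="LAPTOP\alice" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows" ParentImage="C:\Windows\explorer.exe"
Time=2015-04-14T10:05:40 EventID=1 User="NT AUTHORITY\SYSTEM" Image="C:\Windows\System32\srtasks.exe" CommandLine="srtasks.exe ExecuteScheduledSPPCreation" ParentImage="C:\Windows\System32\svchost.exe"
Time=2015-04-14T10:06:00 EventID=3 User="LAPTOP\alice" Image="C:\Users\alice\AppData\Local\Temp\funny_video.exe" DestinationIp=203.0.113.5
"""

# Each rule lists case-insensitive substrings that must ALL appear in the command line.
# Rule names are this example's own, not from any vendor product.
SHADOW_COPY_TAMPER_RULES = {
    "vssadmin_delete_shadows": ["vssadmin", "delete", "shadows"],
    "wmic_shadowcopy_delete": ["wmic", "shadowcopy", "delete"],
    "wbadmin_delete_catalog": ["wbadmin", "delete", "catalog"],
}

# Path fragments (assumed) that mark a parent process living in a user-writable location.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# key=value pairs; values containing spaces are double-quoted in this constructed format.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    time: str
    rule: str
    command_line: str
    parent_image: str
    severity: str


def parse_event(line):
    """Turn one key=value record into a dict; quoted values keep their spaces."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def parent_is_user_writable(parent_image):
    p = parent_image.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def detect_shadow_copy_tampering(log_text):
    """Return one Alert per process-creation event whose command line matches a rule."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        if ev.get("EventID") != "1":          # only process-creation events carry a command line
            continue
        cmd = ev.get("CommandLine", "")
        lowered = cmd.lower()
        for rule, needles in SHADOW_COPY_TAMPER_RULES.items():
            if all(n in lowered for n in needles):
                parent = ev.get("ParentImage", "")
                severity = "high" if parent_is_user_writable(parent) else "medium"
                alerts.append(Alert(ev.get("Time", "?"), rule, cmd, parent, severity))
                break                          # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_tampering(SAMPLE_LOG):
        print(f"[{a.severity}] {a.time} {a.rule}: {a.command_line!r} (parent {a.parent_image})")
```

Run against the sample, the detector flags the two deletion commands launched from the Temp directory and ignores both the read-only `vssadmin list shadows` and the scheduled restore-point creation by `srtasks.exe`; the substring rules are deliberately loose so that argument reordering does not evade them, and the parent-path check is what turns a noisy administrative command into a high-severity alert.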
 
Well said. But most people don't know how to back up their hard drives, let alone format them. It's sad to see people fall victim to these ransomware viruses and fork over their hard-earned money.
Wouldn't rolling back to an earlier restore point work? I'm asking because I really don't know; I disable System Restore on my desktop, but most people don't.
I imagine the restore point files are also encrypted?


Sometimes yes, often no. I was hit with a UK version (the "Ukash" or "Metropolitan Police" virus) in January of 2013. The infamous splash screen appeared at 10AM. I was VERY angry, because I got the virus in a very stupid manner: I had let a friend use my laptop to read her email, and she was too stupid not to click on some random supposedly amusing supposedly YouTube supposed video. In any case, I immediately switched the machine off and did a System Restore, and within minutes it was as if nothing had ever happened...

"AS IF", I say, because that evening when I went back to check that truly things were OK, I only then noticed the ransom note on my desktop. To make a long story short, several thousand files had been encrypted during the 20 minutes or so preceding the splash screen. I have no idea how some files were chosen for encryption and others were not.

In fact, at the time, I didn't realize that System Restore can protect documents as well as system files. I found this out rather randomly some time later when I noticed the "restore" tab in the properties of an affected file. I was so thrilled, I thought that all I had to do when I came across an infected file would be to restore it. I didn't realize that System Restore periodically/occasionally 'refreshes' its restore copy. If I had immediately restored each infected file, I would have got them all back. I didn't, of course, because I didn't want to restore any intact files (and risk losing recent changes). Without realizing it, as time went on, more and more of the 'good' restores got replaced by shadow copies of the infected file. By the time I realized what was happening, it was more a case of "what had happened". About 1000 files were lost forever. Since this happened in January 2013, I doubt that the Kaspersky tool will help me.

Actually, many of the files were videos, and I see from looking at the files that in fact the virus does so much damage because it DOESN'T encrypt the whole file. It seems just to encrypt the first 8K or so. But for many video file formats, a file of 4GB+ can be rendered useless by randomizing just this first 0.02% of the file. If anyone knows of a tool for creating a good header for such a video file by guesswork, heuristics, and open access to the last 99.98% of the video, I would be grateful for a pointer to it.

Moral of the story: Sometimes System Restore really can be your friend. But you have to use it if you want it to do something :). Oh well

scott
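scott's observation that the malware scrambled only the first 8K of each file points to a useful triage step before anyone attempts repair: check whether each file's header still carries the signature its extension implies, and measure the entropy of that header to tell "scrambled" apart from "merely unrecognized". The script below is an added example, not scott's tool or anything from the page; it identifies candidates but does not rebuild headers. The signature table, the 8192-byte header length (taken from the comment), the 7.0 bits/byte entropy threshold and the sample files it writes to a temporary directory are all assumptions and constructed data.

```python
import math
import os
import random
import tempfile

HEADER_BYTES = 8192        # the comment above reports roughly the first 8K being scrambled
ENTROPY_THRESHOLD = 7.0    # assumption: 8K of ciphertext scores ~7.97 bits/byte, text far lower

# Small, deliberately incomplete table of magic numbers: kind -> (offset, bytes).
SIGNATURES = {
    "mp4/mov": (4, b"ftyp"),
    "mkv/webm": (0, b"\x1a\x45\xdf\xa3"),
    "avi": (0, b"RIFF"),                # plus "AVI " at offset 8, checked in identify()
    "jpeg": (0, b"\xff\xd8\xff"),
    "png": (0, b"\x89PNG\r\n\x1a\n"),
    "pdf": (0, b"%PDF-"),
    "zip/docx": (0, b"PK\x03\x04"),
}
EXPECTED_KIND = {"mp4": "mp4/mov", "mov": "mp4/mov", "mkv": "mkv/webm", "webm": "mkv/webm",
                 "avi": "avi", "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf",
                 "zip": "zip/docx", "docx": "zip/docx"}


def shannon_entropy(data):
    """Bits per byte of `data` (0.0 for empty or constant input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def identify(head):
    """Return the kind whose magic bytes match the header, or None."""
    for kind, (offset, magic) in SIGNATURES.items():
        if head[offset:offset + len(magic)] == magic:
            if kind == "avi" and head[8:12] != b"AVI ":
                continue
            return kind
    return None


def triage_file(path):
    """Classify one file as intact, type-mismatch, header-encrypted or unrecognized."""
    with open(path, "rb") as f:
        head = f.read(HEADER_BYTES)
    kind = identify(head)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    expected = EXPECTED_KIND.get(ext)
    entropy = shannon_entropy(head)
    if kind is not None and (expected is None or kind == expected):
        verdict = "intact"              # signature present and consistent with the extension
    elif kind is not None:
        verdict = "type-mismatch"       # recognizable header, but not what the extension says
    elif entropy >= ENTROPY_THRESHOLD:
        verdict = "header-encrypted"    # no signature and the header looks like ciphertext
    else:
        verdict = "unrecognized"        # no signature, but low entropy: probably just unknown
    return {"kind": kind, "entropy": round(entropy, 2), "verdict": verdict}


def triage_directory(directory):
    return {name: triage_file(os.path.join(directory, name))["verdict"]
            for name in sorted(os.listdir(directory))}


def build_samples(directory):
    """Write constructed sample files (not real victim data) into `directory`."""
    body = bytes(range(256)) * 64                       # 16 KiB standing in for media payload
    rng = random.Random(2013)                           # fixed seed keeps the demo reproducible
    scrambled = bytes(rng.getrandbits(8) for _ in range(HEADER_BYTES))
    files = {
        "holiday.mp4": b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2" + body,
        "holiday_damaged.mp4": scrambled + body,       # first 8K replaced, rest untouched
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + body,
        "renamed.png": b"%PDF-1.4\n" + body,           # a PDF wearing a .png extension
        "notes.txt": b"Shopping list: milk, eggs, bread\n" * 200,
    }
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    return files


def demo():
    directory = tempfile.mkdtemp(prefix="ransom_triage_")
    build_samples(directory)
    return triage_directory(directory)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:18} {name}")
```

The entropy check only matters when no signature is found: compressed media such as MP4 or JPEG bodies are themselves close to 8 bits/byte, so entropy alone cannot distinguish an intact video from a scrambled one, which is why the signature test comes first and entropy is used only to separate "header-encrypted" from "unrecognized". Files that land in the header-encrypted bucket with an otherwise untouched body are the ones worth handing to a format-specific repair tool.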
 
Sometimes yes, often no. I was hit with a UK version (the "Ukash" or "Metropolitan Police" virus) in January of 2013. The infamous splash screen appeared at 10AM. I was VERY angry, because I got the virus in a very stupid manner: I had let a friend use my laptop to read her email, and she was too stupid not to click on some random supposedly amusing supposedly YouTube supposed video. In any case, I immediately switched the machine off and did a System Restore, and within minutes it was as if nothing had ever happened...

"AS IF", I say, because that evening when I went back to check that truly things were OK, I only then noticed the ransom note on my desktop. To make a long story short, several thousand files had been encrypted during the 20 minutes or so preceding the splash screen. I have no idea how some files were chosen for encryption and others were not.

In fact, at the time, I didn't realize that System Restore can protect documents as well as system files. I found this out rather randomly some time later when I noticed the "restore" tab in the properties of an affected file. I was so thrilled, I thought that all I had to do when I came across an infected file would be to restore it. I didn't realize that System Restore periodically/occasionally 'refreshes' its restore copy. If I had immediately restored each infected file, I would have got them all back. I didn't, of course, because I didn't want to restore any intact files (and risk losing recent changes). Without realizing it, as time went on, more and more of the 'good' restores got replaced by shadow copies of the infected file. By the time I realized what was happening, it was more a case of "what had happened". About 1000 files were lost forever. Since this happened in January 2013, I doubt that the Kaspersky tool will help me.

Actually, many of the files were videos, and I see from looking at the files that in fact the virus does so much damage because it DOESN'T encrypt the whole file. It seems just to encrypt the first 8K or so. But for many video file formats, a file of 4GB+ can be rendered useless by randomizing just this first 0.02% of the file. If anyone knows of a tool for creating a good header for such a video file by guesswork, heuristics, and open access to the last 99.98% of the video, I would be grateful for a pointer to it.

Moral of the story: Sometimes System Restore really can be your friend. But you have to use it if you want it to do something :). Oh well

scott
You went to so much effort and explained in so much detail that I have to give you a like for this. Thanks.
 