What now? Ransomware victim pays hacker, but decryption key fails

Alfonso Maruccia

Staff
Bottom line: Victims of ransomware attacks are typically advised not to pay the ransom demanded by cybercriminals. Paying up offers no guarantee that the attackers will uphold their end of the deal, such as restoring access to the encrypted files.

GuidePoint Security recently acted as a "negotiator" between an unnamed company and the group behind the Hazard ransomware. The malware infected the victim's systems, encrypting "important" files and demanding payment to unlock them. The company reportedly felt compelled to pay, but the "decryptor" provided by the Hazard creators didn't work as expected.

While dealing with unreliable decryptors isn't common, GuidePoint explained, things in the malware world can sometimes behave unpredictably. After negotiating with the cybercriminals, the researchers were tasked with investigating why the newly acquired decryption tool was unable to restore the encrypted files.

The root cause was a bug in the encryption payload used by the Hazard ransomware. "A race-condition occurred when the threat actor executed multiple encryptors on the same system," GuidePoint determined. Each file was encrypted a second time before being renamed with a new extension, resulting in missing bytes within a chunk of data appended to the original file.

The appended data was required to recover the encryption initialization vector (IV), but the last three bytes were missing after encryption. Since the IV was pseudo-randomly generated by the encryption payload, retrieving the missing bytes initially seemed impossible.

The ransomware creators were likely unaware of this bug in their malware. After identifying why the decryptor wasn't functioning, GuidePoint attempted to escalate the issue with the Hazard "technical support" team. However, the threat actors merely provided the same decrypting tool under a different name before disappearing.

As the encrypted files were valuable, GuidePoint was tasked with developing a working solution. The researchers succeeded by adopting a brute-force approach, testing all possible combinations for the missing bytes in the IV, ultimately recovering the clean files.
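As an added illustration (not GuidePoint's or Hazard's code), the recovery approach the article describes: brute-force the missing IV tail and accept the candidate whose plaintext passes an integrity check. It assumes CBC mode (the article names neither the cipher mode nor how candidates were verified), uses a constructed file format whose last four bytes are a CRC32 trailer as that check, and substitutes an HMAC-SHA256 Feistel block cipher for AES so it runs on the standard library alone.

```python
import hashlib, hmac, zlib

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # round function of the stand-in cipher
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_cipher(key, block, decrypt=False):  # 4-round Feistel standing in for AES-128
    l, r = block[:8], block[8:]
    for rnd in range(3, -1, -1) if decrypt else range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l  # final swap: running the rounds backwards through the same routine inverts it

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_cipher(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def checksum_ok(pt):  # constructed format: last 4 bytes are the CRC32 of everything before
    return zlib.crc32(pt[:-4]) == int.from_bytes(pt[-4:], "big")

def recover_iv(key, ct, iv_prefix, valid=checksum_ok):
    """Brute-force the IV bytes lost from the appended footer (CBC assumed). Only the first
    block depends on the IV (P1 = D_k(C1) XOR IV), so decrypt the rest once, re-derive P1."""
    missing = BLOCK - len(iv_prefix)
    d1 = block_cipher(key, ct[:BLOCK], decrypt=True)
    rest = b"".join(_xor(block_cipher(key, ct[i:i + BLOCK], decrypt=True), ct[i - BLOCK:i])
                    for i in range(BLOCK, len(ct), BLOCK))  # blocks 2..n, IV-independent
    for tail in range(256 ** missing):
        iv = iv_prefix + tail.to_bytes(missing, "big")
        pt = _xor(d1, iv) + rest
        if valid(pt):  # accept only when the whole plaintext validates
            return iv, pt
    return None

def demo(missing=2):
    key, iv = b"constructed demo key", b"constructed iv!!"  # constructed sample; 16-byte IV
    text = b"Hazard IV demo: constructed ledger contents"
    body = text + b"." * (-(len(text) + 4) % BLOCK)  # pad so body + trailer fills whole blocks
    pt = body + zlib.crc32(body).to_bytes(4, "big")
    ct = cbc_encrypt(key, iv, pt)
    # Simulate the truncated footer: only the first BLOCK - missing IV bytes survive.
    # Two missing bytes keeps the demo quick; the Hazard case lost three (2^24 candidates).
    return recover_iv(key, ct, iv[:BLOCK - missing]) == (iv, pt)
```

Because only the first plaintext block depends on the IV, the check that accepts a candidate must be sensitive to exactly those bytes, which is why this uses whole-file validation rather than a header magic alone.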

Costs associated with ransomware incidents are on the rise, and even "zombie" malware operations like LockBit 3.0 continue to claim victims. After dealing with a faulty decryption tool, GuidePoint emphasized that ransom payments should never be made. Adopting best practices for data backups is crucial, and even backing up encrypted data can be helpful in unique situations like the recently disclosed Hazard incident.

 
I went to a cybersecurity conference and you know what the industry professionals said in the ransomware panel?

Never involve law enforcement and always pay the ransom or you'll never get your data back. I found that rather unsatisfying; instead of focusing on proper backup methods, they pushed that narrative.

Then again, the speakers were much like the folks in this article, negotiators or mediators who represent you when dealing with the cyber scammers.
 
> I went to a cybersecurity conference and you know what the industry professionals said in the ransomware panel?
>
> Never involve law enforcement and always pay the ransom or you'll never get your data back. I found that rather unsatisfying; instead of focusing on proper backup methods, they pushed that narrative.
>
> Then again, the speakers were much like the folks in this article, negotiators or mediators who represent you when dealing with the cyber scammers.

Or you know, they are probably the ones doing the encrypting. Bit like big pharma, cause the problem and sell the solution...
 
"We paid the criminals the ransom, the decryptor didn't fix it, and they've now run off with the money, do these people have no shame or honesty??"

The irony writes itself, it's like a burglar saying he is only "borrowing" your things and you believe him...
 
> I went to a cybersecurity conference and you know what the industry professionals said in the ransomware panel?
>
> Never involve law enforcement and always pay the ransom or you'll never get your data back. I found that rather unsatisfying; instead of focusing on proper backup methods, they pushed that narrative.
>
> Then again, the speakers were much like the folks in this article, negotiators or mediators who represent you when dealing with the cyber scammers.
Probably cyber-criminals themselves or working with them.
 
Backup.
Backup off-site.
Backup off-site in different location.
Restore from backups regularly.
Validate restored backups.

No backup is a backup until it's restored.

The intruders get your data encrypted, and your backups have your backup encrypted... for days, even for months.

They ensure that you don't have backups before they turn the switch and you get the notification that you are hacked.

 
> "We paid the criminals the ransom, the decryptor didn't fix it, and they've now run off with the money, do these people have no shame or honesty??"
>
> The irony writes itself, it's like a burglar saying he is only "borrowing" your things and you believe him...
Well yes. But if you think about it, it's in their interest to give decryption keys to victims who paid. If people see that they can get their data back by paying, they will.
 
> Probably cyber-criminals themselves or working with them.
I constantly tell people: two flash drives for bootable media, two external hard drives (one of which you never connect to your computer while it is connected to the internet), and True Image or some other comparable imaging software for creating backups. The reason for two flash drives and two external hard drives? You need two copies of a backup, one for each external hard drive, and because flash drives and hard drives fail, you need two; two drives never fail at the same time.
 
Show me where I am wrong? Of course, just a conspiracy theory for the virus companies.
Virus companies, and tech magazines, make money by reporting these viruses or possible viruses. Truth is, most end users do NOT get that many viruses, unless they are visiting sites they shouldn't be visiting or sites that are well known for viruses. Porn sites, etc... You can avoid most of this by smart "clicking" practices, and certainly not clicking on emails from those you don't know, etc... Using a good image and cloning software is paramount. Diligence always pays off at some point. I lost 1TB of movies years ago! And, while I got most of them back, I vowed that would never happen again. I bought an Acronis True Image disc ($23) in 2013. It still works on my Windows 7 Pro machine. You don't have to update, or renew like you do now.
 
> Virus companies, and tech magazines, make money by reporting these viruses or possible viruses. Truth is, most end users do NOT get that many viruses, unless they are visiting sites they shouldn't be visiting or sites that are well known for viruses. Porn sites, etc... You can avoid most of this by smart "clicking" practices, and certainly not clicking on emails from those you don't know, etc... Using a good image and cloning software is paramount. Diligence always pays off at some point. I lost 1TB of movies years ago! And, while I got most of them back, I vowed that would never happen again. I bought an Acronis True Image disc ($23) in 2013. It still works on my Windows 7 Pro machine. You don't have to update, or renew like you do now.
You don't even need anti-virus for personal users, just a good ad-block will be enough.
In rare occurrences, software from reputable websites can have viruses as well. No one is 100% safe, of course, but the bad actors usually go for larger targets for more money.
ScammerPayback channel doing god's work.
