When You Pay A Ransom And The Decryptor Doesn’t Work

For C-suite execs and security leaders, discovering your organization has been breached by network intruders, your critical systems locked up, and your data stolen, and then receiving a ransom demand, is probably the worst day of your professional life.

But it can get even worse, as some execs who had been infected with Hazard ransomware recently found out. After paying the ransom in exchange for a decryptor to restore the encrypted files, the decryptor did not work.

The Register did not talk to the victim organization in this case – its executives declined to be interviewed about their experience – so we don’t know the specifics.

Still, we assume that coming to the conclusion that the best way out of the situation was to pay the extortionists – for concerns about customers’ and employees’ data privacy, or to bring business operations back online, or to minimize reputational damage, or because there just weren’t any backups (oops) – was a pretty painful decision in itself.

But then to pay the criminals and still not be able to recover the files? That’s excruciating.

“Ransomware as a whole is extremely stressful for the victim,” said Mark Lance, ransomware negotiator with GuidePoint Security. “Now in this circumstance, specifically, where they’ve made the payment and the decryption tools don’t work,” the stress levels ratcheted up several notches.

We had two that occurred, where the decryption tools didn’t work, in the span of the week.

“In this, and in a lot of situations like this one, they’re relying heavily on those decryption capabilities working on certain systems so that they can recover operations,” Lance told The Register.

“So the stress substantially increases because they’re like, ‘Hey, we made this large ransom payment amount with established terms that said if we paid we’re going to get access.'”

After first having no success unscrambling their files, the infected organization obtained an updated version of the decryptor from the criminals, but that wasn’t working either. A third-party company that had been involved in the ransomware negotiations called in GuidePoint, which first tried the criminals’ “technical support” desk and told them that the victim needed a different version of the decryptor.

But instead of providing a tool to unlock the encrypted files, the criminals sent over a renamed version of the previous decryptor. “And at that point, they went quiet and were no longer communicating with the victim,” Lance said. “I think, in this instance, it was probably over the heads of the technical support team.”

Whatever the reason, the org couldn’t access the locked files, and the Hazard ransomware crew disappeared. Eventually, GuidePoint was able to patch the decryptor binary and then brute-forced 16,777,216 possible values until some crucial missing bytes in the cryptographic process were determined, ultimately producing a working tool for decrypting the files.

It’s a good reminder, however, that paying a ransom isn’t a guarantee of data recovery.

What to expect when you’re decrypting

“One of our primary tasks is educating the victims on what they can expect and what is going to transpire as part of the ransomware incident,” Lance explained.

“We’re also always establishing that regardless of anything that is agreed to, you’re still dealing with criminals – these are the same people who are extorting you for money. Despite how they love to talk about how they’re doing you favors, and they have a 100 percent success rate for decryption, you’re dealing with cyber criminals, so you can’t trust them.”

The frequency of instances like this, where the decryptor doesn’t work, “ebbs and flows,” he added.

GuidePoint hadn’t had it happen in months during the ransomware negotiations and incident responses the team had performed, “but then we had two that occurred, where the decryption tools didn’t work, in the span of the week.”

Some of the more “sophisticated” ransomware-as-a-service groups have internal technical support teams to perform more advanced troubleshooting. Lance noted his team has seen these crews escalate the problem to the more technically advanced members of the crime gang when things break – just like a regular, non-criminal IT operation.

There’s also the newbies and the less sophisticated crews that lack the technical skills or even the reputational concerns – more about that in a moment – to even attempt next-level data recovery activities.

Ultimately, the reasons why decryption tools don’t work vary. In the Hazard ransomware incident, the decryptor had a bug. Sometimes gangs provide a tool for the wrong IT environment, also rendering it useless. Or sometimes they just decide to screw over the victims. 

That last situation doesn’t happen too frequently – this is a business for these crooks, and if they earn a reputation for not decrypting data even after receiving a ransom payment, they aren’t going to continue making much money off future victims.

All of these factors should be taken into consideration by infected businesses, and they play into the education piece that GuidePoint and other incident responders bring to victims once they’ve been hit.

“We have made a lot of progress in education and awareness,” Lance explained. “People understand that this is not just a security or IT problem, but it is a business problem, and people are seeing the true impacts associated with ransomware.”

He added that while there used to be more of a stigma attached to disclosing ransomware attacks, “we’re seeing more of a trend where people are saying we are being impacted, so let’s make sure that other people have the opportunity to learn and leverage what we are going through so hopefully they don’t.” ®

READ MORE HERE