On Nov. 2 the Russian-based cyber security firm, Kaspersky, publicly released all 14,000 decryption keys required to unlock files encrypted by the CoinVault and Bitcryptor ransomware. In doing so they gave victims a tool to retrieve files without paying up. Kaspersky considers both the variations of ransomware dead as all the decryption keys required to unlock systems infected with the malware are now in the public domain. Victims can find the Kaspersky ransomware tool here.
Ransomware is malicious code sent by cyber crooks to lock the victim out of their computer system. Targets can be simple home users or the enterprise-wide network of a major company. The malware might enter the system from an email attachment or through a rogue website. Once activated, users will see a screen with the demands of the thieves. Paying the ransom is usually by Bitcoin or Western Union – both untraceable.
Ransomware often masquerades as a notice from the FBI or another law enforcement agency, claiming the victim has been involved in illegal activity — such as viewing child pornography — in an attempt to frighten people into paying a ransom to unlock their systems. While victims know they have not engaged in any illegal activity, the threat makes them fearful of going to the authorities.
The authors of these malware codes are under arrest and unlikely to refine the codes. Unfortunately CoinVault and Bitcryptor are not the only ransomware codes out there. This writer sought out the opinions of three experts in the field, two of whom assist victims of identity theft as part of their work. We asked a number of questions ranging from what victims should do to how this release of keys from Kaspersky will help fight cyber thieves.
Adam Levin, Chairman and Founder of IDT911, had mixed feelings. “While this is good news for potential victims of these virulent types of malware (and once again Kaspersky has earned a well-deserved shout out), in light of the persistence, creativity and sophistication of the hacking community I am not sure a long victory dance is warranted.
“The online world is a veritable petri dish for all type of malware and hackers will simply be on to the next. I believe that the ransomware epidemic is less about theft of information and more about data hijacking for purposes of extortion. There would be little incentive to pay if data was purloined and disseminated regardless of payment.”
According to McAfee’s 2015 Threat Report, ransomware is on the rise and “will evolve its methods of propagation, encryption, and the targets it seeks.” In Q1 2015, the company’s security team witnessed a huge rise in ransomware, especially within the CTB-Locker, CryptoWall, TorrentLocker, BandarChor and TeslaCrypt malware families. Over 800 command-and-control (C&C) centers of CryptoWall 3.0 have already been discovered. Levin agreed with the conclusions of the McAfee report, saying that ransomware will reach “trend status as we enter 2016.”
Ryan Stolte, Co-Founder and Chief Technology Officer at Bay Dynamics, warned unwary victims who think they can now easily recover their data. “Being able to decrypt your valuable information without having to pay a ransom is extremely beneficial; however, it doesn’t solve the larger problem. If you have been hit with ransomware, it means you are under attack. Someone is inside your network. They know which pieces of information are important to you. And, they will continue to attack.
“Oftentimes, when victims decrypt their data, their first inclination is to move it elsewhere – a place where it will be safe. However, that approach can backfire. If you move your data elsewhere, you are spreading the disease. A criminal is on the inside and you need to figure out how to get them out. Don’t get a false sense of security because you have your data back. The criminal is still there.”
Jay Foley of ID Theft Info Source urged victims to seek professional assistance in cleaning their systems, whether they are an individual or a business. “The subject of ‘who do you have to inform’ will be high on the list of topics. There will be those who wish to keep it as an internal matter for the company. There will be some who advocate informing the public and/or law enforcement. My recommendation is to inform the FBI cyber unit in your area and allow them to guide you as to whom else you may need to notify. The key here is that if you attempt to operate under the radar, so to speak, the hackers will have something else that they can release to embarrass the company.”
Foley mentioned that he had just had a victim of ransomware contact him on Nov. 5. He told her to find a local software recovery specialist. They have the ability to test your computer, break the ransomware lock and remove all malware. “After you have your access restored, consider all items on your computer that might be of use to the hacker/thieves. This includes online banking and credit card accounts, including those used for e-commerce purchases. Watch accounts for any transactions that you did not make. If unauthorized activities occur, close that account immediately and notify any companies that auto debit from that account. Finally, consider getting a new email address and notifying everyone not to trust any emails sent from your old address. The thief may have made copies of your address book and could send out malware to everyone on it.”
All our experts recommend that you remain calm. A calm, cool head will help you cover all of the bases as well as possible. Adam Levin’s final suggestion included a prevention tip. “One best practice to minimize the risk of dealing with the trauma and potential dislocation of a ransomware attack is for consumers and employees to use utmost caution before clicking on a link. Another best practice is to frequently back up files.”
Stolte also addressed prevention education. “If you are a business, you need to identify the insiders – employees and third party vendor users – who are making your organization susceptible to these attacks. You need to monitor and analyze how your insiders are behaving daily; what data they access, how do they get access to that data, who do they typically correspond with, etc.” Beyond that, he recommended additional cyber awareness education for all employees and vendors.
Remember that decrypting the files the malware locked and regaining access to your computer is only a first step. The thief is still inside your computer like a bad fungus. Get rid of the malware completely, then start strengthening your security by using strong passwords, not opening attachments before confirming the sender actually forwarded them to you, and being cautious of websites that advertise something too good to be true.