Cops, Researchers Fight Ransomware

Tuesday, July 26, 2016 @ 05:07 PM gHale


With ransomware continuing to surge on a worldwide basis, law enforcement and security companies launched a “No More Ransom” program in an effort to wipe out the growing problem.

In the EU, the Dutch National Police and Europol joined with Intel Security and Kaspersky Lab to spearhead the effort.


Ransomware remains a big threat in the EU, where almost 66 percent of member states are conducting investigations into these types of attacks.

While the target is often individual users’ devices, corporate and even government networks suffer from the attacks.

The number of victims is growing at an alarming rate: according to Kaspersky Lab, the number of users attacked by crypto-ransomware rose by 550 percent, from 131,000 in 2014-2015 to 718,000 in 2015-2016.

The goal of No More Ransom is to provide users with tools that may help them recover their data once an attacker locks it up. In its initial stage, the portal contains four decryption tools for different types of malware, the latest developed in June 2016 for the Shade variant.

Shade is a ransomware-type Trojan that emerged in late 2014. The malware spreads via malicious websites and infected email attachments. After getting into the user’s system, Shade encrypts files stored on the machine and creates a .txt file containing the ransom note and instructions from the cybercriminals on what to do to get the user’s personal files back. Shade uses a strong encryption scheme for each encrypted file, generating two random 256-bit AES keys: one is used to encrypt the file’s contents, while the other is used to encrypt the file name.

Since 2014, Kaspersky Lab and Intel Security have prevented more than 27,000 attempts to attack users with the Shade Trojan. Most of the infections occurred in Russia, Ukraine, Germany, Austria and Kazakhstan. Shade activity was also registered in France, the Czech Republic, Italy, and the U.S.

By working closely together and sharing information between the different parties, the Shade command and control server used by the criminals to store the decryption keys was seized, and the keys were shared with Kaspersky Lab and Intel Security. That made it possible to create a special tool, which victims can download from the No More Ransom portal, to retrieve their data without paying the criminals.

The project is a non-commercial initiative aimed at bringing public and private institutions under the same umbrella. Due to the changing nature of ransomware, with cybercriminals developing new variants on a regular basis, this portal is open to new partners’ cooperation.