Ransomware victims can take advantage of two new tools released by security firms that can recover data for free. As a result, victims won't even have to consider whether they should pay criminals a ransom in an attempt to recover their forcibly encrypted data.
Moscow-based Kaspersky Labs has released a free decryptor for Jaff ransomware, while Prague-based Avast has released a free decryption tool for EncrypTile ransomware.
Both firms urge victims to first disinfect their PCs using security software before attempting to download and run any decryptors.
The Jaff decryptor was built thanks to Fedor Sinitsyn, a senior malware analyst at Kaspersky Labs, discovering a weakness in the ransomware. The free decryption tool for unlocking files - RakhniDecryptor version 126.96.36.199 - is one of many being distributed via the No More Ransom project, of which Kaspersky Lab is a member.
"We have found a vulnerability in Jaff's code for all the variants to date," Sinitsyn tells Information Security Media Group. "Thanks to this, it is now possible to recover users' files (encrypted with the .jaff, .wlu, or .sVn extensions) for free."
Jaff is a new strain of ransomware that "came out of nowhere with a huge bang" last month, write Cisco Talos researchers Nick Biasini, Edmund Brumaghin, Warren Mercer and Colin Grady in a report published last month.
Locky Declines, Jaff Rises
The ransomware is being distributed via "multiple high volume spam campaigns" by the Necurs botnet, which had formerly distributed Locky ransomware, they say (see Spotted: Surprising Lull in Locky and Dridex Attacks). The researchers say it's possible that Jaff is the work of the Locky gang, but note that Jaff has few code-level similarities with Locky, meaning it could also be the work of a different group entirely.
The spam emails have a PDF attachment "with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware," the researchers write.
"Similar to what we saw with recent Locky campaigns, when the PDF attempts to open the embedded Microsoft Word document, the victim is prompted to approve the activity," the researchers write. "Requiring user interaction to continue the infection process could be an attempt to evade automated detection mechanisms that organizations may have deployed as no malicious activity occurs until after the user approves. In sandbox environments that are not configured to simulate this activity, the infection may never occur, and could result in the sandbox determining that the file is benign when the reality is that it is malicious, the infection was just simply not triggered."
If Jaff ransomware successfully encrypts a PC, it demands from 0.5 to 2 bitcoins - from $1,500 to $5,000 at current market rates - Kaspersky Labs' Sinitsyn says. He says the greatest number of Jaff victims have been seen in China, India, Russia, Egypt and Germany.
As of Thursday, at least one bitcoin address associated with the ransomware had received 10.49 bitcoins - worth about $26,000 - via 155 separate transactions. It's not clear what that might represent, although some ransomware gangs will allow victims to negotiate a discount (see Ransomware Gangs Take 'Customer Service' Approach).
EncrypTile victims can also avail themselves of a free decryption tool.
Dominika Kalašová, a spokeswoman for Avast, tells Information Security Media Group that Ladislav Zezula, a reverse engineer for Avast, "found a weak spot in the encryption scheme" that allowed the company's security researchers to build a tool to crack the crypto used by EncrypTile.
Avast's EncrypTile decryptor is one of 20 free decryption tools the security firm offers. The company joined the No More Ransom project in April.
Files encrypted by the ransomware have "EncrypTile" added to the filename, before the extension, Avast says. For example, "invoice.pdf" will be encrypted as "invoice.pdfEncrypTile.pdf" and then the original file deleted.
A sample of the ransomware lock screen published by Avast demands a ransom payment of 0.0415 bitcoin - worth about $100 at current exchange rates - to unlock files, and gives victims three days to pay.
The bitcoin wallet identified in the sample posted by Avast received a single payment in that exact amount on May 29. Many ransomware developers use a unique bitcoin address for each infection, to more easily trace when victims have paid.
Avast says the ransomware references a whitelist of Windows process names, and kills anything that's not on its list whenever it tries to start, to foil the use of security or diagnostic tools that might be used to arrest the infection. The security firm says the ransomware also kills the "consent.exe" process in Windows that enables a user to approve or decline changes to a system. "As a result, no administrator access can be granted and the user is stuck in the Admin Approval mode, unable to carry out any actions as the administrator," Avast says.
The No More Ransom site allows ransomware victims to upload an encrypted file, and will then identify if a free decryption tool can help (see 'No More Ransom' Portal Offers Respite From Ransomware).
When encryption tools are not available, however, the refrain from security experts and law enforcement agencies such as the FBI is to never pay. Instead, experts urge individuals and organizations to maintain offline backups of critical data and to regularly test-restore those backups to ensure they work.
"The general advice is not to pay the ransom," according to the No More Ransom project website. "By sending your money to cybercriminals you'll only confirm that ransomware works, and there's no guarantee you'll get the decryption key you need in return."
Efforts such as No More Ransom are designed to help victims not even having to consider whether or not they'll pay. The project counts numerous security firms and law enforcement agencies as members, and it uses equipment provided by Barracuda Networks and hosting from Amazon Web Services.
"No More Ransom is an initiative whereby likeminded individuals with the same outlook on the world today say, we're going to work collaboratively, we're going to put all of the commercial pressures to one side and we're going to collaborate on identifying on where the criminal infrastructure is held," says Raj Samani, chief scientist at anti-virus firm McAfee.
Up to Victims
Many legal experts are often careful to note that the final decision - to pay or not - remains up to affected individuals (see Ransomware: Is It Ever OK to Pay?).
Last month, in the wake of WannaCry, a tweet from Britain's National Crime Agency appeared to suggest otherwise.
Reached for clarification, an NCA press officer told ISMG that there do not appear to be any British laws that would penalize victims who pay a ransom. "I'm not aware of anything in law," he said. "Obviously our guidance remains not to pay as you're unlikely to get your files back even if you do."
That was especially true for WannaCry, because coding errors meant that attackers would have to field victims' payments manually, making it unlikely that they would honor such requests (see Teardown: WannaCry Ransomware).