Ransomware is the number one cyber threat right now. Over the years many threat actors have shifted from using ransomware as an opportunistic attack to running targeted, enterprise-focused campaigns. Most variants use asymmetric encryption, meaning the threat actor holds the private key, forcing you to either pay the ransom or lose your data. A third option is to break the encryption, but that is … really hard to do.
To battle this ongoing threat, the No More Ransom project was created. Its goal is to provide a tool that you upload encrypted files to in order to identify any available decryptor. If you are lucky, a decryptor will be provided, allowing you to recover your data. Decryptors are created by various members of No More Ransom, including Kaspersky, McAfee and law enforcement agencies. BleepingComputer posted about this group HERE. That article also includes links to the tool.
My view is that if you require a decryptor, you need to step back and address the bigger picture. First, you need to identify how the ransomware got into your network and onto your endpoints. Getting your data back is great, but not fixing the problem that let the ransomware in will lead to future infections that you won't have a decryptor for. You need to SCOPE the situation, CONTAIN where the impact has occurred and REMEDIATE any impacted systems.
The second thing you need to consider is that many ransomware infections do more than install ransomware. They also install back doors, key loggers, etc., or are sometimes just a distraction for the SOC while another attack is occurring. You need to analyze an impacted system along with your security logs to identify any other incidents. I've posted about Joe Sandbox being a free malware analysis tool HERE via my RSA talk.
Third, you need to validate that your data recovery is functioning and not itself impacted. It is possible the data recovery tool won't work, or that you will lose some data during the recovery process. It is common for organizations that pay a ransom to still lose a large amount of data.
Finally, you need to consider any compliance or other regulatory impact regarding what you need to announce. Some compliance requirements mandate notification of any compromise, even if the data is being recovered. It is also a good time to contact your cyber insurance agent.
In short, it's great that you may be able to recover your data after a ransomware infection; however, you need to launch a full incident response and be careful about the data being recovered before putting it back in play. Hope this helps, and thumbs up to the No More Ransom group, which has recovered data for millions of victims.