
Ransomware decryptors and blockers not always a help to victims

Ransomware victims still find themselves in the unfortunate position of having to decide whether or not to fork over ransom payments, despite new tools that have come online to help victims both before and after attacks.

The latest organization to find itself in this uncomfortable position was Los Angeles Valley College (LAVC), which was forced to pay a $28,000 ransom after its computer system was infected with ransomware during the holiday break. After consulting with outside security experts and law enforcement, the school decided its only course of action was to bow to the cyberattackers' demands.

“In consultation with district and college leadership, outside cybersecurity experts and law enforcement, a payment was made by the District. It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost,” LAVC wrote in a public statement on the incident.

Barkly and Trend Micro, along with several other organizations, offer decryptor tools designed to decrypt files affected by ransomware. These tools, however, are only useful against certain ransomware variants and cannot help someone hit with a new variety of the malware.

“In general, organizations should not depend upon decryptors as a fallback. Decryptors are, by their nature, developed after a ransomware package has become known, will only be available for a subset of the total ransomware attack universe, and will not help early victims,” Barkly CTO Jack Danahy told SC Media.

LAVC has not disclosed what type of ransomware was involved, nor has it yet responded to queries on whether it attempted to use a decryptor. Based on the information available, Danahy thought it might be Samsam.

“For companies that have fallen victim to a supported ransomware variant, these types of decryption tools can save the day and help them avoid making the tough call that Los Angeles Valley College just made,” said Trend Micro's Mark Nunnikhoven, VP of cloud research. “It's unfortunate that Los Angeles Valley College ended up paying the ransom but understandable if they had no alternative.”

LAVC first noted a problem with its system on December 30, when its IT staff detected the malware. The school quickly implemented its cybersecurity protocol, which brought in outside help from security experts and law enforcement. At the same time, a ransom note appeared demanding that $28,000 be paid in Bitcoin within seven days or the decryption keys would be deleted, permanently locking the files. LAVC decided to pay the ransom.

Whether or not to pay the ransom is still a controversial decision, but one action that every cybersecurity executive says will work is backing up an organization's data or using a ransomware prevention tool.

Cybereason has rolled out a free Behavioral-Based Ransomware Blocking application that can help discover and stop an attack before it runs its course and encrypts the files.
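To make concrete what a "behavioral" ransomware blocker looks for (as opposed to matching a known variant's signature), the following is an added example written for this page; it is not Cybereason's product or any vendor's code. It runs a simple detector over a constructed stream of file-activity events: a process that rewrites many files with near-random (high-entropy) content and renames them to a new extension within a short window is flagged, while a user editing a couple of documents is not. The event format, process names, paths and thresholds are all assumptions chosen for the illustration.

```python
import math
from collections import defaultdict

# Constructed sample endpoint telemetry (not real data): one event per file
# write or rename, in the shape a lightweight file-activity sensor might emit.
#   (t_seconds, pid, process_name, action, path, payload)
# payload is the written bytes for "write" events and the new path for "rename".
TEXT = b"Quarterly budget summary: revenue up 4%, costs flat. Draft v3.\n" * 4
HIGH_ENTROPY = bytes(range(256)) * 4  # uniform byte distribution: 8.0 bits/byte


def _benign_events():
    # A user editing two documents over a minute: few files, low entropy.
    return [
        (0.0, 4242, "winword.exe", "write", "C:/Users/ana/Docs/budget.docx", TEXT),
        (31.5, 4242, "winword.exe", "write", "C:/Users/ana/Docs/budget.docx", TEXT),
        (58.0, 4242, "winword.exe", "write", "C:/Users/ana/Docs/notes.docx", TEXT),
    ]


def _malicious_events():
    # An unknown process (hypothetical name) rewriting 40 files with
    # random-looking bytes and renaming each to a new extension within seconds.
    events = []
    for i in range(40):
        t = 100.0 + i * 0.1
        path = f"C:/Users/ana/Docs/file{i}.docx"
        events.append((t, 1337, "svc_update.exe", "write", path, HIGH_ENTROPY))
        events.append((t + 0.01, 1337, "svc_update.exe", "rename", path, path + ".locked"))
    return events


SAMPLE_EVENTS = _benign_events() + _malicious_events()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: encrypted output sits near 8.0, English text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_ransomware_behaviour(events, window_s=10.0, min_files=20,
                                min_entropy=7.0, min_renames=20):
    """Return {pid: (process_name, reasons)} for processes whose activity inside
    any window_s-second window looks like bulk encryption. Thresholds are
    illustrative assumptions, not tuned values."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_pid[ev[1]].append(ev)

    alerts = {}
    for pid, evs in by_pid.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] spans <= window_s.
            while evs[end][0] - evs[start][0] > window_s:
                start += 1
            window = evs[start:end + 1]
            written = [e for e in window if e[3] == "write"]
            # Renames that change the file extension (e.g. .docx -> .docx.locked).
            renamed_ext = [e for e in window if e[3] == "rename"
                           and e[5].rsplit(".", 1)[-1] != e[4].rsplit(".", 1)[-1]]
            distinct = {e[4] for e in written}
            reasons = []
            if len(distinct) >= min_files:
                mean_ent = sum(shannon_entropy(e[5]) for e in written) / len(written)
                if mean_ent >= min_entropy:
                    reasons.append(f"{len(distinct)} files rewritten with mean entropy "
                                   f"{mean_ent:.2f} bits/byte within {window_s:.0f}s")
            if len(renamed_ext) >= min_renames:
                reasons.append(f"{len(renamed_ext)} files renamed to a new extension "
                               f"within {window_s:.0f}s")
            # Keep the window that produced the most evidence for this process.
            if len(reasons) > len(alerts.get(pid, ("", []))[1]):
                alerts[pid] = (evs[0][2], reasons)
    return alerts


if __name__ == "__main__":
    for pid, (name, reasons) in detect_ransomware_behaviour(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} ({name}): " + "; ".join(reasons))
```

Run as-is, the script reports only pid 1337. The point of the example is the one the article makes about decryptors: a detector keyed to the behaviour (mass high-entropy rewrites plus extension changes) needs no knowledge of the specific ransomware family, which is why it can act on a new variant before any decryptor exists. Real products add process lineage, canary files and the ability to suspend the offending process; the thresholds here would need tuning against real file-activity baselines.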

“With ransomware, prevention is the best approach. You can get more details on the recommended steps from the "The No More Ransom Project" which is a joint effort between leading IT security companies—including Trend Micro—and global law enforcement agencies,” said Nunnikhoven.

School officials said the decryption key provided by the cybercriminals after the payment was made has worked, and they are in the process of unlocking the thousands of files affected by the attack.

The FBI and most research firms warn against paying the ransom as there is no guarantee the data will be unlocked or that the attackers will not come back and demand more money. However, another school of thought sees the value in organizations budgeting money to pay ransoms.

Tom Kemp, CEO of Centrify, predicted to SC Media, “After a hugely successful 2016, we'll see additional increases in ransomware. And as a result, companies may start to actually budget money to buy back their own data after a ransomware event. As long as the majority of ransoms remain relatively low, companies will continue to pay them, and they may do so without involving law enforcement to avoid disruption of their businesses and blemishes to their brands.”

“There's no guarantee that after paying you will get the key to your data. We've seen incidents where criminals simply demand more money after seeing that you're willing to pay. This is a financially motivated crime and the more money criminals make encourages more attacks,” said Nunnikhoven.
