This ransomware was only known by names \u201chelpme@freespeechmail.org\u201d and \u201cfile2@openmailbox.org,\u201d after two of the email addresses users were told to contact the malware\u2019s author and to receive payment details for possible decryption.<\/p>\n
Author(s) demanded three bitcoins as a fee. Tech forums and outlets called that ransomware extremely nasty as it had caused a lot of destruction.<\/p>\n
Ransomfails: a few stories on beating #cryptors<\/p>Tweet<\/a><\/blockquote>\n
However, in the Fall of\u00a0last year it was discovered<\/a>\u00a0that this ransomware is prone to brute-force using Kaspersky Lab\u2019s RakhniDecryptor<\/a> utility. It was intended to crack the \u201cvenerable\u201d Rakhni (Trojan-Ransom.Win32.Rakhni) cryptor known since 2013. Most likely \u201chelpme@freespeechmail\u201d ransomware is a derivative of the former.<\/p>\n
So in the end, it is quite possible to give the criminals the sack, not ransom.<\/p>\n
The failure epique of DMA cryptor<\/strong><\/p>\n
An encrypting malware of Polish origin, this one initially featured a ransom note only in Polish. However, with time DMA\u2019s code improved and the English ransom notes were added.<\/p>\n
Then researchers from Malwarebytes decided to go in<\/a>, and found a lot of funny things about DMA.<\/p>\n
Funny thing one: malware authors advertised that they used an AES-256 key to encrypt files and then secured that key via an RSA-2048 cipher, but then researchers discovered that it only employed a custom encryption algorithm, which was quickly cracked.<\/p>\n
Funny thing two: DMA had no protection against reverse engineering, which was excellent news for the researchers.<\/p>\n
Funny thing three: DMA encryption key came hard-coded in one of its binaries.<\/p>\n
Funny thing four: DMA author embedded the decrypter right inside the ransom note, creating dual-mode ransomware that can encrypt and decrypt files from the same source code.<\/p>\n
Even if those smarties who wrote DMA found out they made a mistake by embedding the decryption, their custom encryption algorithm is still a weak one. Fortunately for the victims, it\u2019s an amateur\u2019s work that\u2019s not going to be much of a danger.<\/p>\n
Petya ransomware rocked-n-busted<\/strong><\/p>\n
A nefarious cryptor codenamed Petya (a Russian counterpart for name Pete) had been discovered late last month. It had a peculiar feature: it targeted infected machine\u2019s master boot records, and the only option for the victims was to hand over roughly $400 in Bitcoin for the decryption key.<\/p>\n
A certain individual who goes by the handle @leostone posted an algorithm to generate decryption keys.<\/p>\n
#Ransomware can be beaten, but it\u2019s more about luck and criminals\u2019 mistakes \u2013 not something reliable.<\/p>Tweet<\/a><\/blockquote>\n
As Threatpost points out<\/a>, users can generate a decryption key, providing they can supply the tool with information from their infected drive \u2013 the boot sector and nonce associated with it.<\/p>\n
This may be not an easy task for the average user, but Fabian Wosar, a security researcher at Emsisoft, created an executable over the weekend designed to extract data from infected Petya drives and expedite the process.<\/p>\n
The same Mr. Wosar just recently managed to crack the encryption of HydraCrypt and UmbreCrypt ransomware families<\/a>.<\/p>\n
On Sunday, Lawrence Abrams, a computer forensics expert who blogs at BleepingComputer.com and has been following the ransomware\u2019s saga, put together a guide on how to use the tool. He tested it and successfully recovered the data from the test machine. However, he acknowledged that Petya authors may soon update their ransomware making decryption a much more complicated process.<\/p>\n
You wanted to play a game? Really?<\/strong><\/p>\n
A sadistic ransomware wasn\u2019t just encrypting the files but also deleted them unless the victim paid 0.4 Bitcoin or $150 within an hour. Restarting a PC would also cost 1,000 deleted files.<\/p>\n
The ransom demand contained the image from the \u201cSaw\u201d horror movie franchise and an appropriate line \u201cI want to play a game with you\u2026\u201d<\/p>\n
Game\u2019s over, at least for now<\/a>. Researchers, including security researchers at MalwareHunterTeam and individual computer forensics experts Michael Gillespie and Lawrence Abrams, have analyzed the malware and developed\u00a0a decryption tool that allows victims to recover their files for free.<\/p>\n
Your game was unimpressive, clowns.<\/p><\/div>\n
Now the funniest thing: Jigsaw can be prevented from deleting any files if an affected user goes into their Windows Task Manager and terminates firefox.exe and all of the drpbx.exe processes. In fact Jigsaw gets into the system as a fake Firefox browser installation file.<\/p>\n
Then there\u2019s only an encryption problem, which is beaten by the aforementioned decryption tool.<\/p>\n
Still not common<\/strong><\/p>\n
It\u2019s not common for ransomware criminals to be outsmarted. In fact, it is quite a rare occasion. More often users and businesses are facing less than exciting prospects of paying ransoms without a guarantee of getting their files back.<\/p>\n
Some strains of ransomware are plain impossible to decrypt without knowing the keys, simply because the encryption algorithm they use are too strong.<\/p>\n
So, by default it is much more reasonable to take preventive measures and not let the beasts in.<\/p>\n
![\"saw\"](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/04\/06020451\/saw.jpg\")