Breaking Free: A list of ransomware decryption tools and keys

Security software companies and research organizations are collaborating to break the encryption codes of ransomware variants and free those who have fallen victim to cybercriminals. Unfortunately for many, these efforts take time, and that’s why decryption methods often do not exist for the newest ransomware variants. The good news for those who have been infected by older ransomware is that there may be a decryption method available to recover their data.

If backups are available, the easiest course of action is to simply remove the virus, delete the infected files and restore data that has been encrypted. But that’s not always an option. In some cases, users become infected with older ransomware that is no longer being monitored for ransom payments—so paying the ransom won’t help. If your computer is infected with ransomware, the chart below may help.

Search for the ransomware in the table below and then download the decryption tool from the URL provided.  Some tools will scan for ransomware and prompt you to decrypt the files while others require you to point the decryption tool directly at the encrypted files. You may also have the option to remove the encrypted file after a decrypted version has been created. Please note: The decryption of files could take hours and a large number of encrypted files could take weeks to decrypt. In other words, be prepared to wait.

The list below was compiled in October 2016 and it contains links to decryption tools and or scripts that can potentially set your computer free.

Ransomware Vendor URL
777 Emsisoft Download decryptor
Agent iih Kaspersky Download decryptor
Al-Namrood Emsisoft Download decryptor
Apocalypse Emsisoft Download decryptor
ApocalypseVM Emsisoft Download decryptor
Aura Kaspersky Download decryptor
AutoIt Kaspersky Download decryptor
Autolocky Emsisoft Download decryptor
BadBlock AVG Download decryptor
Bart AVG Download decryptor
Bitman Kaspersky Download decryptor
Chimera Kaspersky Download decryptor
CoinVault Nomoransom Download decryptor
Cryakl Kaspersky Download decryptor
Crybola Kaspersky Download decryptor
CrypBoss Emsisoft Download decryptor
Crypt888 AVG Download decryptor
CryptInfinite Emsisoft Download decryptor
CryptoDefense Emsisoft Download decryptor
Cryptokluchen Kaspersky Download decryptor
CryptXXX Kaspersky Download decryptor
CryptXXX v2 Kaspersky Download decryptor
DeCrypt Emsisoft Download decryptor
DecryptorMax Emsisoft Download decryptor
Democry Kaspersky Download decryptor
DMALocker2 Emsisoft Download decryptor
Fabiansomware Emsisoft Download decryptor
FenixLocker Emsisoft Download decryptor
Fury Kaspersky Download decryptor
Globe Emsisoft Download decryptor
Globe2 TechForum Download decryptor
Gomasom Emsisoft Download decryptor
Harasom Emsisoft Download decryptor
HydraCrypt Emsisoft Download decryptor
Jigsaw MalwareHunterTeam Download decryptor
KeyBTC Emsisoft Download decryptor
Lamer Kaspersky Download decryptor
LeChiffre Emsisoft Download decryptor
LECHIFFRE TrendMicro Download decryptor
Legion AVG Download decryptor
Linux Encoder 1 BitDefender Download decryptor
Lortok Kaspersky Download decryptor
MirCop TrendMicro Download decryptor
Nemucod Emsisoft Download decryptor
Operation Global III Nathan Scott Download decryptor
PCLock Emsisoft Download decryptor
Peyta Leostone Download decryptor
Philadelphia Emsisoft Download decryptor
Pletor Kaspersky Download decryptor
Radamant Emsisoft Download decryptor
Rakhni Kaspersky Download decryptor
Rannoh Kaspersky Download decryptor
Rotor Kaspersky Download decryptor
Shade Intel Download decryptor
SNSLocker TrendMicro Download decryptor
Stampado TrendMicro Download decryptor
SZFlocker AVG Download decryptor
TeslaCrypt Cisco Download decryptor
TorLocker Kaspersky Download decryptor
UmbreCrypt Emsisoft Download decryptor
WildFire Intel Download decryptor
XORBAT TrendMicro Download decryptor
Xorist Emsisoft Download decryptor
Alpha PhishLabs Download decryptor

This list contains keys that can be directly used to decrypt files encrypted by Crypt38, Locker, and NoobCrypt.  

Ransomware Vendor URL
Crypt38 Fortinet Look in your %Appdata%\Microsoft\Windows\request.bin directory
Locker Poka BrightMinds http://pastebin.com/1WZGqrUH
NoobCrypt Jakub Kroustek ZdZ8EcvP95ki6NWR2j or lsakhBVLIKAHg


For more news and information on the battle against ransomware,
visit the FightRansomware.com homepage today.

Warning: Some ransomware attacks are just a diversion

Ransomware computer viruses are becoming more sophisticated—and so are the attacks that make use of ransomware. In some cases, ransomware is used to disable access to a machine so criminals can perform further actions without being tracked. Criminals have also used ransomware to cause chaos and avoid detection after hacking into a network and stealing data.

Ransomware attacks are sometimes used to create a diversion while cybercriminals steal or exfiltrate data. While users and IT teams are busy trying to take machines offline and contain the infection, criminals are busy downloading files from users’ computers.

study on Distributed Denial of Service (DDoS) attacks by Neustar showed that ransomware was found in 15% of DDoS cases. And Dark Reading author Kelly Jackson Higgins says attackers are including ransomware with other types of attacks as well.

Ransomware can be an effective way for criminals to cover their tracks. For example, cybercriminals might install ransomware that encrypts valuable data such as log files in an effort to make those files inaccessible to investigators. Even if the files are later decrypted, investigators may not look for a second attack because ransomware incidents typically receive the most attention. Investigators need to be especially vigilant: In addition to searching for the cause of the ransomware infection, they need to look into whether more attacks were performed on the machine.

In many cases, the best practice is to wipe a machine that is infected with ransomware and then restore its files from backup. This provides assurance that backdoors and other compromised elements of the system will no longer be available for the attacker to take advantage of at a later point.

However, wiping the system can remove valuable evidence as well. In cases where additional evidence is needed, it’s important to take a forensic image of the computer prior to wiping it. This allows investigators to review data from the image when conducting the investigation. In some cases, ransomware decryption tools become available that will allow investigators to decrypt the data from an image. This data could be valuable in determining whether additional data was exposed and whether the ransomware was used to cover up other illegal activities.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Ransomware Incident Response: 7 steps to success

Ransomware infections are becoming increasingly commonplace, and companies that put a plan together before an incident are much more effective at combatting this pervasive malware.

Ransomware response can be broken down into seven steps. Here’s a cheat sheet:

Validate
The first step is to confirm whether a reported ransomware infection is an actual infection. There are cases where a user reports what they think is ransomware, but it turns out to be adware, phishing, or some other virus. Validation is important because it keeps efforts focused on important issues. But if you see a ransomware note demanding payment to unlock files, and your system or files are locked or frozen, then you’ve been hit.

Assemble
Now it’s time for the incident response team to assemble. Incident response teams often include members of your IT staff, management, public relations, and legal. The incident response plan outlines how each member should be trained on how to respond to a ransomware incident. In some cases, the primary person may be unavailable, and it will be necessary to call in a secondary resource to handle that role.

Analyze
The next step is to determine the scope of the incident, including which networks, applications and systems are impacted and whether the ransomware continues to spread. This is often the role of the IT and security point people.

Contain
Containment actions can take place concurrently with analysis activities. In this phase, infected machines are isolated to stop the spread of the ransomware by disconnecting the computers from the network or shutting them down. The scope often changes when containment is underway, and ransomware is still spreading. This phase ends when all infected machines have been isolated from clean machines.

Investigate
The investigation starts by preserving evidence. Some machines will need to be returned to service as soon as possible while others might be less critical. Evidence such as log files or system images is taken of the affected machines along with documentation of serial numbers and asset identifiers.

Eradicate
The eradication phase removes the ransomware from machines and brings them back into a functioning state. Isolated machines are wiped, and then data is restored from backupto each of the machines after the evidence on the computers has been preserved. In some cases, organizations may decide to remove the ransomware and then restore files that were encrypted by the ransomware without wiping the device first.

A full machine restoration prevents other ransomware or malware from causing problems on the computer, and it also prevents backdoors or other software that the ransomware might have installed from being used to infect the machine later. For this reason, it is typically recommended that you wipe the device and restore the operating system and data from backup.

Remediate
The last step is to remediate the problem that the ransomware exploited in the first place. This is often a user training issue, so companies implement more awareness training or coaching of individuals. In other cases, new technology needs to be put in place. If backups were found to be inadequate, the company would back up more data or back up more often. The ransomware incident should result in some improvement actions that the organization can perform to be better prepared for future incidents.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Mamba ransomware takes a bigger bite out of your data

As if encrypting your individual files was not enough, a recently discovered ransomware virus called Mamba encrypts your entire hard drive.

This may sound similar to the Peyta drive encryption ransomware that made headlines earlier this year. But Mamba is a different animal. It differs from Peyta in that it encrypts the entire hard drive while Peyta encrypts only the Master File Table (MFT), the information store that tracks which files are on the drive and where they are located. With Peyta, forensics can recover the data from the drive since the data itself is not impacted. There is also a password generator tool for Peyta that can be used to decrypt the MFT. There is currently no easy fix for the sneaky snake known as Mamba.

Mamba starts by overwriting the Master Boot Record (MBR), the program that tells your computer where to find the files to start your operating system. Mamba’s custom MBR tells the computer to load a ransom demand instead of the operating system when the machine restarts. The ransom demand reads as follows:

You are Hacked! H.D.D. Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 987654

Mamba encrypts the hard drive as well as other mounted drives such as USB flash drives using an AES-256 compatible open source full-disk encryption program called DiskCryptor.  Mamba is primarily distributed through phishing emails, but that could change as Mamba distribution grows. The ransomware currently targets only Microsoft Windows machines of any variety including Windows XP, Windows 7 and Windows 10.

What to do if you’re attacked with Mamba

If your computer is infected with Mamba, your first recovery step is to restore from backup. Mamba encrypts the entire drive so victims will be unable to access the files or operating system without the decryption key. This means that the operating system and all files will need to be restored from backup.

With most ransomware, you have the option of restoring just the files or folders that were encrypted, or the entire machine. The recommended approach is to restore the whole computer, but some cases require the that the device be put back into service as quickly as possible, so a file restore is performed. There is no such choice with Mamba.

There are two options when restoring the system, based on what data is available to restore. Victims with a full system backup can restore the entire system backup to the machine in a single operation. If a full system backup is not available, victims will need to install the operating system and programs and then restore the data. The second option takes more time to perform, and it requires that the user knows which applications were installed on the system, but it will bring the system to a fully functional state with applications and data in the end.

Take the time now to ensure that you have adequate backups so that you can restore your system in case you encounter full-disk encryption ransomware like Mamba. Consider which restore strategy would be ideal for your company, and how much time your employees can go without access to their computers or data. Then craft a backup strategy that meets your recovery expectations.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today

Crucial Elements of an Incident Response Plan

The news is crowded with reports from noteworthy companies of cyber-attacks.  Last year was the year of the data breach and this year is the year of ransomware.  Companies large and small, even those with large security budgets and mature security practices, still proved vulnerable to attack.  Every company will suffer a security incident someday, but not all companies are prepared for it, and preparation will determine what impact a security incident will have on your company.

Will your company weather the attack and come out stronger for it or will you lose customers, brand image, or your company?

“We’re not in Kansas anymore”

This is where your incident response plan comes in.  The incident response plan outlines the activities that will take place in an incident.  Decisions made before an incident are far superior to those made in the heat of the moment when the stress is on.  Plans can be thought through and properly vetted, and this leads to more robust decision making, more effective incident response, less company and customer loss due to the incident, and less stress overall.

“Houston, we have a problem”

The first step in an incident response plan is to define the team of individuals who will conduct and coordinate the incident response.  This is more than just a group of technical wizards or high-level executives.  It also includes PR, legal, security, and third parties.

“To the Batcave”

Once the team is assembled, the next step is to create an incident response plan.  This is not a step that is given to one or two team members.  Rather, those involved on the team should also be involved in the incident response planning effort.

Scenarios or table top exercises can be used to develop plans for specific incidents or to enhance existing plans.  Scenarios such as malware infection, ransomware infection, a lost or stolen device, Distributed Denial of Service (DDoS) attacks, cyber breaches, and social engineering should be specifically addressed in meetings where each team member walks through the actions they would take in that incident.  A facilitator guides the discussion and aids in making sure critical steps are not skipped.  The output from scenario planning is a detailed step by step process for handling specific incidents.

“Who’s on First?”

It is not enough to know what to do.  You also have to know who is going to do it.  Many plans have failed because no one knew who was supposed to carry out the expertly-written instructions.  Each task in the incident response plan should have a designated person or role assigned to it.  Role-specific tasks provide accountability and ensure that there will be someone to conduct those activities during an incident.  None of the tasks identified in the procedures should be overlooked.  It is important to also assign alternates in case the primary person is unavailable when the actual incident occurs.  Once the incident procedures have been properly vetted and approved and the roles outlined, response activities should be practiced regularly so that the incident response team is familiar with their responsibilities.

There is a lot more information available on incident response, but an effective incident response plan requires the right team, well-thought-out instructions, and tasks that are clearly assigned to individuals.  Plans lacking these elements will not provide your company, customers, and employees with the guidance they need when an incident occurs, and it will happen.  Be prepared.

This post is sponsored by AT&T Security.

5 steps to a winning incident response team

People are the core of any incident response effort.  You must have the right people to provide the right response.  Incident response teams should include a diverse set of individuals across the organization including executives, information technology, security, public relations, legal and relevant 3rd parties.  Here is what makes a winning incident response team.

  1. Winning teams have top level support

Top level support is essential in an incident response team, and executives can provide it.  Executives are the ones who will be able to allocate the resources necessary to take action during a breach, and they can rally support and establish budgets for planning and preparation activities.  Executives also bring legitimacy to incident response plans and procedures.

  1. Winning teams have the technical skills

Almost every incident will require some level of technical skill to resolve it and most incidents will require significant technical effort.  Information technology (IT) team members are usually the first to find out about an incident.  Sometimes users report an incident to IT and in other cases, IT learns about the incident through detective security controls such as log monitoring or intrusion detection systems, or antivirus.  IT is also responsible for making technical changes as incident response activities progress.

  1. Winning teams have a security perspective

A keen understanding of the risks, impact, and scope are needed in incident response.  This is where members of the incident response team responsible for security step in.  Security team members take point on validating reported events and determining if they constitute an incident.  They analyze information collected by technology tools and assess the scope and impact of the incident.

  1. Winning teams know how to communicate

Communication, both internally and externally, is a fundamental component of incident response.  Public relations team members communicate with employees, partners, law enforcement, the media, or investors regarding the incident.  They work with the legal team to understand the compliance and contractual liability and cyber breach notification requirements.

  1. Winning teams cross organizational boundaries

Teams may include both internal employees and contractors.  Incident response is not something most companies do every day, and an effective response requires individuals who have the unique skills, tools, and techniques required to address the incident.  Some third parties that may be part of the incident response team include forensics, security consultants, attorneys, insurance, law enforcement, or upstream providers such as Internet Service Providers (ISP), datacenters, or cloud providers.

Team makeup is critical for successful incident response.  A winning team needs to have adequate support, the required technical and security skills, effective communicators, and outside expertise.  So who is on your team?

This post is sponsored by AT&T Security.

Pokemon Go ransomware virus is out to catch’em all

A Pokemon Go-themed ransomware virus has appeared on Windows computers, tablets, and phones. The ransomware is the latest in a series of malicious applications that have popped up in the wake of the global Pokemon Go obsession.

This particular piece of malware is known as POGO Tear and it’s based on open source ransomware code called Hidden Tear. POGO Tear encrypts the files on victims’ computers, changes the extension to “.locked” and then demands a ransom on a screen emblazoned with famed character Pikachu’s picture.

POGO Tear is currently coded to display its ransom message in Arabic only as shown below. The text informs users that their data has been encrypted and instructs them to contact blackhat20152015@gmail.com to decrypt their files. It also thanks them for their generosity.

POGOTear

What’s interesting about this malware is that it incorporates several features not usually found in other ransomware viruses. POGO Tear creates an administrative user account called Hack3r on the victim’s machine and then hides it from the logon screen so the user can’t tell it’s there.

It also creates a network share on the victim’s computer and copies itself to all available network drives. The ransomware automatically executes when Windows starts.

How to recover from POGO Tear
When your computer is attacked with POGO Tear, it’s not enough to simply remove the infected files and restore from backup. Victims must also remove the backdoor administrator account and ensure that it has been cleaned from all removable drives and connected computers before performing restore operations. Otherwise, the administrative account could allow an attacker to install additional ransomware, or even steal data using more traditional attack methods.

It appears that POGO Tear is still in a beta or development stage. It uses a static decryption key which will most likely be replaced with a random key when it’s fully deployed. Currently, files encrypted by POGO Tear can be decrypted with the following AES encryption key: 123vivalalgerie

POGO Tear has a private IP address of 10.25.0.169 coded into it for command and control, indicating that the developer of it is still testing out command and control functionality since a private IP address cannot be directly referenced by other computers over the internet. This will most likely be replaced with a set of internet-accessible dynamic DNS names once the full version is released. POGO Tear does not exist in any other languages besides Arabic and it currently does not specify a value for the ransom.

If you are infected with POGO Tear, you can decrypt your files with the key mentioned above. But be sure to have adequate backups, endpoint protection, and network security controls in place to guard against the future release of the full version.  And if you’re interested in playing Pokemon Go, be sure to download the official version from Niantic when visiting your favorite online app store.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.