New Decryption Tools Aid Ransomware Fight

New Decryption Tools Aid Ransomware Fight

Security firm AVG has fired back in the long-running tit-for-tat battle with the ransomware black hats by releasing a new tool to decrypt files locked with the Bart variant.

Malware analyst Jakub Kroustek explained that the new tool would work on all versions of the ransomware seen “to date.”

“Rather than rewriting files with their encrypted versions, like other ransomware families do, Bart moves each file to a separate password-protected archive (ZIP file), then deletes the originals. The encrypted files are easy to recognize, because they’re ZIP archives, denoted by .zip extensions,” he added.

“The trick is they’re password-protected, by a unique (and looong) password. But never fear, AVG’s Bart decryptor works by comparing a single encrypted file with its unencrypted original.”

Bart ransomware first appeared last month when Proofpoint spotted the new strain, which appeared to come from the same authors as Locky and banking trojan Dridex.

It typically arrives in the form of a spam email urging the recipient to open a malicious JavaScript attachment masquerading as ‘photos'.

Its payment portal is also almost identical to that of the Locky ransomware. Users have been hit with a $2000 bill to get their files unlocked.

It encrypts the victim’s files before even connected to a C&C server, hinting that the malware might be able to encrypt behind corporate firewalls that would otherwise block such traffic.

In related news, Palo Alto Networks has released a new decrypter tool for victims of the PowerWare variant, also known as PoshCoder.

The malware itself uses ‘.locky’ filename extension on encrypted files and employs the same ransom note as the Locky family.

The scale of the ransomware problem is still unclear, although Trend Micro claims to have blocked in excess of 100 million threats for its customers around the world in just the past six months alone.

Despite the availability of such decryption tools, prevention is the best approach to this type of threat.

Users are advised to put in place layered security covering endpoints, gateways, servers and networks, and arrange back-up along a classic 3-2-1 rule: at least three copies in two different formats with one copy off-site.

Source: Information Security Magazine