A new partnership between Dutch National Police, Europol, Intel Security, and Kaspersky Lab aims to help users recover their data after being victimized by ransomware attacks. Dubbed No More Ransom, the initiative offers victims informational resources to deal with attacks and tools to help them recover their data.
“For a few years now ransomware has become a dominant concern for EU law enforcement,” Wil van Gemert, Europol’s deputy director operations, said in a statement. “It is a problem affecting citizens and business alike, computers and mobile devices, with criminals developing more sophisticated techniques to cause the highest impact on the victim’s data.”
The No More Ransom online portal will provide users with information on what ransomware is, how it works and, most importantly, how to protect themselves.
Your Money or Your Data
A ransomware attack is one of the most damaging types of malicious intrusions a network can experience. Ransomware is malware that locks victims’ computers or encrypts their data, and then demands ransom before giving control over the affected devices or files back to the users.
While the targets are often individual users’ devices, corporate and even government networks can be affected as well. The number of ransomware victims has risen by 550 percent in recent years, from 131,000 in 2014-2015 to 718,000 in 2015-2016, according to Kaspersky Lab.
We spoke with Jornt van der Wiel, a security researcher at Kaspersky Lab, about the effect such attacks can have on enterprise IT departments. He told us that ransomware is particularly effective at attacking businesses. That’s because cybercriminals are aware that organizations are more likely to pay ransom since the data held captive is sensitive and crucial for business operations to continue, Van der Wiel said.
“In addition, some smaller organizations tend to pay because restoring backups costs are sometimes more than paying the ransom,” he said. “Therefore we are providing tools at the No More Ransom Web site that will help those businesses infected by ransomware.” In its initial stage, the Web site will provide users with four decryption tools for different types of malware, the latest developed in June 2016 to address the Shade ransomware variant.
Throwing Shade
Shade is a particularly nasty Trojan that emerged in 2014. The malware is spread by malicious Web sites and infected email attachments. After getting into a user’s system, Shade encrypts files stored on the machine and creates a .txt file containing the ransom note and instructions from cybercriminals on how to get the personal files back.
Shade use a strong decryption algorithm for each encrypted file, generating two random 256-bit AES keys: one to encrypt the file’s contents and the other to encrypt the name of the file. Authorities have managed to locate and seize the Shade command-and-control server, which contained 160,000 decryption keys for the Trojan. The keys are now available through the No More Ransom portal.
“The appearance of decryption tools is just the first step on this road,” Van der Wiel said in the statement. “We expect this project to be extended, and soon there will be many more companies and law enforcement agencies from other countries and regions fighting ransomware together.”
