Around the world, a small but dedicated community of experts is working to combat ransomware. They analyze ransomware strains to find flaws hidden deep within the code, and use these flaws to create free ransomware decryption tools that allow victims to recover their encrypted files without paying a cent to the cybercriminals.
To the criminals, the decryption tools are a menace, a threat to their massive illegal profits; to the victims, they’re often the only means of retrieving their data without yielding to the bad guys.
There’s just one problem: most people are completely unaware that these free decryptors exist.
To pay or not to pay, that is the question
It’s been a busy year for ransomware. Over the course of 2019, thousands of people, businesses and public entities throughout the United States have been affected by ransomware. In many cases, the victims have been forced to face a very difficult decision: give in to the demands of the cybercriminals and pay the ransom; or refuse to cooperate with the hackers and deal with the incredibly costly downtime.
Law enforcement agencies and cybersecurity companies generally advise against paying the ransom. Cooperating with cybercriminals not only incentivizes further attacks, but it’s also believed that the ill-gotten gains may be used to fund more serious crimes such as drug manufacturing and human trafficking.
This hard-nosed stance might look good on paper, but in the real world, things aren’t so black and white. If backups fail or operations are severely affected, paying the ransom can be a strategic and cost-effective option. Some, like the government departments in Riviera Beach and Lake City, went this route, collectively paying cybercriminals more than $1,000,000 in June 2019 to regain access to their encrypted systems.
Of course, they’re not the only ones who have coughed up the money. Many ransomware victims choose to pay the ransom – and, from a business perspective, it’s easy to see why. Ransomware can cause significant productivity loss and lead to missed business opportunities, which can have a major effect on revenue. In fact, research from business continuity firm Datto found that the average cost of downtime is more than 10 times higher than the average requested ransom amount. Paying the ransom can reduce disruption, minimize losses and allow businesses to resume operations as quickly as possible.
Free ransomware decryption tools
Lack of public awareness of alternative recovery methods may also be contributing to the high rate of ransom payments. In the U.S., there are no official channels of communication between law enforcement agencies and cybersecurity companies, which makes it challenging for those involved in the fight against ransomware to coordinate their efforts. It also makes it difficult for organizations to effectively disseminate information that could help victims recover their files.
As a result, many victims fail to realize that there’s an entire community of cybersecurity experts dedicated to creating free ransomware decryption tools, which can decrypt about 25 percent of all ransomware strains. Most of these decryptors can be found on the following free, non-commercial services that enable people and organizations to unlock ransomed data without paying the ransom.
No More Ransom
No More Ransom is a collaborative initiative that aims to disrupt the ransomware model. Created by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky Lab and McAfee, No More Ransom has grown to include 150 partners and is now home to decryption tools for 109 different ransomware strains. Since its inception in July 2016, No More Ransom has helped more than 200,000 ransomware victims recover their files for free and prevented more than $108 million from falling into the hands of criminals.
No More Ransom is quick and easy to use. Ransomware victims simply upload an encrypted file and/or the ransom note and/or details from the ransom note to the online portal. The website checks for a decryptor for that particular strain of ransomware, and directs the user to a download link if a decryption tool is available.
ID Ransomware
ID Ransomware is the brainchild of Emsisoft Researcher Michael Gillespie, who received the FBI Director’s Community Leadership Award in recognition of his efforts in combating ransomware.
Much like No More Ransom, ID Ransomware allows ransomware victims to upload a sample encrypted file and/or a ransom note and/or the attacker’s contact information. The service then identifies the strain of ransomware and provides a free decryption tool if one is available.
ID Ransomware has a couple of advantages over No More Ransom. Firstly, it allows users to set up a notification for non-decryptable cases so they can be notified if their case becomes decryptable in the future. Secondly, and most importantly, ID Ransomware confirms whether Ryuk cases are decryptable whereas No More Ransom does not. Ryuk is the strain of ransomware that has been plaguing US cities, schools and other public entities in recent weeks. Antivirus company Emsisoft has created a decryption tool that can decrypt Ryuk in about 3 to 5 percent of cases.
Breaking the ransomware cycle
As long as ransomware remains profitable, it will continue to be a persistent threat to individuals and organizations around the world. Therefore, the key to breaking the ransomware cycle lies in discouraging victims from paying the ransom.
Services such as No More Ransom and ID Ransomware play a critical role in reducing the profitability of ransomware. Raising awareness of these services may enable more victims to recover their encrypted data for free, stifle the flow of cash that is currently streaming into the hands of cybercriminals and disincentivize ransomware attacks in the future.