Last August we announced that we were part of a project called No More Ransom (NMR), which is a collaboration of law enforcement and IT Security companies. NMR built the No More Ransom portal, which houses several resources and offers visitors ransomware prevention advice and decryption tools. There is also a tool called “Crypto-Sheriff” which gives victims the ability to upload encrypted files for analysis.
What makes this project so special is the unprecedented level of cooperation between law enforcement and the private sector in this fight against ransomware. According to the latest Europol statement, there are now 76 partners and seven associated partners in the project. The associated partners that joined since December have contributed these decryptors:
- AVAST has provided the following six decryptors to NMR:
  - Alcatraz Decryptor
  - Bart Decryptor
  - Crypt888 Decryptor
  - HiddenTear Decryptor
  - Noobcrypt Decryptor
  - Cryptomix Decryptor
- ElevenPaths – Telefonica Cyber Security Unit – this digital security company provided the decryptor to the social-media inspired Popcorn ransomware.
- Bitdefender joined late last year and added the Bart Decryptor to the portal.
- CERT Polska operates in the realm of research and incident response in Poland. This group provides the Cryptomix/Cryptoshield decryptor.
- CheckPoint announced their partnership in December and added the Merry X-Mas Decryptor and BarRax Decryptor to NMR.
- Emsisoft is an anti-malware company based in New Zealand. This partner provided the Crypton Decryptor and Damage Decryptor.
One of the founding partners, Kaspersky Lab, also contributed recent updates to the Rakhni and Rannoh Decryptors.
NMR was wildly successful right out of the gate, with 2.6 million visitors to the site in the first 24 hours. Because of the worldwide enthusiasm and interest in the project, NMR created a two-phase expansion process. Phase 1 would focus on Law Enforcement Agencies, and Phase 2 would bring in more private industry. Recent announcements from NMR and Europol indicate both phases have been successful.
A Global Problem
No More Ransom is an international, cross-industry response to a global problem:
- The website is available in 14 languages, with more expected to be added soon
- 83 partners and associate partners represent all continents across the globe
- 10,000 victims from all over the world have recovered from ransomware attacks using NMR
- The majority of site visitors come from Russia, the Netherlands, the United States, Italy, and Germany
How did we get to this point? Malwarebytes points out that we've seen ransomware as early as 1989, when the AIDS Trojan would lock autoexec.bat and ask the user to ‘renew the license’ by sending money to a PO box in Panama. When Crypto-Locker hit the wild in 2013, it changed the way ransomware operated. Instead of locking down a computer like the old FBI lockdown ransomware that accused you of committing a crime, it would simply encrypt everything it could find so that the data was unusable. It then demanded payment electronically, which was easier for the victim than sending money via snail mail. Criminals created copy-cat versions, criminal enterprises diversified their methods to include ransomware, and malvertising was discovered as an easy and reliable means of infection. Meanwhile, the world was becoming more connected via email and Internet connectivity. Fast-forward a few years and we have Ransomware-as-a-Service with HR departments, recruiting specialists, and help desks that walk the victims through bitcoin payments. The criminals have built a complete infrastructure to support a profitable enterprise.
What You Can Do
Law enforcement agencies and the IT sector are unified against paying the ransom. Payment does not guarantee decryption, data can still be lost to corruption during decryption, and payment encourages the criminals. There also appears to be universal agreement that prevention is much better than relying on data backup to prevent ransomware losses. Deploy a multi-layer security solution that protects all threat vectors, including network, email, web, and application.
Finally, educate yourself as much as possible about ransomware in the context of your business. How can the attack break through your defenses? How long will you be offline if an attack is successful? How much data can you afford to lose? Do you need to make changes in your security or data protection strategies?
Barracuda and AWS
The Barracuda Web Application Firewall protects the NMR partner organization in the AWS public cloud. You can learn more about this partnership in this guest blog post by Raj Samani and this case study (pdf).