Ransomware Decryption Intelligence

Ransomware continues to be the most profitable method of monetising unauthorised access to compromised networks. It is the biggest threat to private and public sector organisations, large and small. In the last three years, we have seen hundreds of hospitals hit by ransomware, as well as other critical infrastructure sector organisations, such as the Colonial Pipeline or JBS foods. Slowing the ransomware epidemic requires a multi-pronged approach. While this includes arrests, action against illicit cryptocurrency transactions, sanctions, or – the topic of this blog – decryption.

By reverse engineering the encryption implementation utilised by a ransomware variant, researchers can exploit a cryptographic flaw to decrypt ransomware. This does make it possible to recover files without paying a ransom for the decryption keys. When the ransomware group eventually realises, or learns via public reports, that their ransomware is fundamentally flawed, they often either abandon it, fix the flaw, or start fresh with a rebrand.

Four scenarios of how ransomware variants are decrypted are outlined below:

Scenario 1

A researcher figures out how to decrypt a ransomware variant
The flaw in the ransomware is disclosed publicly via a free decryption tool
Victims can recover files locked by the ransomware variant with the encryption flaw
The ransomware operators noticed the flaw and fix issue (sometimes in <24 hrs)
Ransomware gang continues attacks