Ransomware

A rundown of ransomware master keys released so far

Founder, Privacy PC

Author Bio ▼

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.
August 2, 2017

Download

Whitepaper: Enhancing security, resilience and efficiency across a range of industries

Most ransomware devs operate just like real-life crooks and stick with their blackmail until they get paid.

They don’t care about your personal documents, photos, videos and other irreplaceable information, period. No ransom, no files.

At the same time, some strange things may happen. There were cases when extortionists called it quits by releasing master decryption keys for their malicious software, thus allowing victims to get their data back for free. Unfortunately, this scenario is the exception rather than the rule.

There are different speculations and theories on the motivation of these ‘sympathetic’ malefactors. Some researchers believe these threat actors simply drop one campaign to move on with another from scratch. Some consider master key dumps to be a display of compassion.

Yet other analysts say there are constant wars between gangs where one group hacks another and publishes all keys of their competitors. One way or another, such cases do occur once in a while. The stories below cover all instances of these releases reported to date.

Recent ransomware master keys

  • An individual who goes by an online alias ‘guest0987654321’ dumped the RSA private key for XData ransomware on May 30, 2017. The message was posted in a dedicated XData thread on the BleepingComputer forum. Kaspersky Lab promptly used this master key to update their RakhniDecryptor tool and add support for the ransomware in question.
  • The developer of AES-NI ransomware known as ‘thyrex’ made his victims’ day by releasing private decryption keys on May 21, 2017. The dump originally included keys for AES-NI edition using [email protected] contact email. Later on the same day, the crook also published master keys for other variants, which allowed Avast and ESET to cook up ad hoc free decryptors.
  • Whoever the person nicknamed ‘lightsentinelone’ is, he did a huge favor for all Wallet ransomware victims by providing a link to a Pastebin page with a complete set of master keys. This dump took place via BleepingComputer as of May 18, 2017. Avast and Kaspersky quickly picked up this data to create free decrypt tools.
  • In an unexpected move, someone who goes by an online handle ‘checker123’ released the RSA private key for the BTCWare strain on May 3, 2017. Whereas researchers had previously created free decryptors for older variants of this ransomware, two newer ones remained uncrackable until this dump. Michael Gillespie, the author of ID Ransomware service, leveraged the leaked keys to contrive a universal decrypt tool supporting all BTCWare iterations.
  • The once prolific Dharma ransomware became decryptable due to a dump of master keys that occurred on March 1, 2017. A newly registered BleepingComputer forums user, ‘gektar’, posted the corresponding Pastebin link in the Dharma support topic.
  • Anonymous user named ‘crss7777’ released master keys for all variants of the CrySiS ransomware on November 13, 2016. To this end, said a member of the CrySiS crew posted a Pastebin link on the above-mentioned BleepingComputer forums pointing to a page with all decryption keys for the perpetrating program. Having validated these keys, Kaspersky released an updated edition of RakhniDecryptor so that CrySiS victims could recover their data without submitting the ransom.
  • The authors of CryptXXX ransomware strand abandoned their extortion campaign and started RSA private keys giveaway as of July 14, 2016. Plagued users were able to get their keys simply by logging into the infection’s payment server. The relief was only partial, though, because this dump only supported CryptXXX editions that appended the .Crypz and .Cryp1 extensions to hostage files.
  • Another happy ending case took place on May 18, 2016. This time, the architects of the TeslaCrypt ransomware campaign closed the project and provided the master key on their Tor based payment page. A security enthusiast nicknamed ‘BloodDolly’ hard-coded this key into his previously released TeslaDecoder utility so that it could crack all versions of this ransom Trojan.

Meanwhile, security researchers don’t just sit there and wait for the bad guys to throw a bone to their victims. They are busy analysing various ransomware samples for flaws in crypto implementation and have had some success cracking them.

Fortunately, lots of cybercriminals write shoddy code, so a little bit of reverse engineering often suffices to spot weak links in ransom Trojans’ behavior and defang them.

A number of security vendors, including Emsisoft, Avast, Kaspersky, AVG, and Bitdefender, stand out from the crowd in this regard as they have coined most of the free ransomware decryptors. Overall, more than 160 decryption tools out there allow ransomware victims to get off the hook without coughing up Bitcoins.

Quite a few of them support widespread strains that have infected thousands of users and keep wreaking havoc around the globe. These include decryptors for the notorious Petya ransomware, Nemucod, Merry X-Mas (MRCR) ransomware, Linux.Encoder.1, the first-ever Mac ransomware called KeRanger, Jigsaw ransomware, CTB-Locker (website edition), Chimera ransomware, CryptoMix, and Globe ransomware.

The moral of the story is: do not pay from the get-go if you fall victim to ransomware unless of course the hostage data is critical and you are too pressed for time. Chances are that the threat actors will release master decryption keys in a dump like the ones above. Furthermore, security analysts are doing their best to find effective workarounds.

Consider using a tool called CryptoSearch. It automatically finds files encrypted by ransomware and allows you to move them temporarily to a new location.

This technique streamlines the data recovery process if a free decryptor appears in the future. And keep in mind that prevention is better than cure. Do not open suspicious email attachments, apply operating system updates once they are available, and be sure to keep your important files backed up.

Related Topics

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Topics: