Popup on computer encrypting all files

Anything that would work this way doesn’t qualify as encryption.

The most common example is Rotate 13 which is merely intended to slightly obscure something, like the answer to a puzzle or something a bit offensive. Kind of an alternative to the 2-click rule here.

One simple encryption system where the encryption method is also the decryption method is XOR encryption. You exclusive-or the data with the key and you get the encrypted data. To recover, just exclusive-or with the key again.

But note you have to have the key! If you have a copy of the original file and the encrypted file, then you XOR those to get the key. And if that key is used on the other files, then you’re good.

One ransomware apparently did this, making it easy to crack. But it’s not as simple as you imply.

(Way too many “legitimate” programs use XOR encryption which leads to a complete lack of security. This sort of stuff was considered trivial to break by WWII standards.)
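The two points in the post above (a transform that is its own inverse, like ROT13 or XOR, and recovering an XOR key by XORing an original file with its encrypted copy) worked through as an added Python example. This is not code from the thread; the key `s3cret` and the two sample “files” are constructed for the demonstration. It goes one step beyond the post by also inferring the key length from the period of the recovered keystream instead of assuming it is known.

```python
import codecs
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.

    Since (x ^ k) ^ k == x, the same call both encrypts and decrypts.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def rot13(text: str) -> str:
    """ROT13 is its own inverse for the same reason: two shifts of 13 make 26."""
    return codecs.encode(text, "rot13")


def keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext step: plaintext XOR ciphertext gives back the keystream."""
    n = min(len(plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(plaintext[:n], ciphertext[:n]))


def smallest_period(stream: bytes) -> int:
    """Return the shortest p such that stream[i] == stream[i % p] for every i.

    For a repeating key this is the key length, provided the sample is at
    least twice as long as the key; on shorter samples a spurious short
    period can be reported.
    """
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Recover a repeating XOR key from one known plaintext/ciphertext pair."""
    ks = keystream(plaintext, ciphertext)
    return ks[: smallest_period(ks)]


# Constructed sample data (not from the thread): a secret key and two "files".
KEY = b"s3cret"
FILE_A = b"ATTACK AT DAWN, RETREAT AT DUSK"
FILE_B = b"The second file, which we never saw in the clear."


def demo() -> dict:
    """Encrypt both files, recover the key from FILE_A alone, decrypt FILE_B."""
    enc_a = xor_with_key(FILE_A, KEY)
    enc_b = xor_with_key(FILE_B, KEY)
    # The "victim" only needs an original copy of FILE_A plus its encrypted form.
    recovered = recover_key(FILE_A, enc_a)
    return {
        "round_trip_ok": xor_with_key(enc_a, KEY) == FILE_A,
        "recovered_key": recovered,
        "file_b_decrypted": xor_with_key(enc_b, recovered),
    }


if __name__ == "__main__":
    result = demo()
    print("recovered key:", result["recovered_key"])
    print("FILE_B decrypts to:", result["file_b_decrypted"])
```

The period search is what makes the recovered keystream usable on other files: once the repeat length is known, the first period of the keystream is the whole key. It needs a known file at least twice the key length to be reliable, which is the practical caveat behind “you have to have the key” in the post.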

Although 99.9% of malware is going to hit Windows, Linux is not completely clear: there was an easily defeated ransomware, ELF/Filecoder.A, mentioned on Wikipedia:

Discovered on November 5, 2015, by Dr. Web, this malware affected at least tens of Linux users.

TBH I tend to be rather blasé about malware most of the time.

Anything I want to preserve goes on an external drive that is normally off.

Before and after bank visits I run Bleachbit and ClamTK - more so as not to pass anything on to Windows users.

If anything nasty should happen it is so quick and easy to reinstall it isn’t worth the bother of too much fiddling around to fix things.

A recent outbreak of ransomware was spread by the ad networks used by tons of really big, mainstream, and otherwise reputable websites. Protecting yourself from this kind of attack basically requires you to either disable Flash player, or use a browser like Chrome that “sandboxes” Flash to prevent malicious code from affecting your system. Even religiously updating Flash won’t necessarily protect you, since there are a lot of exploits that are spread widely before Adobe manages to patch Flash.

I don’t go quite that far, instead I rely on adblockers and the “click to activate flash” functionality built into Firefox. And a mix of cloud and more traditional off-site backups.

I got exactly the same problem. I had for many months an old and failing laptop with Windows XP, Internet Explorer 6 and hardware ready to disintegrate. It was an MSI 7 or more years old. I believed that statistically I was running a very low risk, until this or a similar virus hit me. It encrypted all files, and fake messages started appearing saying that they were encrypted for my safety and that I needed to pay for a special key. I don’t know if the virus went in from the IE or the Mozilla Firefox, because the malware was opening the Mozilla every time I was starting the computer. I discussed the problem with my computer technician, and he said that if I didn’t have too many important files I shouldn’t be too concerned. I permanently put the computer to disuse, as I was to get a new one. After that I refilled the new one with the needed files taken from others, but I have two storage devices infected now. How should I deal with them? My antivirus does not find any harmful element in them, and so I was fooled and opened the external hard disk in my new computer, where the files were encrypted. Fortunately the virus didn’t pass to the new computer. Also, another side effect of the virus was the disabling of my Gmail account. From then Google pops up a message whenever I try to log in, saying that Google cannot confirm my identity. I tried to recover the account with as much information as I remembered, then Google sent me an automatic e-mail, which said that if I was unsuccessful in recovering it, I could send them back a reply. I then sent a reply back, stating additionally that I have visual impairment and consequently better not to help me with verification images, and even better to correct the problem remotely. No improvement from then, three weeks ago.

I see no reason to assume this. It’s not like ransomware companies are listed in the Better Business Bureau, and they only get repeat business at all if they break their word, not if they keep it. Oh, they might unscramble the files when you pay, but what incentive do they have to not scramble them again a few months or a year down the line?

Oh yeah, it’s totally paying the danegeld, but if the ransomers just took your money and didn’t decrypt your data, then after a while people would know their options are pay and lose their data or don’t pay and lose their data.

So you can actually pay to get the decryption fixed?

How does this scheme work, legally? How is it that you end up paying real money to some real company or group (meaning, the hacker is exposed) and someone is not arrested?

But it’s a Tragedy of the Commons. How many different outfits are there pulling this scam? For any one of them, the incentives are greater to rip “customers” off than to play “fair”. Let’s say that you’re one of 100 scammers. If one scammer out of 100 doesn’t play fair, that might make people 1% less likely to pay. But it’ll boost your business personally by a lot more than 1%. Sure, you’ll be hurting all of the other scammers, but do you really give a damn about that?

Payment is by bitcoin, which for most practical purposes is anonymous and untraceable.

Not that I’ve deeply researched this but, from what I’ve read, you will probably get your data back if you pay up for the reasons stated above: the people running this malware want people to pay and news stories about organizations paying (and getting their data back) are good for business. Besides, there isn’t really a down side for them to give you the key. It’s not as though they have a vested interest in keeping your system locked beyond extorting money.

Bleeping Computer’s report on the Coverton malware sounds as though not getting your data back is pretty rare (in the general ransomware world) and that that particular failure to decrypt may be poor programming as much as malice.

I don’t have hard numbers but everything I’ve seen on ransomware has said that the majority of people who pay up get their data decrypted.

I don’t see how. If you have my data and I give you $300 and you say “Haha, loser”, I’m not likely to give you more money. But if you give me my data and, a year later, I get infected again I at least have reason to think that paying a second time makes sense. There isn’t really a way I see for you to make MORE money off me by refusing to unlock my data than you would by giving me the key.

It is absolutely illegal.

However, the people doing this are likely in Russia or Uzbekistan or Moldova some such place where it is nigh impossible to get to them for prosecution.

This is a common misunderstanding and completely not true. In fact, Bitcoin keeps a very clear transaction list of who has what (although you can use a pseudonym which obscures who you are but that is a poor way to remain anonymous). That is how it works and that list is public to anyone who wants to look at it.

To wit: Prosecutors Trace $13.4M in Bitcoins From the Silk Road to Ulbricht’s Laptop

If you wish to engage in anonymous Bitcoin trades you have to work at it assiduously and you HAVE to use something like TOR to even have a chance at it.

The attackers have two reasons not to play fair, in two different ways: First of all, it’s a lot easier to write code that will just trash the data completely than it is to actually encrypt it, but they look identical until you get the key (or not). So what’s to stop the attacker from just using a data-trasher and claiming that it’s encrypted?

Second, even if it is actually encrypted, what incentive does the attacker have for not doing it again the next month? Maybe you won’t fall for it again, but you certainly won’t fall for it again if they don’t try.

Yes, exactly, which is why the attackers won’t play fair. They’re going to keep on attacking you as long as you keep on paying, until eventually you get to the point where you can’t afford to pay any more. The net result is that once you’ve started down the road of paying them, the inevitable result is that you’re going to pay as much as you can possibly afford, and still lose your data.

Why would it boost their business to not release the files? It costs them nothing beyond the time to send you the decryption key, a tiny fraction of the total effort in running the scam. I don’t see much of a tragedy of the commons either. You can always Google-search the specific brand of ransomware that has your files, and see if that one has a reputation for delivering as advertised (even if some others don’t). Indeed, they’ll probably encourage you to do just that if you have doubts.

You could write “ransomware” that just overwrites all the files with garbage, and requests a ransom in exchange for a key that doesn’t exist. That’s almost as much work as writing real ransomware, though, for a lower payoff once it becomes well-known that any payments to your group get nothing in return.

There’s no reason to expect that paying once stops them from ransoming your files again later, if you give them the chance. If you don’t improve your security after the first incident, then by that point you almost deserve it (or at least, your IT staff deserve to get replaced). I guess you could ask for a frequent-shopper discount…

In any case, there’s no need to speculate. Almost all existing ransomware has been observed to deliver as promised, per others’ comments earlier.

Nothing, but after the first few people fall for it, some security researcher will reverse-engineer the malware and confirm that W32.FakeRansom.Scam irretrievably destroys your data. Then some tech journalist will write an article about that, and when you (or the IT guy you hired after you noticed the problem) Google “W32.FakeRansom.Scam”, you’ll discover that paying the ransom is pointless. At that point, their revenue goes way down.

It’s just not that much work to write a computer program that generates a key, encrypts files with it, and sends the key to your command-and-control server. In particular, that’s a lot less work than deploying your malware onto millions of computers. So for the incremental effort, you might as well do it “right”.

That makes no sense. If you keep being vulnerable, then you’re going to keep getting ransomed, regardless of whether you pay to decrypt your files, or restore them from a backup, or give up and recreate everything from scratch. The solution to that is to fix the vulnerability.

You seem to be hoping that if a particular victim gets a reputation for not paying, the scammers will leave him alone. That seems unlikely (a) because the ransomware is mostly distributed pretty indiscriminately, and there’s no reason to believe that the work to exclude known non-payers would be worth the trouble, (b) because many groups operate many kinds of ransomware, and I’m pretty sure they don’t share a “do not call list”, so that failing to pay one doesn’t protect you from all the others, and (c) because it’s in the scammers’ interest to punish non-cooperating victims, as a warning to other victims.

And again, there’s no need to speculate about what will happen here. Lots of ransomware is operating now, and for the most part, people who pay ransoms get what they pay for. I’m explaining why I think what’s happening does, not speculating on what will.

That would be true if there were many different operators (script kiddies) of ransomware, but I’m under the impression that ransomware was mostly operated by large-scale hacker organizations. I remember hearing an account of a ransomware victim, and it seemed like she was interacting with a call center (basically) in Russia who was helping her make the payment, and even decrypting some files as a show of good faith.

How the heck would anyone know what ransomware company they’re dealing with? Because they tell you? Right, because they’re obviously trustworthy. If there’s one Googleable ransomware company that really does decrypt the files, then what’s to stop all the rest from just claiming to be them?

And again, just decrypting the files isn’t playing fair. To truly play fair, the company would have to decrypt the files, and then remove their malware. Why would they do that?