
RE: Matthew Rosenquist, Cybersecurity Strategist is on Steemit!

in #introduceyourself, 8 years ago (edited)

Hey @mrosenquist - great article; very insightful (and how about the beautiful Trevi Fountain in Rome? I was lucky enough to see it, too - but unfortunately at the time in late 2012, it was under serious renovation and it was partially covered in tarps.)

Anyway, I was wondering - given your experience - I'm assuming you've run into clients who have deployed some infamous Bitcoin-based ransomware within their network environment? Is there any plausible way to defeat this once it's been unleashed, or are you completely at the mercy of encryption? (other than restoring back-ups, of course.)

(and - full disclosure - I work in the IT field myself, and I was recently responsible for unleashing one within our company. Luckily we back everything up, so it really wasn't a big deal, but some of my clients who opened the infected e-mail from me were not so lucky.)


@internets you are asking a difficult but important question. Older versions of Ransomware were not coded very well. They were easily cracked by security researchers. However, in the past year the quality of the malicious code has significantly improved. That tends to happen when money is on the line. Modern variants of ransomware are very robust and manage asymmetric keys expertly. They are virtually impossible to break on the client side. It is possible if their Command and Control infrastructure is compromised or seized by authorities and the private keys are recovered. This happens, but not often enough.

A number of security organizations are now pooling their resources to create tools for keys which have been recovered. First you need to determine the variant a victim has (not that easy as they may claim to be something different) and then apply the private key in a way to recover files but not harm the system. The good news is, a site is now up to do both. Check out https://www.nomoreransom.org/

Again, they don't have the private keys for every variant, but victims might get lucky. They do have a checker to easily identify the variant. I know some of the researchers behind this site. They are from top security companies in the industry and are serious about addressing the scourge we call Ransomware. - Hope that helps.

Wow, thanks so much for the insight. I'm glad I asked.

So, once you run this software to check the variant of the key - it's simply a matter of deploying the key, and you're golden? I'm guessing there is a way to more or less brute force it by simply running a batch file of every key in possession? (which, I'm guessing, would also be just about instantaneous - once all the keys are compiled?)

Fortunately, I have never had to run the tool myself so I don't know how the decryption process works. But I imagine, due to the different ways ransomware can work, I assume the decryption process may differ between variants. Check out the How-To guides on the Tools page: https://www.nomoreransom.org/decryption-tools.html

Great, thanks - and thanks again for the input. I'll be looking forward to seeing more of your posts on here. Cheers!

@internets reach out any time! You can follow me on Steemit, Linked-In (where I tend to post throughout the day), and Twitter. Good luck with the ransomware recovery effort.