Ransomware Attack and how to decrypt your files without paying?

On May 12th, 2017 the cyber world witnessed one of the biggest attacks in the history of Internet. It was caused by a ransomware, going by the name of WannaCry which stormed through the Internet affecting almost every country with its epicenter being Europe.
This ransomware was developed to attack those systems running Windows OS. It was discovered by the NSA at first and then made publicly visible by the Shadow Brokers team.

What is a Ransomware?

It is a type of malicious software which carries out its attack from crypto virology because of which it blocks all the access to data in a system and demands a ransom to be paid through bitcoins in order to unlock the system and all the available data. They encrypt a user’s data, making them inaccessible and demand a ransom to be paid in order to decrypt them. It affects computers Master File Table or the entire hard drive. These attacks are carried out through a Trojan file which disguises itself as a legitimate file.

The current ransomware WannaCry spread throughout the Internet using the disguise of a Windows ‘Critical’ patch file that the company had released on March 14th, 2017. It attacked nearly 75000 users in over 99 countries and using 20 different languages to extract money from the users. Several large companies in Europe as well as hospitals and parts of British National Health Service were terribly affected. The ransomware creators have targeted their attack to anyone and everyone using Windows OS.

Why a ransomware mostly goes undetected by an anti-virus?
  • 1   Communication with Command & Control servers is encrypted and difficult to detect in network traffic;
    2.  It features built-in traffic anonymizers, like TOR and Bitcoin, to avoid tracking by law enforcement agencies and to receive ransom payments;
    3.      It uses anti-sandboxing mechanisms so that antivirus won’t pick it up;
    4.   It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals.
    5.      It features Fast Flux, another technique used to keep the source of the infection anonymous;
    6.    It deploys encrypted payloads which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold;
    7.   It has polymorphic behavior which gives it the ability to mutate enough to create a new variant, but not so much as to alter the malware’s function;
    8.     It has the ability to remain dormant – the ransomware can remain inactive on the system until the computer is at its most vulnerable moment and take advantage of that to strike fast and effectively.

How to decrypt your data without paying the ransom?

Cyber security researchers are working hard to derive solutions to the problems caused by the numerous types of Ransomware in the world. Unfortunately most of these have proven to be unbreakable. However there are still few of them with improper coding in the crypto ware strains which the researchers were able to crack.

There are a few ransomware decryption tools that can be used. However you need to identify the type of the ransomware that you have been attacked by before using them.

What do you do if your computer gets infected with ransomware: do you pay up or try to find an alternative solution?

As new types of ransomware emerge, researchers decrypt some strains and others get new variants. There are tens or hundreds of them. Just like in a cat and mouse game, the chase never stops.

Believe it or not, there is a silver lining to ransomware’s popularity: the quality of the malicious code is steadily decreasing. As a result, cyber security specialists can crack the code faster and give victims a change to retrieve their data without further funding attackers.

Unfortunately, low quality ransomware also endangers the affected data: one error in the code and it can all be erased instead of encrypted. But that’s rare.

      How to identify the ransomware you’ve been infected with?

Sometimes, the ransom note says what type of ransomware your files have been encrypted with, but it can happen that you don’t have this information at hand. Many of these extensions signaled new types of encrypting malware, for which there are no decryptors available.
If you need help with identifying what ransomware your system has been infected with, there are two tools you can use:

·         Crypto Sheriff from No More Ransom
·         ID Ransomware from MalwareHunter Team.

Getting back to our list of decryption tools…

As a disclaimer, you should know that the list below is just a starting point. Use it, but do a bit more research as well. Safely decrypting your data can be a nerve-wrecking process, so try to be as thorough as possible.

Some of the decryption tools mentioned below are easy to use, while others require a bit more tech knowledge to break. You can try asking for help on one of these malware removal forums, which feature tons of information and helpful communities.

·         OpenToYou decryption tools
·         Globe3 decryption tool
·         Dharma Decryptor
·         CryptON decryption tool
·         Alcatraz Decryptor tool // direct tool download
·         HiddenTear decryptor (Avast)
·         NoobCrypt decryptor (Avast)
·         CryptoMix/CryptoShield decryptor tool for offline key (Avast)
·         Damage ransomware decryption tool
·         .777 ransomware decrypting tool
·         7even-HONE$T decrypting tool
·         .8lock8 ransomware decrypting tool + explanations
·         7ev3n decrypting tool
·         Agent.iih decrypting tool (decrypted by the Rakhni Decryptor)
·         Alma decrypting tool
·         Al-Namrood decrypting tool
·         Alpha decrypting tool
·         AlphaLocker decrypting tool
·         Apocalypse decrypting tool
·         ApocalypseVM decrypting tool + alternative
·         Aura decrypting tool (decrypted by the Rakhni Decryptor)
·         AutoIt decrypting tool (decrypted by the Rannoh Decryptor)
·         Autolocky decrypting tool
·         Badblock decrypting tool + alternative 1
·         Bart decrypting tool
·         BitCryptor decrypting tool
·         BitStak decrypting tool
·         Chimera decrypting tool + alternative 1 + alternative 2
·         CoinVault decrypting tool
·         Cryaki decrypting tool (decrypted by the Rannoh Decryptor)
·         Crybola decrypting tool (decrypted by the Rannoh Decryptor)
·         CrypBoss decrypting tool
·         Crypren decrypting tool

·         Crypt38 decrypting tool