Bottom line: Victims of ransomware attacks are typically advised not to pay the ransom demanded by cybercriminals. Paying up offers no guarantee that the attackers will uphold their end of the deal, like providing access to encrypted files.

GuidePoint Security recently acted as a "negotiator" between an unnamed company and the group behind the Hazard ransomware. The malware infected the victim's systems, encrypting "important" files and demanding payment to unlock them. The company reportedly felt compelled to pay, but the "decryptor" provided by the Hazard creators didn't work as expected.

While dealing with unreliable decryptors isn't common, GuidePoint explained, things in the malware world can sometimes behave unpredictably. After negotiating with the cybercriminals, the researchers were tasked with investigating why the newly acquired decryption tool was unable to restore the encrypted files.

The root cause was a bug in the encryption payload used by the Hazard ransomware. "A race-condition occurred when the threat actor executed multiple encryptors on the same system," GuidePoint determined. Each file was encrypted a second time before it had been renamed with its new extension, leaving bytes missing from the chunk of data appended to the end of the file.

The appended data was needed to recover the encryption initialization vector (IV), but its last three bytes were missing. Since the IV had been pseudo-randomly generated by the encryption payload, retrieving the missing bytes initially seemed impossible.

The ransomware creators were likely unaware of this bug in their malware. After identifying why the decryptor wasn't functioning, GuidePoint attempted to escalate the issue with the Hazard "technical support" team. However, the threat actors merely provided the same decrypting tool under a different name before disappearing.

As the encrypted files were valuable, GuidePoint was tasked with developing a working solution. The researchers succeeded by adopting a brute-force approach, testing all possible combinations for the missing bytes in the IV, ultimately recovering the clean files.
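The recovery described above and the IV footer described earlier come down to one idea: when a few bytes of the IV are gone, every value they could take is enumerated, and each candidate is accepted or rejected by trial-decrypting the start of the file and checking for the bytes a file of that type must begin with. Three missing bytes means 256^3, about 16.8 million, candidates. The following is an added example, not GuidePoint's tool or any Hazard code: the article does not name Hazard's cipher, so a SHA-256 counter-mode keystream stands in for it, the 16-byte IV length, the key, the IV and the "%PDF-1.7" sample file are constructed, and the demo loses two bytes rather than three so that it finishes in well under a second in pure Python (the `LOST_BYTES` parameter controls this).

```python
"""Added example: recover truncated IV bytes by exhaustive search (stand-in cipher)."""
import hashlib
import itertools
from typing import Optional, Tuple

IV_LEN = 16        # assumed IV length; the article only says the IV is appended to the file
LOST_BYTES = 2     # the article's case lost 3 bytes (2**24 candidates); 2 keeps the demo fast

# Constructed sample data, not taken from any real incident.
SAMPLE_KEY = b"\x01" * 32
SAMPLE_IV = bytes(range(IV_LEN))
SAMPLE_MAGIC = b"%PDF-1.7"
SAMPLE_PLAINTEXT = SAMPLE_MAGIC + b"\n% constructed document body\n" + b"x" * 64


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Keystream from key, IV and a block counter. A stand-in for the real cipher;
    the search below does not depend on which cipher is used."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; a stream cipher is symmetric."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


def encrypt_file(key: bytes, iv: bytes, plaintext: bytes, lost_bytes: int = 0) -> bytes:
    """Ciphertext followed by the IV footer, with the last `lost_bytes` of the IV
    dropped to mimic the damaged files the article describes."""
    assert 0 <= lost_bytes < IV_LEN
    return xor_stream(key, iv, plaintext) + iv[: IV_LEN - lost_bytes]


def split_blob(blob: bytes, lost_bytes: int) -> Tuple[bytes, bytes]:
    """Separate the ciphertext from the (partial) IV footer."""
    footer_len = IV_LEN - lost_bytes
    return blob[:-footer_len], blob[-footer_len:]


def recover_iv(key: bytes, blob: bytes, lost_bytes: int, known_prefix: bytes) -> Optional[bytes]:
    """Try every value for the missing IV bytes; accept the candidate whose trial
    decryption of the file header reproduces the expected magic bytes."""
    ciphertext, partial_iv = split_blob(blob, lost_bytes)
    head = ciphertext[: len(known_prefix)]
    for tail in itertools.product(range(256), repeat=lost_bytes):
        candidate = partial_iv + bytes(tail)
        if xor_stream(key, candidate, head) == known_prefix:
            return candidate
    return None  # no candidate fits: wrong key, wrong magic or more bytes lost than assumed


def recover_file(key: bytes, blob: bytes, lost_bytes: int, known_prefix: bytes) -> Optional[bytes]:
    """Full decryption once the IV has been reconstructed."""
    iv = recover_iv(key, blob, lost_bytes, known_prefix)
    if iv is None:
        return None
    ciphertext, _ = split_blob(blob, lost_bytes)
    return xor_stream(key, iv, ciphertext)


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Damage a constructed file the way the article describes, then repair it."""
    blob = encrypt_file(SAMPLE_KEY, SAMPLE_IV, SAMPLE_PLAINTEXT, LOST_BYTES)
    iv = recover_iv(SAMPLE_KEY, blob, LOST_BYTES, SAMPLE_MAGIC)
    plaintext = recover_file(SAMPLE_KEY, blob, LOST_BYTES, SAMPLE_MAGIC)
    return iv, plaintext


if __name__ == "__main__":
    recovered_iv, recovered = demo()
    print("IV recovered:", recovered_iv == SAMPLE_IV, "file recovered:", recovered == SAMPLE_PLAINTEXT)
```

The check against a known file-type signature is what makes the search terminate on the right answer rather than on any candidate: with an 8-byte magic and 2^24 candidates, an accidental match is vanishingly unlikely, and a file whose type is unknown can still be validated against structural properties such as a checksum or a container header. The same loop, with `LOST_BYTES = 3`, is the article's case; it would be written in a compiled language or parallelised for a fleet of files rather than run in pure Python.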

Costs associated with ransomware incidents are on the rise, and even "zombie" malware operations like LockBit 3.0 continue to claim victims. After dealing with a faulty decryption tool, GuidePoint emphasized that ransom payments should never be made. Adopting best practices for data backups is crucial, and even backing up encrypted data can be helpful in unique situations like the recently disclosed Hazard incident.

 
Backup.
Backup off-site.
Backup off-site in different location.
Restore from backups regularly.
Validate restored backups.

No backup is a backup until it's restored.
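The last two items on that checklist are the ones most often skipped, so here is an added Python example (not code from the thread or the article) of what "restore and validate" means in practice: a SHA-256 manifest is taken when the backup is made, the archive is later restored into a scratch directory, and every file is compared against the manifest. The sample directory, file names and contents are constructed for the demo; the `"data"` extraction filter is a real `tarfile` feature present in Python 3.12 and the patched maintenance releases, and the code falls back to the default on older interpreters.

```python
"""Added example: prove a backup restores intact before trusting it."""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of content, for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a gzip tarball of `source` and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def verify_restore(archive: Path, expected: Dict[str, str]) -> List[str]:
    """Restore into a scratch directory and compare with the manifest.
    An empty list means the backup restored exactly what was recorded."""
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" filter refuses members that would land outside dest;
            # interpreters without it (no tarfile.data_filter) use the default.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(dest, filter="data")
            else:
                tar.extractall(dest)
        restored = manifest(dest)
        for name, digest in sorted(expected.items()):
            if name not in restored:
                problems.append(f"missing after restore: {name}")
            elif restored[name] != digest:
                problems.append(f"content mismatch after restore: {name}")
        for name in sorted(restored.keys() - expected.keys()):
            problems.append(f"unexpected file in restore: {name}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample: a clean round trip, then a manifest that no longer
    matches the archive (what you see when the archived copy is not the file
    you believed you had backed up, e.g. it was already encrypted)."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "data"
        (src / "sub").mkdir(parents=True)
        (src / "notes.txt").write_bytes(b"quarterly figures\n")           # constructed
        (src / "sub" / "blob.bin").write_bytes(bytes(range(256)))          # constructed
        archive = root / "backup.tar.gz"
        expected = make_backup(src, archive)
        clean = verify_restore(archive, expected)
        stale = dict(expected)
        stale["notes.txt"] = hashlib.sha256(b"<ciphertext stand-in>").hexdigest()
        mismatched = verify_restore(archive, stale)
    return clean, mismatched


if __name__ == "__main__":
    clean, mismatched = demo()
    print("clean restore problems:", clean)
    print("mismatched restore problems:", mismatched)
```

Keeping the manifest somewhere the backup job cannot overwrite it is what turns this from a self-consistency check into a real one: if an intruder has been quietly encrypting files for weeks, as a later comment in this thread describes, the archives will restore "perfectly" to ciphertext, and only a manifest taken from known-good data will flag it.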
 
I went to a cybersecurity conference and you know what the industry professionals said in the ransomware panel?

Never involve law enforcement and always pay the ransom or you'll never get your data back. I found that rather unsatisfying; instead of focusing on proper backup methods, they pushed that narrative.

Then again, the speakers were much like the folks in this article, negotiators or mediators who represent you when dealing with the cyber scammers.
 
I went to a cybersecurity conference and you know what the industry professionals said in the ransomware panel?

Never involve law enforcement and always pay the ransom or you'll never get your data back. I found that rather unsatisfying; instead of focusing on proper backup methods, they pushed that narrative.

Then again, the speakers were much like the folks in this article, negotiators or mediators who represent you when dealing with the cyber scammers.

Or you know, they are probably the ones doing the encrypting. A bit like big pharma: cause the problem and sell the solution...
 
"We paid the criminals the ransom, the decryptor didn't fix it, and they've now run off with the money. Do these people have no shame or honesty??"

The irony writes itself; it's like a burglar saying he is only "borrowing" your things and you believe him...
 
I went to a cybersecurity conference and you know what the industry professionals said in the ransomware panel?

Never involve law enforcement and always pay the ransom or you'll never get your data back. I found that rather unsatisfying; instead of focusing on proper backup methods, they pushed that narrative.

Then again, the speakers were much like the folks in this article, negotiators or mediators who represent you when dealing with the cyber scammers.
Probably cyber-criminals themselves or working with them.
 
Or you know, they are probably the ones doing the encrypting. A bit like big pharma: cause the problem and sell the solution...

The truth is somewhere in the middle; there is the same idea about the safeguard security companies too.
 
Backup.
Backup off-site.
Backup off-site in different location.
Restore from backups regularly.
Validate restored backups.

No backup is a backup until it's restored.


The intruders get your data encrypted, and your backups have your backup encrypted... for days, even for months.

They ensure that you don't have backups before they turn the switch and you get a notification that you are hacked.


 
"We paid the criminals the ransom, the decryptor didn't fix it, and they've now run off with the money. Do these people have no shame or honesty??"

The irony writes itself; it's like a burglar saying he is only "borrowing" your things and you believe him...
Well yes. But if you think about it, it's in their interest to give decryption keys to victims who paid. If people see that they can get their data back by paying, they will.
 
As Forrest Gump might say "Stupid is as stupid does."
 
Probably cyber-criminals themselves or working with them.
I constantly tell people: two flash drives for bootable media, two external hard drives (one of them a drive that you never connect to your computer while it is connected to the internet), and True Image or some other comparable imaging software for creating backups. The reason for two flash drives and two external hard drives? You need two copies of a backup, one for each external hard drive, and because flash drives and hard drives fail, you need two, because two drives or flash drives never fail at the same time.
 
You pay for what you get. LOL
 