Tech Vendors, Law Enforcement Team to Take on Ransomware
Intel Security and Kaspersky Labs worked with international law enforcement agencies on a website that offers decryption keys for several variants of ransomware.
Microsoft and the FBI in 2013 joined forces to break up a nasty botnet called Citadel that stole more than $500 million from bank accounts in multiple countries. Police forces, tech companies and banking organizations in 80 countries participated in the effort to take down the botnet.
With cybercriminals becoming more sophisticated in how they run their operations, such joint efforts between law enforcement agencies and security researchers will become increasingly necessary, said Jornt van der Wiel, a security researcher with the Global Research and Analysis Team, Kaspersky Lab.
Kaspersky has teamed up with Intel Security, Europol and the Dutch National Police to launch an online portal called No More Ransom that both aims to inform the public about ransomware and to help some ransomware victims recover their data without paying ransoms.
"The police cannot fight cybercrime, and ransomware in particular, on its own. And security researchers cannot do it without support from law enforcement agencies," van der Wiel said. "The fight against ransomware requires a joint effort."
The sharing of information is the key to success for the project, he said. "Every party holds a few pieces of the puzzle."
Fighting Shade, Wildfire and Other Ransomware
In another notable example of public/private sector cooperation, researchers from Kaspersky Lab and Intel Security helped Europol and the Dutch National High Tech Crime Unit identify the command-and-control server used by criminals to store information used to create "Shade," a strain of ransomware that has been in circulation since 2014. The agencies seized the server and shared the information with Kaspersky Lab and Intel Security, which then created a decryption tool that victims can download from the No More Ransom portal to retrieve their data without paying the criminals. The tool contains more than 160,000 keys.
"Following our first success story, we continue to share information and are actively working on a number of other cases," van der Wiel said.
The most recent success, announced earlier this week, is the release of a decryption tool for Wildfire, ransomware that primarily targets Dutch speakers through spam emails purportedly from transport companies.
Writing on the McAfee Labs blog, Christiaan Beek and Raj Samani, both with Intel Security, said, "The actors behind Wildfire have clearly put a lot of effort into making their spam mails look credible and very specific." In another sign of sophistication, the control server was hosted on the Dark web. "We believe that the actors did this to avoid the detection of search bots and having the site appear in popular search engines, and to be as stealthy as possible when accessing their services," Beek and Samani wrote.
According to their post, the Wildfire campaign infected some 5,300 systems in the past 31 days, for a total payout of 70,332 euros (U.S. $79,345).
The researchers suspect an Eastern European group is behind the campaign, using ransomware-as-a-service. "It is worrisome to see large-scale extortion by ransomware made easily available to so many criminals," they wrote.
Because multiple organizations and law enforcement agencies have expressed interest in becoming part of the No More Ransom initiative, Kaspersky and its partners "expect our initiative to expand soon," van der Wiel said.
The No More Ransom portal currently offers seven free decryption tools for different types of malware, including Chimera, Teslacrypt and, most recently, Wildfire. The partners will add more tools as they become available, van der Wiel said. The site also offers advice on ransomware prevention and how to report ransomware attacks to authorities in the U.S. and Europe.
"Initiatives like the No More Ransom project show that linking expertise and joining forces is the way to go in the successful fight against cybercrime," said Wil van Gemert, Europol deputy director of Operations. "We expect to help many people to recover control over their files, while raising awareness and educating the population on how to maintain their devices clean from malware."
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.