Ransomware Decryption Intelligence

Ransomware continues to be the most profitable method of monetising unauthorised access to compromised networks. It is the biggest threat to private and public sector organisations, large and small. In the last three years, we have seen hundreds of hospitals hit by ransomware, as well as other critical infrastructure sector organisations, such as the Colonial Pipeline or JBS Foods. Slowing the ransomware epidemic requires a multi-pronged approach. This includes arrests, action against illicit cryptocurrency transactions, sanctions, and - the topic of this blog - decryption.

By reverse engineering the encryption implementation utilised by a ransomware variant, researchers can exploit a cryptographic flaw to decrypt ransomware. This makes it possible to recover files without paying a ransom for the decryption keys. When the ransomware group eventually realises, or learns via public reports, that their ransomware is fundamentally flawed, they often either abandon it, fix the flaw, or start fresh with a rebrand.

Four scenarios of how ransomware variants are decrypted are outlined below:

Scenario 1

  • A researcher figures out how to decrypt a ransomware variant
  • The flaw in the ransomware is disclosed publicly via a free decryption tool
  • Victims can recover files locked by the ransomware variant with the encryption flaw
  • The ransomware operators notice the flaw and fix the issue (sometimes in <24 hrs)
  • Ransomware gang continues attacks

Scenario 2

  • A researcher figures out how to decrypt a ransomware variant
  • They inform LEAs, IR firms, negotiators, CERTs, ISACs, or other NGOs
  • Using these intelligence sharing avenues, the decryption tool for the ransomware can be passed to victims who can recover their files without paying the ransom
  • The ransomware gang loses money they would have got from the victim for the decryption keys
  • Eventually, the ransomware gang may realise that a low % of victims are paying ransoms for decryption keys
  • If the ransomware gang fixes the issue in the encryption, the decryption tool can be released publicly

Scenario 3

  • The ransomware gang goes bust or retires and decides to release the decryption keys for free for all victims
  • Researchers produce a public & free decryption tool using the keys
  • Victims who were encrypted by the ransomware can recover locked files

Scenario 4

  • A victim organisation is hit by ransomware 
  • The ransomware gang has been inside the network for some time and has access to communications inside the victim organisation 
  • The victim calls an IR firm to respond to the ransomware attack
  • The IR firm lets the victim know it is possible to decrypt the ransomware
  • The ransomware gang who is still in the network is able to intercept communications between the victim and the IR firm
  • The ransomware gang learn that a secret decryption tool is available, so they figure out the issue and fix it 
  • The decryption tool is now made public 
  • The ransomware gang continues campaigns without needing to worry as much about a decryption tool preventing them from getting a ransom (unless there are multiple vulnerabilities in the ransomware)

Scenario 5

  • A third party (LEA or otherwise) obtains the decryption keys via interdiction
  • A public & free decryption tool is released using the obtained decryption keys
  • Victims who were encrypted by the ransomware can recover locked files

Real world cases

In October 2019, victims of Nemty ransomware attacks could rejoice after researchers successfully reverse engineered three versions of the malware and could decrypt locked files. After several months, the Nemty operators decided to close the Ransomware-as-a-Service (RaaS) in April 2020. In a post to a Russian-speaking cybercrime forum, the Nemty operators said they were shutting down and going private. Despite the victory over Nemty, the ransomware developers later returned with a new variant, called Nefilim, for 'big game hunting' campaigns against large organisations. No decryptors have been made available for Nefilim and new research suggests that the ransomware operators have since rebranded again to Karma ransomware. [1, 2, 3]

In January 2021, one group of researchers discovered a DarkSide decryption flaw and decided to make a free and public tool for victims. The DarkSide operators downloaded the free tool and, in less than 24 hrs, announced they had patched the flaw in the ransomware. The first researchers may not have been aware, however, that other reverse engineers also knew about the flaw and were able to help victims recover without alerting the DarkSide gang. Unfortunately, a few months after the free decryption tool was released and the cryptographic flaw was patched, DarkSide hit the Colonial Pipeline, causing a fuel crisis in the US. Had the decryption tool not been made public at that time, there may potentially have been a scenario in which the researchers could have assisted the FBI in decrypting DarkSide without paying the ransom, averting the fuel crisis. [1, 2, 3, 4]

In June 2021, the group behind the Avaddon RaaS platform ceased operations and released 2,934 decryption keys, where each key reportedly corresponds to a specific victim. However, this number is much higher than the number of victims leaked to Avaddon's darknet leak site, at over 180 (source). It is not clear why Avaddon closed shop, but it is not uncommon for ransomware groups to abruptly stop campaigns (see MAZE, Egregor, GandCrab). The number of keys versus the number of victims leaked to Avaddon's Tor site also highlights that our visibility into ransomware campaigns is foggy. Each of the 40 (or so) groups that has a darknet leak blog is also likely launching much larger campaigns than the number of leaks lets on. [1, 2, 3, 4]

In July 2021, the remote monitoring and management (RMM) tool, Kaseya VSA, used by dozens of MSPs worldwide, was hit by a supply-chain ransomware attack. The perpetrators responsible for the attack, known as REvil (or Sodinokibi), demanded a $70 million ransom, but disappeared shortly after the announcement on their 'Happy Blog' darknet leak site. It was later revealed by the press that the FBI reportedly compromised the group’s servers, stole the master keys, and was able to decrypt all victims of the Kaseya attack as well as those before it. However, REvil somehow figured out there were intruders on the system and disappeared. Unfortunately, the FBI (which was trying to disrupt or potentially catch REvil) is currently in legal trouble for holding onto the master keys for up to three weeks following the Kaseya attack, which caused major business disruption to MSPs and their clients worldwide. A decryptor for versions of REvil before the Kaseya attack has since been made publicly available. [1, 2, 3, 4]

In one undisclosed scenario, a top-tier ransomware family currently has a cryptographic flaw and has been decrypted by researchers, and for several weeks, researchers have been able to help victims avoid paying a ransom, including those in the critical infrastructure sector. However, one of the victims’ IR companies that the researchers worked with spoke about the decryption with the victim - on the victim’s infrastructure - which was still compromised and owned by the threat actors. The ransomware gang potentially found out that there was a decryption tool and, again, within 24 hrs made changes to the ransomware’s code to make decryption a lot more difficult, but still possible - as they fortunately did not learn about the cryptographic flaw itself. This ransomware group remains at large.

Rebranded Ransomware Examples:

  • GandCrab → REvil
  • BitPaymer → DoppelPaymer → Grief
  • WastedLocker → Hades → Phoenix → Macaw
  • Maze → Sekhmet → Egregor
  • DarkSide → BlackMatter 
  • Defray777 → RansomEXX
  • MountLocker → AstroLocker → XingLocker
  • Babuk → Payload.bin → Groove
  • SynACK → El_Cometa
  • Prometheus → Spook
  • Nemty → Nefilim → Karma

How to share intelligence 

Researchers who find flaws in ransomware cryptography should seriously consider taking the intelligence sharing route to confidentially inform those who need to know about an exploitable vulnerability. It cannot be stressed enough that this is a rare upper hand in the never-ending battle that is the current ransomware epidemic. The problem is, not all researchers or reverse engineers are intelligence analysts. They may not even know the implications of what they have found, like how much money it could save a victim or how many ransoms they could cost cybercriminals.

The key components of sharing this type of intelligence (a cryptographic flaw in a ransomware family) include having the right connections and contacts at law enforcement agencies (LEAs) or incident response firms; getting the information to the right people (the victim organisations); the timeliness of the intelligence (before they fix the flaw); and securely relaying the information (preventing interception or leaks).

How not to share intelligence:

One mistake that I have seen happen time and again is that a researcher who finds a cryptographic flaw in a ransomware family will go public with the details without warning and, in doing so, alerts the ransomware operators to the issue (because they are on social media too, guys). Although the researcher means well, they just gave away the one advantage we had over a ransomware campaign. The problem is, while researchers may think they are very smart and talented for finding the issue, the chances are someone else may have found it too and is effectively able to decrypt it for victims covertly without tipping off the ransomware operators. It is just that they have not publicly disclosed the information to social media or via a blog or to journalists. Once the flaw in the ransomware has been patched by the operators (or they’ve hopefully gone bust) it is then completely reasonable (and very helpful) to publicly disclose the vulnerability and make a free decryption tool publicly available.

A noteworthy anecdote of mine on this topic is that one of my contacts (who works in ransomware incident response cases) once said that when they started the kick-off call with a new victim company, the video call meeting link was sent via email (which the ransomware operators had access to) because they were still in the network. One thing led to another and a ransomware operator joined the meeting and silently listened to the victim organisation’s IT team and IR firm talk about how to approach the situation. The ransomware operator later exploited the information (such as insurance policies) they took from the call during the negotiation phase with the victim. Therefore, victims and incident responders should move conversations about the response to secure external channels of communication to avoid this.

Quick Recap

  • Tipping off a ransomware gang could lead to them quickly fixing the issue and victims losing the ability to avoid paying a ransom for the decryption keys
  • Ransomware is a billion dollar industry (source); we should impose cost by decrypting the ransomware
  • If we can avoid paying ransoms, ransomware becomes unprofitable 
  • Releasing decryptors prematurely can lead to rebrands and new campaigns

Conclusions

  • Intelligence sharing is hugely beneficial - it saves victims & costs the ransomware gangs money
  • If at all possible security researchers should make contacts with LEAs, cybersecurity vendors, other respected researchers (1, 2), CERTs, ISACs, IR firms, or negotiation firms - social media and public forums should be a last resort
  • To deal with this ransomware epidemic we need to impose cost and ideally stop paying ransoms; we need to make ransomware as unprofitable as possible
  • In some infrequent cases, researchers should stop the glory hunting/clout chasing and marketing/sales/executives need to stop leveraging critical intel for advertising campaigns - it may do more harm than good
  • While prematurely disclosing the flaw in a ransomware might be considered an intelligence failure, being able to decrypt all previous versions of a ransomware is still a victory - victims are often reminded to hold on to encrypted files as a decryption tool may be made available at a later date
  • This same logic discussed in this blog applies for other aspects of ransomware campaigns - such as locating servers of exfiltrated data, finding real IP addresses of Tor sites, or finding potential identities of ransomware operators
  • One final thing worth remembering, like any type of serious and organised crime, costing them money could very well lead to threats to life of the researchers themselves 
