Network security admins all share the same fear: Friday afternoon at about 4:30pm, tech support gets a call that a computer is acting strange, with files and folders not opening properly. When they respond to the call, they find a ransom note!

But before you think about paying a ransom after a security breach, consider using a ransomware decryptor.

Numerous reputable sources have now released keys for various strains of ransomware, and the resulting ransomware decryptors are relatively easy to use.

For instance:

NoMoreRansom.org offers more than 160 ransomware decryptors and can help unlock REvil, Hive, MegaLocker, Maze, and many more.

Heimdal Security and BitDefender also provide long lists of decryptors. 

CISA provides a recovery script for the ESXiArgs ransomware that was making global news last month. 

Kaspersky also offers decryption help, including its recently updated tool for Conti ransomware.

Before leveraging these decryptors, it’s important to note that outcomes may vary. Various threat groups may leverage the same ransomware, but subtle changes made to the payload or different private keys may alter the efficacy of the decryptor. Nonetheless, it’s still worth the effort to try a decryptor as your first course of action.

Testing tools and PoCs

Think of ransomware as a bullet; the gun may still be within your systems and network, so decrypting affected files is only half the battle. Therefore, any attempt to use a ransomware decryptor should be made in an isolated environment, where its effectiveness can be confirmed before the results are trusted.

Users of these tools should also carefully read and follow the directions exactly as outlined by the providing organization. Do not attempt to handle ransomware payloads on any system that may be connected to organizational resources.

All testing with live payloads (absent an attack) should be conducted by trained professionals in a completely isolated and disposable environment.
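One way to confirm a decryptor's effectiveness on its output before restoring anything, as an added example that is not part of the original post: check each file's leading bytes against the signature expected for its extension, and flag files that still look like ciphertext by their byte entropy. The signature table, the entropy threshold and the sample files are constructed assumptions for illustration.

```python
import math
import tempfile
from pathlib import Path

# Expected leading bytes for a few common file types (assumed table; extend for your estate).
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; values close to 8.0 look like ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_file(path: Path, sample_size: int = 4096, threshold: float = 7.5) -> str:
    """Verdict for one file the decryptor claims to have restored."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    expected = MAGIC.get(path.suffix.lower())
    # Signature first: compressed formats (docx, zip) have high-entropy bodies, so entropy alone would wrongly flag them.
    if expected is not None and head.startswith(expected):
        return "ok"
    if shannon_entropy(head) >= threshold:
        return "still-encrypted"
    return "unverified" if expected is None else "mismatch"

def audit_decryptor_output(root: Path) -> dict:
    """Map each file under root to its verdict; review anything that is not 'ok' before restoring."""
    return {p.name: classify_file(p) for p in sorted(root.rglob("*")) if p.is_file()}

def build_sample_dir() -> Path:
    """Constructed sample output: a restored PDF, a docx, a still-encrypted PDF and a text file."""
    root = Path(tempfile.mkdtemp(prefix="decryptor-audit-"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"plain text body " * 64)
    (root / "memo.docx").write_bytes(b"PK\x03\x04" + bytes(range(256)) * 8)  # compressed-looking body
    (root / "budget.pdf").write_bytes(bytes(range(256)) * 16)  # uniform bytes stand in for ciphertext
    (root / "notes.txt").write_bytes(b"todo list\n" * 40)
    return root

if __name__ == "__main__":
    for name, verdict in audit_decryptor_output(build_sample_dir()).items():
        print(f"{verdict:16} {name}")
```

Run it against a copy of the decryptor's output in the isolated test environment; only a clean audit justifies repeating the run on production data.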

Recommendations for handling a ransomware attack

Engineering recommendations:

  • Disconnect infected computers from the network or isolate with endpoint detection and response technology
  • Reset administrator credentials
  • Locate all backups and prepare to restore data – be cognizant of forensic collection before wiping and reimaging affected systems
  • Check for a ransomware recovery script or decryptor

Leadership / program recommendations:

  • Contact your Incident Response provider
  • Contact your cyber insurance carrier
  • Notify your legal counsel as soon as possible
  • Implement routine testing of an IR program with tabletop exercises
  • Review IR plans and procedures on a scheduled basis and, if applicable, following an incident

Helpful ransomware decryption resources

There are many excellent decryption resources available. Evaluate each solution, weighing it against the specific needs of your organization.

Resources list:

  1. https://www.nomoreransom.org/en/decryption-tools.html
  2. https://heimdalsecurity.com/blog/ransomware-decryption-tools/
  3. https://www.cisa.gov/stopransomware/ransomware-guide
  4. https://www.bitdefender.com/blog/labs/tag/free-tools/
  5. https://www.upguard.com/blog/how-to-decrypt-ransomware
  6. https://www.cisa.gov/news-events/alerts/2021/06/30/cisas-cset-tool-sets-sights-ransomware-threat
  7. https://github.com/cisagov/ESXiArgs-Recover#usage