How to Decrypt Ransomware Files – And What to Do When That Fails
For any organization struck by ransomware, business leaders always ask “how do we decrypt the data ASAP, so we can get back in business?” The good news is that ransomware files can be decrypted:
The bad news is that decryption often doesn’t work, so the best option for recovery will always be the availability of sufficient, isolated data backups and a practiced restoration process. Once the attack occurs, the organization needs to simultaneously summon an incident response team and block the attack from progressing further. Only then can the organization proceed with the difficult tasks of decryption and recovery.
Ransomware encryption works like any other encryption, except that the keys are controlled by the ransomware gang. The encrypting software takes the bits of the file and scrambles them with a cipher driven by an encryption key. The same keys can also be used to decode the encryption and restore the file’s usability.
Some ransomware strains use standard encryption or compression tools, such as 7-Zip and WinRAR, while others create their own encryption tools, which may encrypt only part of each file to speed up the process.
In either case, the encryption tool sends the randomly generated encryption key to the ransomware gang. If the victim pays the ransom, that random key is sent back to the victim along with a decryption tool to restore the files.
The criminal and high-tech nature of ransomware requires special handling. Calls to people inside and outside the organization may be needed to address the issues a ransomware attack raises, and those calls need to be made early in the process because ransomware triggers special circumstances.
Call #1: Cybersecurity insurance provider: If reimbursement will be needed, immediately call the cyber insurance company that issued the organization’s cybersecurity policy. Most insurers require specific incident response vendors, procedures, and reporting, and those requirements must be met for the incident to be covered.
Insured companies often will not have options. Instead, the cybersecurity insurance company will take full control, and the insured company will need to follow instructions.
Call #2: Call an Incident Response Team: Next, call the incident response team recommended by the cybersecurity insurance company, a vendor, or the internal team responsible for IT security incident containment and recovery. Internal incident response teams usually handle smaller ransomware attacks, but large-scale attacks will require additional resources. Typically, the fastest way to recover is to call an MSSP, incident response specialist, or ransomware recovery specialist.
Call #3: Call Stakeholders: For significant and widespread ransomware attacks, executives, legal counsel, and law enforcement such as the local FBI office or police should also be on the incident response phone list for early contact.
While law enforcement may not help directly during the attack, the FBI has helped to seize ransom payments for victims. Additionally, law enforcement can help prevent an organization from accidentally making illegal payments to entities sanctioned by the US Treasury.
Whether handing off recovery to the insurance company, paid incident response professionals, or attempting recovery in-house, the next steps will generally be the same:
Note that decryption is not a consideration until at least step three because the IT team cannot safely attempt any decryption without stopping the spread of ransomware or blocking access that attackers might use to interfere with recovery. These steps are covered in more depth in How to Recover From a Ransomware Attack, so for now, we’ll simply presume the attackers and malware are under control.
Once the systems have been isolated and the ransomware removed, we can examine the encrypted files and attempt decryption. The first step is to determine the type of ransomware infecting the system, which determines what types of decryption tools may be available. Decryption tools fall into the following general categories:
Each type of tool will have pros, cons, likelihood of success, and cautions.
To know what options are available for a specific infection, the ransomware recovery team will need to inspect the encrypted files and the ransomware messages.
Most ransomware attackers will be obvious and leave a ransom note that names the ransomware strain and gives instructions for how to contact the ransomware group. However, recently some companies have suffered attacks from multiple ransomware gangs simultaneously, so incident recovery teams will need to check each machine separately and verify the infections.
The file extensions of the encrypted files will also provide a clue. Incident response teams can use a search engine to look up the file extension and ransomware name to see what decryptors might be available. For example, files with the following extensions are signs of attack from BTCWare, which has a free decryptor: btcware, cryptobyte, cryptowin, theva, onyon.
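The identification step above, as an added example that is not from the article: a read-only triage script that walks a file tree, maps encrypted-file extensions to the family they point to, flags when more than one family is present on the same host, and lists ransom-note candidates to read next. The BTCWare extensions are the article’s; the ExampleFamily entry, the ordinary-extension baseline, the ransom-note name hints and the sample tree are constructed assumptions.

```python
import os
import tempfile
from collections import Counter

# Extension -> family. The BTCWare entries come from the article; the
# "examplelock" entry is a constructed placeholder standing in for a second
# family that a real lookup table would carry.
KNOWN_EXTENSIONS = {"btcware": "BTCWare", "cryptobyte": "BTCWare",
                    "cryptowin": "BTCWare", "theva": "BTCWare", "onyon": "BTCWare",
                    "examplelock": "ExampleFamily (placeholder)"}
# Extensions treated as ordinary business files (assumed baseline).
ORDINARY = {"docx", "xlsx", "pdf", "txt", "jpg", "png", "exe", "dll", "log"}
# Name fragments typical of ransom notes (heuristic, not a signature).
NOTE_HINTS = ("decrypt", "readme", "restore", "recover")

def triage_tree(root):
    """Read-only walk: count files per suspected family, collect extensions
    nothing explains, and list ransom-note candidates to read next."""
    families, unknown, notes = Counter(), Counter(), []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            ext = lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in ("txt", "html", "hta") and any(h in lower for h in NOTE_HINTS):
                notes.append(os.path.join(dirpath, name))
            elif ext in KNOWN_EXTENSIONS:
                families[KNOWN_EXTENSIONS[ext]] += 1
            elif ext and ext not in ORDINARY:
                unknown[ext] += 1
    return {"families": dict(families), "unknown_extensions": dict(unknown),
            "ransom_notes": sorted(notes), "multiple_families": len(families) > 1}

def build_sample_tree():
    """Constructed host image: two shares, one of them hit by two families."""
    root = tempfile.mkdtemp()
    layout = {"hr/report.docx.btcware": b"", "hr/budget.xlsx.onyon": b"",
              "hr/HOW_TO_DECRYPT.txt": b"pay us", "hr/invoice.pdf": b"",
              "eng/design.png.examplelock": b"", "eng/notes.txt.zzz": b"",
              "eng/build.log": b""}
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root
```

Unknown extensions are the ones to look up next; a second family on the same host is the multi-gang case the article warns about.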
Note that some ransomware attacks lock the screen of the machine, which would require a completely different method of recovery.
The ransomware attackers will always encourage paying the ransom to obtain their decryption tool. However, law enforcement will always discourage paying ransoms and supporting criminal activity.
Ultimately, each organization will need to decide for themselves the morality of paying for a ransomware decryptor. However, there are also practical reasons to be extremely cautious.
First, ransomware decryptors don’t always work. IT teams need to research the reputation of the ransomware attackers to understand how likely the tool is to work.
Additionally, keep in mind that these criminal gangs do not have the best interest of their victims in mind when they create these software packages. Ransomware decryptors can potentially load other malware, drop back doors, or add new users to systems as they process the decryption.
Even if the attackers’ decryptor works, IT recovery teams will need to perform thorough scans of the systems to ensure no additional vulnerabilities were introduced. Done correctly, this process will be extremely time-consuming and possibly very expensive.
It is always tempting to try to solve our problems for free, but sometimes free software is worth exactly what we paid for it, or less. When considering a free tool, it is worth investigating the reputation of the person or organization that developed it and the reputation of the source providing information on the tool.
Some tools will be generated by reputable security researchers or anti-malware companies and be promoted on reputable security news websites. Other tools might have mystery creators, so it can’t be ruled out that the tool has been created by ransomware gangs or other malware creators.
Even if the tool is 100% legitimate, it still may only work on certain versions of the ransomware or have other limitations. Lastly, free tools will probably have limited support available to help users with their issues.
Some representative examples of free tools:
It may be useful to note that company policy may prevent the use of some free tools. For example, the reputable Kaspersky anti-malware company might offer legitimate anti-ransomware tools suitable for many organizations, but their Russian headquarters may cause hesitation over concerns related to the invasion of Ukraine or concerns of spyware.
Many vendors offer software that organizations can buy to recover from ransomware attacks. As with free software, the reputation of the company producing the software will be a huge consideration prior to the purchase.
However, even the best ransomware removal tools cannot guarantee they will be able to decrypt ransomware files, and often, they work primarily as a preventative method. IT recovery teams should check with the software vendor to see if their tool can decrypt the specific ransomware used in the attack before investing in decryption tools.
On the plus side, for-pay ransomware tools usually come with support personnel who can actively help incident response teams when they encounter difficulty.
When asked to perform decryption, incident recovery teams need to set expectations with company executives. Executives and incident response teams need to prepare alternative solutions during the decryption process in case the decryption is unsuccessful.
In addition to expectations for recovery, incident response teams need to prepare executives for other issues that may complicate, slow, or prevent recovery of encrypted data such as: safe mode infections, hands-on recovery requirements, slow decryption, or corrupted files.
The honest answer is “probably not.” Many people have a poor understanding of statistics and feel that even a “25% chance” of recovery means that a competent person will be able to execute decryption. Unfortunately, even the most skilled incident recovery specialist may be unable to decrypt ransomware files under a broad range of circumstances.
Additionally, multiple attacks are possible, so even the successful decryption of one ransomware attack might reveal files encrypted from a prior attack that now require a completely different decryption tool. Finally, decryption of local files does not solve the problem of possible extortion related to data leaks of exfiltrated files from the attack.
To avoid malware that loads during a normal startup, incident responders may want to start the operating system in Safe Mode. This often helps incident response teams clean the machine safely.
However, advanced ransomware attacks understand this process and may take alternative measures to maintain persistence. For example:
In our remote-access world, it may be tempting to attempt to recover from the ransomware attack using remote-access tools. However, this also keeps the computer available for remote access for attackers.
It is better to fully isolate the device from networks and the internet to ensure no access was overlooked. Of course, this also means a technician needs to be physically present to access the device, which adds cost and time to the process, but ultimately it may be required under most circumstances.
Decryption takes a long time to execute, and even the official decryption solution from the ransomware gang may not work efficiently. In two notable attacks, the victims started trying to use the ransomware gang’s tool but ultimately needed to switch to an alternative because the process was so slow:
Of course, even after investing significant time in the decryption process, a successful decryption may discover files have been corrupted in the encryption process.
Researchers found that some ransomware creators have developed new options for attackers to corrupt data instead of encrypting it. Encryption takes significant time and newer endpoint detection tools can send alerts on encryption activity.
The new option still exfiltrates the data but then begins to copy blocks of data from the middle of exfiltrated files over other randomly selected files. Ordinary file-write activity does not trigger these alerts, and the combined exfiltration and corruption leaves the attacker as the sole owner of the uncorrupted data.
Should attackers use this option, victims lose the possibility of decryption and can only buy back their data from the attackers or restore from backups.
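An added example, not from the article, for the two failure modes just described (a decryption that finishes but leaves corrupted files, and files deliberately corrupted by overwritten blocks): it checks decrypted or restored files against a pre-attack SHA-256 manifest and separates files that are intact, still encrypted, corrupted, or missing, so the recovery team knows what it really has before declaring success. The manifest format, the entropy threshold and the sample files are constructed for the example.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Bits of entropy per byte above which a file is treated as still encrypted;
# a heuristic threshold chosen for this example, not a published constant.
ENCRYPTED_ENTROPY = 7.5

def shannon_entropy(data):
    """Bits of entropy per byte (about 8.0 for ciphertext, 4-5 for text)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def verify_restored(root, manifest):
    """Compare each restored file with its pre-attack SHA-256 from the manifest."""
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            results[rel] = "missing"
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() == expected:
            results[rel] = "verified"
        elif shannon_entropy(data[:1 << 20]) >= ENCRYPTED_ENTROPY:
            results[rel] = "still_encrypted"      # random-looking: decryptor skipped it
        else:
            results[rel] = "corrupted"            # ordinary-looking but not the original
    return results

def build_sample():
    """Constructed scenario: a pre-attack manifest and four post-decryption outcomes."""
    root = tempfile.mkdtemp()
    original = {"ok.txt": b"quarterly figures\n" * 200, "corrupt.txt": b"customer list\n" * 200,
                "enc.txt": b"board minutes\n" * 200, "gone.txt": b"never restored\n"}
    manifest = {rel: hashlib.sha256(d).hexdigest() for rel, d in original.items()}
    damaged = bytearray(original["corrupt.txt"])
    damaged[1000:1500] = original["ok.txt"][:500]   # block copied in from another file
    after = {"ok.txt": original["ok.txt"], "corrupt.txt": bytes(damaged),
             "enc.txt": os.urandom(2600)}           # enc.txt was never decrypted
    for rel, data in after.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root, manifest
```

A pre-attack hash manifest (or backup catalogue) is what makes the "corrupted" verdict possible; without one, a same-size, normal-looking file cannot be told apart from the original.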
It would be irresponsible to suggest that ransomware-encrypted files can be regularly or easily decrypted. While difficult, an organization can look for potential solutions to decrypt their ransomware-affected files with professional decryption tools, freeware tools, or as a last resort, paying the ransomware gang for the decrypting software. The success rate for decryption tends to be low, but an organization can get lucky.
Organizations also need to keep in mind that some sophisticated ransomware attackers pose an even larger risk than simple ransomware encryption. Incident response professionals should be deployed to ensure the attacker’s access to company systems has been found and eliminated to prevent future attacks.
Organizations that do not want to rely on luck need to prepare in advance for potential ransomware attacks with appropriate security tools, security monitoring, and robust backup procedures. Fortunately, there are many security tools and service providers ready and able to help prepare and minimize the impact of a successful attack.