When Paying Ransom Fails: The Risks of Faulty Decryptors in Ransomware Attacks
September 26, 2024
Paying ransom to extortionists who have encrypted your files is bad enough, but as Jessica Lyons reports in The Register, it’s even worse when the decryptor they provide fails to unlock the files. Several firms have received faulty decryptors, including one that recently paid the Hazard ransomware group.
A ransomware negotiator from GuidePoint Security shared with Lyons the experience of dealing with two faulty decryption tools in just one week. After the attackers’ first tool failed to decrypt the company’s files, the criminals sent an updated version. Unfortunately, this new tool also didn’t work, prompting the company to turn to GuidePoint for assistance.
GuidePoint contacted the attackers’ “technical support” team to request another version of the decryptor. However, the criminals sent a renamed copy of the same ineffective decryptor instead of a functioning tool and then went silent.
According to the GuidePoint negotiator, the technical challenge was beyond the criminals’ capabilities. Eventually, GuidePoint developed a functional decryption tool, but the negotiator emphasized that this serves as a reminder: paying a ransom does not guarantee data recovery.
While some ransomware-as-a-service groups have technical support teams capable of advanced troubleshooting, newer and less experienced gangs often lack both the technical skills and the reputational concerns that would lead them to attempt sophisticated data recovery.
There are several reasons why decryption tools fail. In the case of the Hazard incident, the tool had a bug. Sometimes, attackers mistakenly provide a tool designed for the wrong IT environment. In rare cases, criminals may lose interest in decryption once the ransom is paid.
However, since ransomware is a business, most attackers aim to decrypt files to maintain their reputation. If they become known for failing to deliver after receiving payment, whether because of a faulty decryptor or for other reasons, their business suffers.