Ransomware gangs' slow decryptors prompt victims to seek alternatives


Level 62
Thread author
Top poster
Content Creator
Apr 24, 2016
Recently, two highly publicized ransomware victims received a decryptor that was too slow to make it effective in quickly restoring the victim's network.

The first was Colonial Pipeline, which paid a $4.4 million ransom for a decryptor after being attacked by the DarkSide ransomware operation.

However, the decryptor was so slow that the company resorted to restoring from backups.

"Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said," reported Bloomberg.

The more recent victim is HSE, the national healthcare system of Ireland, which was hit by a Conti ransomware attack but refused to pay a ransom.

Likely, realizing they made a mistake targeting a government agency, they released a free decryptor for the attack.

However, testing the decryptor found it too slow, so HSE worked with New Zealand cybersecurity firm Emsisoft to use their decryptor, which is allegedly twice as fast.
Emsisoft's Universal Decryptor

After learning about Emsisoft's decryptor, BleepingComputer reached out to Emsisoft CTO Fabian Wosar to learn more about how HSE was using it.

While Wosar refused to share information about their work with HSE, he explained that they created their 'Universal Decryptor' after that ransomware operations do a horrible job when decrypting files.

For example, Ryuk ransomware's decryptor was known to have problems decrypting large files, leading to data corruption. Similarly, a bug in Babuk Locker's decryptor caused data loss when decrypting ESXi servers.

In addition to the bugs, Wosar told BleepingComputer that ransomware operations' decryptors are "atrociously slow", which makes them a lot less effective than restoring files from backups.

While Emsisoft's decryptor was designed for data safety, it is also much faster than ransomware gang's decryptors. Since the tool comes from a well-known and respected cybersecurity company, it also eliminates the need to check the threat actor's decryptor for malicious behavior.

"We usually cut days off. Because no reversing needed to make sure it's safe, no backups that need to be done first, easier deployment, better logs, and ultimately we end up being much, much faster," Wosar told BleepingComputer.

Wosar also stated that it is not unheard of for victims to be affected by multiple ransomware attacks simultaneously, which prompted Emsisoft to adapt their decryptor to be able to load in multiple decryption keys from different ransomware families and decrypt the files in one go.

"More than 50 ransomware families and major variants are supported by the decryptor," explained Wosar.
Read the full story and test of Emsisoft's decrypter here at Bleeping Computer: