Law enforcement and IT security companies join forces to fight ransomware

Today, the Dutch National Police, Europol, Intel Security and Kaspersky Lab launched the No More Ransom initiative, a new step in the cooperation between law enforcement and the private sector to fight ransomware together.

Ransomware is a top threat for EU law enforcement: almost two-thirds of EU Member States are conducting investigations into this form of malware attack. While the target is often individual users’ devices, corporate and even government networks are affected as well. The number of victims is growing at an alarming rate: according to Kaspersky Lab, the number of users attacked by crypto-ransomware rose by 550%, from 131 000 in 2014-2015 to 718 000 in 2015-2016.

“Cybercrime is a growth industry and ransomware is quickly becoming it’s poster child. This enormous growth is having a detrimental impact on consumers, and businesses alike which is why No More Ransom is being launched. It is intended to not only provide proactive advice but crucially decryption tools where available and how to report the incident to law enforcement. As we have seen with the release of shade ransomware decryption tools, giving consumers another option than pay criminals, or lose data is imperative,” Raj Samani, EMEA CTO at Intel Security, told Help Net Security.

Decryption tools

The aim of No More Ransom to provides users with tools that may help them recover their data once it has been locked by criminals. In its initial stage, the portal contains four decryption tools for different types of malware, the latest developed in June 2016 for the Shade variant.

Shade is a ransomware-type Trojan that emerged in late 2014. The malware is spread via malicious websites and infected email attachments. After getting into the user’s system, Shade encrypts files stored on the machine and creates a .txt file containing the ransom note and instructions from cybercriminals on what to do to get user’s personal files back. Shade use strong decryption algorithm for each encrypted file, with two random 256-bit AES keys generated: one is used to encrypt the file’s contents, while the other is used to encrypt the file name.

Since 2014, Kaspersky Lab and Intel Security prevented more than 27 000 attempts to attack users with Shade Trojan. Most of the infections occurred in Russia, Ukraine, Germany, Austria and Kazakhstan. Shade activity was also registered in France, Czech Republic, Italy, and the US.

By working closely together and sharing information between different parties, the Shade command and control server used by criminals to store keys for decryption was seized, and the keys were shared with Kaspersky Lab and Intel Security. That helped to create a special tool which victims can download from the No More Ransom portal to retrieve their data without paying the criminals. The tool contains more than 160.000 keys.

No More Ransom: Public – private cooperation

The project has been envisioned as a non-commercial initiative aimed at bringing public and private institutions under the same umbrella. Due to the changing nature of ransomware, with cybercriminals developing new variants on a regular basis, this portal is open to new partners’ cooperation.

“The biggest problem with crypto-ransomware today is that when users have precious data locked down, they readily pay criminals to get it back. That boosts the underground economy, and we are facing an increase in the number of new players and the number of attacks as a result. We can only change the situation if we coordinate our efforts to fight against ransomware. The appearance of decryption tools is just the first step on this road. We expect this project to be extended, and soon there will be many more companies and law enforcement agencies from other countries and regions fighting ransomware together”, says Jornt van der Wiel, Security Researcher at Global Research and Analysis Team, Kaspersky Lab.

Wil van Gemert, Europol Deputy Director Operations, finally: “For a few years now ransomware has become a dominant concern for EU law enforcement. It is a problem affecting citizens and business alike, computers and mobile devices, with criminals developing more sophisticated techniques to cause the highest impact on the victim’s data. Initiatives like the No More Ransom project shows that linking expertise and joining forces is the way to go in the successful fight against cybercrime. We expect to help many people to recover control over their files, while raising awareness and educating the population on how to maintain their devices clean from malware.”