Unlike other cyber nuisances, such as viruses, which replicate and cause mayhem, or denial-of-service attacks, which bring networks to a grinding halt, ransomware is almost impossible to unwind once it has been deployed successfully. That’s because it uses encryption to lock up the files, with the secret decryption key being the only route out.
Rather than try to undo this encryption, most victims just write off the files and restore their systems using backups. This can take days or weeks, assuming the target has good data practices, while still costing millions of dollars. It may be impossible if secure backups don’t exist. And that’s what ransomware attackers are betting on: the losses from restoring systems are so high that a target is willing to pay to get a copy of the digital key, which can decrypt the files and restore everything to normal.
But what hackers don’t bet on is savvy cybersecurity professionals coming across rookie mistakes in the malware code that let them reverse the encryption without paying a dime to the assailant.
A group at International Business Machines Corp.’s X-Force team did just that. Taipei-based CyCraft Corp. also managed to find the flaws and offered decryption tools for free.
In an article on IBM’s Security Intelligence website, and a recent presentation at the RSA Security Conference, the researchers outlined how they spotted an error within the code of the Thanos family of ransomware. Prometheus, a variant of Thanos, is believed to have struck at least 30 victims in industries including manufacturing, logistics and finance.
It all centers around randomness. This quality is one of the most important aspects of good encryption because encryption-decryption keys — they usually come as a mathematically linked pair — rely…
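To make the randomness point concrete, here is an added illustration (not code from Thanos, Prometheus, IBM X-Force or CyCraft, and not a description of the actual flaw those researchers found). It shows the general failure mode the article is describing: a key that is derived from a predictable seed, such as a timestamp, can be recovered by a decryptor that simply tries every plausible seed and checks the result against a known file header. The toy stream cipher, the time-based seeding scheme, the one-hour search window and the sample PNG file are all constructed for the demonstration; the contrast is with a key drawn from the operating system's CSPRNG, for which there is no seed to enumerate.

```python
"""Why a key is only as strong as the randomness behind it.

Added illustration; none of this is the ransomware's own code. The cipher,
the weak seeding scheme and the sample file are constructed for the demo.
"""
import hashlib
import random
import secrets
import time
from typing import Optional

# Constructed sample "victim" file: a PNG header followed by filler bytes.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_FILE = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(range(64))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block offset) blocks.

    Deterministic in the key, so the same call encrypts and decrypts.
    Demonstration construction only, not something to ship.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def weak_key_from_seed(seed: int) -> bytes:
    """The mistake: a key pulled from a deterministic PRNG seeded with a
    low-entropy value (here a Unix timestamp in seconds). Every key ever
    made this way lies in a space of a few million candidates per month,
    regardless of the key being 256 bits long."""
    rng = random.Random(seed)
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_key() -> bytes:
    """The fix: 256 bits from the OS CSPRNG. There is no seed to guess."""
    return secrets.token_bytes(32)


def recover_weak_key(ciphertext: bytes, magic: bytes,
                     window_start: int, window_end: int) -> Optional[bytes]:
    """Decryptor side: brute-force the seed instead of the key.

    Assumes the encryption time is known to within a window (file mtime,
    incident logs) and that the plaintext begins with a known header.
    Tries each candidate seed and keeps the key whose decryption reproduces
    the header. Returns None if no seed in the window matches.
    """
    for seed in range(window_start, window_end + 1):
        candidate = weak_key_from_seed(seed)
        if keystream_xor(candidate, ciphertext[:len(magic)]) == magic:
            return candidate
    return None


def demo() -> bool:
    """Encrypt with a time-seeded key, then recover the key without it.

    The defender is assumed to know only that the file was encrypted
    'sometime in the last hour', a window of a few thousand seeds."""
    t_enc = int(time.time())
    key = weak_key_from_seed(t_enc)
    ct = keystream_xor(key, SAMPLE_FILE)
    found = recover_weak_key(ct, PNG_MAGIC, t_enc - 3600, t_enc + 60)
    return found == key and keystream_xor(found, ct) == SAMPLE_FILE


if __name__ == "__main__":
    print("weak key recovered:", demo())
```

The search in `recover_weak_key` costs one PRNG initialisation and one hash per candidate seed, so a window of hours or days is trivial on a laptop; widening the window to every second in a year is still only about 31 million candidates. With `strong_key` the same decryptor has nothing to enumerate, which is the whole difference between a ransomware family that can be unwound for free and one that cannot.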