81

A company I support/do work for has been hit with ransomware. I've gone down all the data recovery paths etc ... and the business has decided that paying the ransom is cheaper than rebuilding and trying to recover.

My question is: has anyone gone through the process of paying a ransomware company? Once you pay, do the bad guys send you a private key and if so, how do you use it to decrypt files?

EDIT: (by request, as people asked for more information below; I figured it might help some others who find this topic)

As far as the type goes, I think it might be a variant of CryptoLocker. The application was nowhere to be found after the hit. I ran 3 different AV scans and found no signs of anything. All I had to go on was this image:

I narrowed down the attack to be that of Cryptowall 4.0 judging by the URL being used. I traced that URL to a mailing list for SNORT and saw Cryptowall 4.0 being mentioned.

Here is a forum topic with some talk that matches what I am seeing here, for those interested.

Cryptolocker "ransom note"

psmears

Jason
  • My understanding is that the bad guys will give you a decryption tool - they want it to be painless and easy so that people keep paying them. – Mike Ounsworth Dec 04 '15 at 14:40
  • Same as what Mike says, but of the few cases of ransomware I've dealt with, we've always had a backup data option. Never had to pay it. However I'd be speculative about paying it, as what if they take my bitcoins and give me nothing. I wouldn't put it past the code writers to just take my money and forget about me. I mean they aren't a legit company that someone's going to say: Don't do business with "Your Balls in a Vice Software" – N. Greene Dec 04 '15 at 14:43
  • You should create a backup plan for your company so that won't happen in the future! – Skyküff Dec 04 '15 at 14:49
  • @Skyküff I agree. However, in this case, we are more of an on-call IT business so all we can do is recommend options, and most businesses fail to desire to spend money on the IT side of things. – Jason Dec 04 '15 at 14:54
  • Can you tell us which ransomware variant you're dealing with? – GreatSeaSpider Dec 04 '15 at 15:08
  • First half has a great personal story of paying the ransom http://www.radiolab.org/story/darkode/ – Neil Smithline Dec 04 '15 at 16:20
  • For example in some cases Linux.Encoder.1 (Bitdefender name) can be decrypted using a free tool from http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/ – coderworks Dec 04 '15 at 19:03
  • A [certain old poem](http://www.poetryloverspage.com/poets/kipling/dane_geld.html) comes *immediately* to mind. – Tom Zych Dec 06 '15 at 15:07
  • *(...) the bad guys will give you a decryption tool - they want it to be painless and easy (...)* --- How thoughtful of them. – Daniel Dec 07 '15 at 09:54
  • It's a bit funny that the ransomware owners actually supply the user with very good "customer" service in case the user isn't tech savvy. Smart ransomware owners are sure to decrypt it because people are more likely to pay if they actually get what they pay for. That I'm saying this is enough proof for this. Good luck with your decision. – x13 Dec 07 '15 at 13:47
  • I'd recommend, if you end up paying the ransom, you should involve the FBI (or whichever law enforcement entity is relevant to your location). Even if you go through the ransomer's steps exactly and show them no resistance, your experience will be useful to the law enforcement agency(-ies) whose job it is to catch these crooks. – Martin Dec 07 '15 at 21:03
  • Keep in mind you are giving banking/payment information to an unknown entity whose business model is screwing people over. I would be extra careful and plan out how you wish to securely and safely pay the ransom. Remember, these are criminals. Not your friends, not a company that works for you, or someone that could care if your data is recoverable or not after you pay them. – Bacon Brad Dec 07 '15 at 22:10
  • @BradMetcalf: I imagine they want bitcoins. So, at least no credit card or banking information will be compromised. – Quora Feans Dec 08 '15 at 00:15
  • @baconface Actually, he won't. He'll be buying bitcoins from a third, (hopefully) reputable party. Then he will be transferring those bitcoins to the criminals. The criminals would not get any of his banking information during the payment process. – Fiksdal Apr 19 '16 at 10:27

6 Answers

78

First, determine which variant of ransomware you've been hit by. Depending on which one, you may have more options.

As @Ohnana has said, generally ransomware operators are true to their word; it's in their interest, after all. If it became known that certain groups never allowed data to be decrypted, they'd stop getting money from their victims.

That being said, I'd suggest that it is important, before you pay, to try and establish which variant you've become a victim of. There are freely available decryption tools for several variants, and there's at least one documented variant which contains a bug that makes decryption impossible.

Once you've established which variant you have, you will be able to quickly research what you can expect the decryption process to be, and whether you can do it using a free tool rather than by paying the ransomware operator.

Mike Ounsworth

GreatSeaSpider
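As an added triage example (not code from any answer in this thread): before deciding anything about the ransom, inventory the share to find the extension the encrypted files were given and the note that was dropped, which is what the free-tool research above starts from. The '.enc01' extension, the note name and the folder layout are constructed sample data; the list of "known" extensions is an assumption to adjust per environment.

```python
import os
import re
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Heuristics, not family-specific indicators: a dropped note usually has a
# recovery-themed name and is repeated verbatim in many directories (the
# "help files scattered through your directories" mentioned in the thread).
NOTE_NAME = re.compile(r"decrypt|recover|restore|help|ransom|readme", re.I)
NOTE_EXTS = {".txt", ".html", ".htm", ".url"}
# Assumption: extensions the organisation normally uses. Anything else is a
# candidate ransomware extension; extend this set for the share being triaged.
KNOWN_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".csv",
              ".txt", ".html", ".htm", ".url", ".exe", ".dll"}


def triage(root, min_note_dirs=3):
    """Inventory a share: return the most common unknown extension, how many
    files carry it, and note names seen in at least min_note_dirs directories."""
    ext_counts = Counter()
    note_dirs = defaultdict(set)
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = Path(name).suffix.lower()
            if ext in NOTE_EXTS and NOTE_NAME.search(Path(name).stem):
                note_dirs[name].add(dirpath)   # candidate ransom note
            elif ext and ext not in KNOWN_EXTS:
                ext_counts[ext] += 1           # candidate encrypted file
    suspect, count = (ext_counts.most_common(1) or [(None, 0)])[0]
    # A single stray "readme" is normal; the same note in many folders is not.
    notes = sorted(n for n, d in note_dirs.items() if len(d) >= min_note_dirs)
    return {"suspect_extension": suspect, "encrypted_files": count,
            "ransom_notes": notes}


def build_sample_tree():
    """Constructed sample share: originals renamed with a made-up '.enc01'
    extension plus one note per folder. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="triage_")
    for i in range(4):
        d = Path(root, f"dept{i}")
        d.mkdir()
        for f in ("budget.xlsx.enc01", "memo.docx.enc01", "logo.png"):
            (d / f).write_bytes(b"x")
        (d / "HOW_TO_RECOVER_FILES.txt").write_text("constructed note")
    # One ordinary file whose name also matches the note pattern (should be ignored).
    (Path(root) / "dept0" / "notes_readme.txt").write_text("a regular file")
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

The extension and the note name (not their content) are what you then look up on the free-decryptor sites named later in this thread.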
62

As a respectable IT consultant, you should never recommend paying ransomware. If it fails, you will be blamed. If it works, you won't be blamed for recommending against it because the business knows that they are gambling and they were sloppy for letting it happen. And recommending to pay blackmail to a criminal tarnishes your image. I would never use a plumber or a mechanic that recommended paying a criminal blackmail money as I would assume they were in cahoots with the criminals. If you're an IT consultant you have access to this company's unique passwords and such, and - unless they violated an internal rule against doing something on their network - YOU are partly to blame for this happening.

There are several other things you ought to know about this as well:

  1. The criminals are going to install a back door so they can gun the victim again sometime in the next 6 months. Paying ransomware does not "restore" the setup. The setup was hosed to begin with because they got in. The business still needs to completely tear up and rebuild the network properly so this won't happen again in the future.

  2. The ransomware authors spend a LOT of time on blogs and such posting fake stories about how businesses have restored their files quickly and easily by paying. That does not mean that none of these criminals ever restore files after being paid. It means that since they are all using fake names anyway they have no reputation to lose by NOT restoring the files and you cannot trust these apocryphal stories.

  3. Businesses that are scam victims NEVER want to talk about it. Recently a customer of mine was scammed via a simple fake email/wire transfer scam out of $20,000. They begged me to not mention their name on public forums. That same customer was a victim of a Cryptolocker attack about a year ago due to ignoring my advice about network security, and they also asked me about paying - I told them do NOT do it - and I restored from their backups. They didn't pay and they didn't lose files. And they cracked down on their employees and started doing the stuff I had been telling them to do for some time. Unfortunately they never shared with me how they were handling wire transfers so I could not put the kibosh on how they were doing it.

  4. This victim is operating under the assumption that this is some sort of business dealing, that they actually have a choice between paying a little now to get their files back or paying more to get their files back from backup. That is an illusion and the fact they are even contemplating this shows how far gone they are - and incidentally shows how poor a job you have been doing advising them. The reality here is they are contemplating paying someone who is unidentified, has absolutely no reputation to lose, has zero incentive to restore their files - and, in fact, has an incentive to NOT restore their files because the more work the criminal does to help the victim the more chance they have of being caught.

The criminal does not know who they are dealing with - they don't know if they are dealing with a real business or a front company that was set up by law enforcement to bust them. The rule here is the less they engage with the victim the safer it is for them. Once they get the money if they hang around "helping" then it's more chance for them to get caught.

  • There are two distinct possibilities though. 1. Company gets ransomware attack, then approaches consultant. They have no/insufficient backups. 2. Consultant has been working for them for a while, and they get attacked. In case 1, pay the ransom, recover files, rebuild server from scratch, implement backup plan, implement prevention plan to stop reinfection. In case 2, restore from backups, implement prevention plan. Should not need to pay, since should already have backups. If not, it should be because business refused despite advising, not because of consultant not suggesting. – Matthew Dec 05 '15 at 07:32
  • This is the best answer. If you're paying them you should really do the math with losing the ransom + paying for restoring your backup. While it's not 100% clear he's actually a consultant, this is the only way to go - if the company gambles with the ransom, you're not the one to blame. – Sebb Dec 05 '15 at 14:49
  • Giving your real name in an answer doesn't really help with anything, makes you look kind of stupid, especially when your username is the same. As for your answer, you are blaming the IT consultant while the company itself made the mistake of getting this ransomware to execute in the first place. I totally disagree with "having to rebuild all over again" because you'll still be infected. That's just not true, a backup of the now unencrypted data can be made and then a clean install can be performed. There are no options here other than paying the ransom if you really want your files back. – Hatted Rooster Dec 06 '15 at 18:30
  • I agree with @JameyD that this answer "smells" like spam. (I'm not outright accusing you of being a spammer, just saying that the phrasing of your post is suggestive - whether intentionally or not, who knows.) Your real name _already_ appears in the user tag at the bottom of the post, so there's no point in including it in the post text itself, and your profile can contain enough information to verify your identity and direct any interested parties to your business. – David Z Dec 07 '15 at 06:47
  • OP already stated it was not his decision. He merely asks about the process. I had to downvote, because as good as it is, it's not answering the question. – Agent_L Dec 07 '15 at 09:04
  • I'm amazed this answer has as many upvotes as it does, considering it completely neglects to answer the question, and essentially just consists of a long, irrelevant rant, with unfounded assumptions about the extent of the OP's role in managing their network. The question isn't whether or not to advise the company to pay. The company has made that decision. – Jon Bentley Dec 07 '15 at 23:13
  • "incidentally shows how POOR a job you have been doing advising them": some people are POOR at GETTING advice. That does not mean that the advice is not solid, it's just that the recipient is obtuse. – Quora Feans Dec 08 '15 at 00:18
  • "Answer" completely ignores the fact that OP starts by specifying that conventional data recovery options are already exhausted. Of course you don't pay if you can restore from backup, but that is not the question. "Answer" ignores the fact that OP is not being asked for a binary recommendation, but to give an overview of consequences for different options. "Answer" ignores the fact that it's not random blogs that note that ransomware tends to restore data, Ohnana links an article that notes that FBI states that you tend to get the data back when you restore. – Taemyr Dec 08 '15 at 07:50
  • @JonBentley I'm betting the upvotes are more for the sentiment. Every time someone pays for Ransomware it just emboldens criminals to keep doing this. Worse it's solely due to poor planning (we got hit with the original Cryptolocker and we just restored from a backup). But I agree, it doesn't answer the question – Machavity Dec 08 '15 at 13:55
  • What is everyone smoking, on here ???? YOU NEVER PAY A RANSOM, do you guyz get this ???? Never, ever, under any circumstances! Ted is spot on in explaining why. For many, if not all, cryptolocker scams the key is in the binary on the system, get a savvy specialist, cheaper than paying the ransom (in most cases) and you do not fund criminal activity. – thecarpy Jan 27 '16 at 11:53
38

For classic Cryptowall, the virus itself will typically reach out to the C2C and grab the private key and begin the decryption process. There's also a standalone tool that is preloaded with a decryption key and, again, automatically starts decrypting. Most ransomware schemes will make the ransom process as painless as possible.

The FBI has noted that many of these ransomware operators are truthful -- they want people to pay them, so ironically enough holding up their side of the bargain (?) will result in the best outcome.

Also, another piece of strange advice -- refer to the virus documentation. A ransomware scheme is not successful if you don't understand how to get your files back!

Ohnana

  • They may also have a helpline. I know this sounds insane, but we live in strange times. It is entirely possible that once you have paid them, they will talk you through getting the files back if you give them a ring. I don't know if they use premium rate numbers, but if not, they're missing a trick, clearly! – Matthew Dec 04 '15 at 15:21
  • These guys sound more helpful than comcast et al.! – Dave Dec 04 '15 at 20:18
  • @Dave Until you realize you wouldn't have a problem without them in the first place... Oh, wait. – jpmc26 Dec 05 '15 at 01:57
  • So do you just download this virus documentation from their website or does it come preinstalled? – Thomas Dec 05 '15 at 02:47
  • Usually they'll change your desktop background or leave help files scattered through your directories. See the screenshot in the question for examples of the "documentation" and "help guide" they give you. – Ohnana Dec 05 '15 at 05:18
19

There are some reports of people getting their files back; however,

  • other people have reported being asked for a second, unexpected, payment after that (not that surprising, given this is an extortion)

  • or simply spending the money and not getting their files back

It's even possible that the criminals themselves are not able to decrypt them. Perhaps the user managed to get encrypted twice, their encryptor is buggy, their "recovery" tool corrupts the encrypted file even further, there may have been a network problem when sending the key to the C&C, their servers have been seized... Some ransomware families provide free decryption of a single file to prove that they are able to. Use it wisely.

Also note that depending on your location, it may be illegal to pay the ransom (you are financing criminals).

I'd prefer paying an AV vendor to recover the files rather than the criminals. It may even be free if you had their product installed. See for instance Dr Web's

I also find interesting the claim that the business has decided that paying the ransom is cheaper than rebuilding and trying to recover. Even if you pay the ransom and get your files back (which is dubious at least), you should rebuild the infected infrastructure. How are you going to trust the machine they managed to infect? Plus, they need to take measures so it doesn't happen again. And in this case they don't even know how they got infected!

It's surprising to find companies that fell victim to cryptolockers... only to be reinfected some months later, and still not having any recovery means.

Just not being able to recover the files from the Shadow Copies means the virus managed to disable them, which leads to the question: why were your users running as an Administrator?

Or not having a (working) backup plan, which may breach national regulations.

You can't simply decide to pay and hide the problems under the rug. If you got hit by ransomware and you are not able to recover and proceed working in a matter of hours (a few days at most), you have a big problem. As they have found out the hard way.

Ángel

  • "I'd prefer paying an AV for recovering the files rather than the criminals." I think we all would. However, AV is usually not able to do so. – Mast Dec 08 '15 at 12:18
3

Providing this question with some up-to-date information.

Interpol has teamed up with the Netherlands police, Kaspersky, and Intel Security to provide a site where ransomware victims can find tools to decrypt their kidnapped files for free: No More Ransom.

That's the best option to get a chance to recover your files; as already said, paying the ransom does not guarantee that you get your files back, and at the same time it makes you support criminal activities.

dr_

  • The proper solution is to use backups, however for any well-designed ransomware paying is the only other option unfortunately. Free decryptors are getting scarce now that crooks learn to use proper crypto. – André Borie Mar 09 '17 at 16:18
2

A couple of points I'd like to add:

  • Once you've decided to pay, don't waste too much time. I'm not advising you to throw away your client's money without giving it a careful thought first, but waiting another month for a free tool to appear is a bad plan: chances are the crooks will disappear or get caught, and your data may be lost forever.
  • Don't sound like you represent a business which has money to spend: this will increase the chances that a second payment will be requested. And if you're offered a free decryption test, don't send away any business-related files. Pretending you're a small business or a private person seeking to get your photos back works much better:


The picture is from this article which describes, among other things, what happens when you decide to pay.

Dmitry Grigoryev