In most cases, ransomware can prove to be the perfect crime as once it gets on a system, it is very difficult to remove, even though industry experts always warn against paying the fee to get control of your computer.
Along those lines, cyber security firm Avast is helping to combat ransomware by releasing three more decryption tools to help victims. This latest offering brings Avast’s total to 14 stools.
“In 2016, ransomware once again demonstrated that it is the biggest security threat. In the past year more than 200 new strains of ransomware were discovered, it’s growth of in-the-wild samples two-folded,” Jakub Kroustek, reverse engineer and malware analyst at Avast, said in a blog post.
The three new decryption tools address three different ransomware strains: HiddenTear, Jigsaw and Stampado/Philadelphia. Some solutions for these strains are already available, coming from other security researchers. Avast decided, however, that it is always best to have multiple options.
That’s because these three strains are active, especially over the past few months. Since encryption keys update often, so must the decryption tools.
“We were able to significantly speed-up the decryption time, more precisely the password brute-force process, so e.g. some of the HiddenTear variants will be decrypted within minutes instead of days,” Kroustek said. “The best results are achieved when decrypting files directly from the infected machine.”
One of the strains, HiddenTear, has been around for a while and the code is on GitHub. Given the fact that it is so present, hackers have gone and tweaked the code and starting using it. Encrypted files have a wide range of extensions: .locked, .34xxx, .bloccato, .BUGSECCCC, .Hollycrypt, .lock, .saeid, .unlockit, .razy, .mecpt, .monstro, .lok, .암호화됨, .8lock8, .fucked, .flyper, .kratos, .krypted, .CAZZO, .doomed. and more.
After all the files end up encrypted, a text file will appear on the user’s desktop.
Another strain, Jigsaw, ended up spotted in March 2016, and many of its strains use the picture of the Jigsaw Killer from the same-name movie in the ransom screen.
Files encrypted after the computer suffered the Jigsaw infection are: .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush.
Keeping up with the movie script, the malware will delete a file per hour if you don’t pay up.
The other strain, Stampado, has been around since August 2016, and it’s on the dark web. Multiple versions have been circulating on the Internet, one of them is called Philadelphia. Most often than not, Stampado adds the .locked extension to the encrypted files.
Stampado will delete a new file every six hours unless you pay the ransom.