Ransomware Incident Response Services

When valuable data has been encrypted by malicious actors demanding a ransom, our team works to restore your data without paying the ransom. If necessary, we can also facilitate the ransom negotiation on your behalf.

We offer ransomware data recovery and investigation services for anybody suffering from file-encrypting viruses. Our goal is to restore as much of your encrypted data as possible without having to pay the people holding your data for ransom. If traditional recovery is not possible, you can choose to let us assist with the payment and decryption of the data if you do not feel comfortable doing so yourself. We will provide comprehensive documentation of the event for your insurance adjuster. We also investigate how your system became infected and provide you with advice on how to prevent future intrusions, among other services.


What Is Ransomware?

Ransomware is a particularly insidious form of malware. As the name suggests, ransomware takes your data and holds it for ransom by encrypting it. These viruses are programmed to seek out files with specific extensions. Common file types, such as JPEGs, Word and Excel documents, Photoshop project files, and database files are among the many affected. Affected files will usually have some sort of new extension appended to them, such as “.CRYPTED”, “.VAULT”, or “.LOCKED”.

The majority of ransomware viruses use complex AES encryption to lock away your files. This encryption is impossible to brute-force; the only way to undo it is to pay the hackers for their decryption key and hope they honor their end of the bargain. Some ransomware viruses, however, cheat: they use simpler forms of encryption, or they have other weaknesses we can leverage to get around the encryption. For example, the now-defunct cryptovirus TeslaCrypt claimed to be using a much stronger form of encryption than it actually used, which gave Talos openings to develop decryptor software for TeslaCrypt victims.

Ransomware can spread just like any other kind of virus or malware. Browsing shady websites or opening suspicious email attachments can give a ransomware virus the opening it needs to infect your system. For years, hackers have compromised their victims by sending emails posing as a relative, a co-worker or sysadmin, a business partner, or legal official and asking them to download and open an email attachment.


Why Is Ransomware So Prevalent Today?

There are five factors that have contributed to the proliferation of ransomware. Computer hacking, of course, has been around as long as there have been computers. But it wasn’t until these five factors all came together, all within the past few years, that ransomware really took off.

1. The Growth of the Internet

Ransomware exists because the Internet has become huge. Just about everybody, save for maybe your 90-year-old grandma or your kooky survivalist uncle, has an ever-increasing web footprint. This has given computer-savvy ne’er-do-wells around the world even more access points to attack individuals and businesses. For well over a decade, scammers in third-world nations have made entire careers out of defrauding people in the first world. In the early days of the Internet, the world wide web allowed these scammers to reach even more victims. Now, with the Web as huge as it is, holding a user’s files for ransom has become much more profitable than inventing a sob-story about a Nigerian prince.

2. The Rise of Bitcoins

The creators of Bitcoin and its early adopters envisioned Bitcoin as a form of wholly-digital currency. Bitcoin is not backed by gold or any other precious substance. Nor is it backed by the full faith and credit of any government. Bitcoin’s value is highly volatile, but seems to have stabilized recently. Its greatest value is that it is “cryptocurrency”: decentralized, untraceable, and impossible to counterfeit. While Bitcoin can be used and is used for legitimate transactions, the relative anonymity it provides its users makes it ideal for the world’s more unsavory transactions. Compared to, say, Western Union or wire transfers, there’s no way to trace the malefactor’s location.

3. Improvements in 256-Bit Encryption

Over the past few years, computers have gotten extremely good at encrypting data. 256-bit encryption has become so easy that just about any SSD you can buy today (or any modern model of iPhone) encrypts itself by default—and you’d never even notice. It only takes a handful of milliseconds to turn your typical Word document into encrypted garbage, and a few seconds to encrypt all of your Word documents. And while computers have made great strides in encrypting data quickly, they have made next to no progress in forcibly decrypting that data. According to an EETimes article, 128-bit AES encryption would take a supercomputer one billion billion (or one quintillion) years to break. This is orders of magnitude longer than the age of the universe.

4. The Dark Web and Onion Browsers

The deep web is the surprisingly-vast portion of the Internet not indexed by search engines. The dark web is a portion of it. Thanks to Tor’s method of providing encryption through “onion routing”, users can surf the Internet, including the hidden dark web, and send instant messages to peers under the veil of anonymity. Due to the level of anonymity in the dark web, one can find black markets for all sorts of illicit goods and services. Savvy programmers can sell their encryption programs to interested parties with complete anonymity. The growth and proliferation of the dark web has made it even easier for hackers to obtain the tools to launch massive ransomware attacks.

5. Profit Motive

Finally, ransomware has taken off because it rakes in the dough. In the US alone, the CryptoWall virus cost its victims over $18 million in a single year. According to a June 2016 article in TechInsider, individual cybercriminals can each make over $7,500 per month in ransom payments. If you’re a hacker in Russia, where the average monthly salary is around $500, being or working for a ransomware boss has its obvious advantages. It is hard to calculate the exact figures on how much money flows into ransomware hackers’ pockets. This is mainly because many people affected by these attacks are understandably embarrassed about it and would prefer to keep mum about whether or not they paid the ransom to get their files back. At any rate, online malefactors have found ransomware to be a great way to make a lot of money with little investment.


Common Variants of Ransomware

This is a brief, and by no means exhaustive, list of some common ransomware viruses:

Our ransomware data recovery technicians frequently have to contend with cryptoviruses such as CryptoWall 3.0

A portion of the CryptoWall 3.0 ransom note. The note claims that “the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever”.

The CryptoWall virus is one of the many copycat cryptoviruses that sprang up after the original CryptoLocker became defunct. CryptoWall 3.0 encrypts its victims’ files with an AES CBC 256-bit encryption algorithm. The newest version, CryptoWall 4.0, encrypts the names of the victims’ files as well as the contents.

CTB-Locker uses the Tor anonymity network to avoid detection. It will often “allow” the victim to decrypt two files (not of the victim’s choosing) for free, to encourage payment. There is also a popular variant of CTB-Locker that exclusively targets web servers.

Like several other cryptoviruses, Cerber will ignore a potential victim’s files if the computer is registered in certain countries, but infect users from any other country. This virus can also run a text-to-speech program and “speak” directly to the victim. Cerber adds the .CERBER file extension to any file it encrypts.

After the TeslaCrypt virus fell, Crysis filled the void it left behind. One variant of Crysis appends “.centurion_legion@aol.com.xtbl” to affected files. Crysis sometimes demands that the victim email mailrepa.lotos@aol.com or goldman0@india.com to receive payment instructions.

This ransomware is unique in that the hackers will communicate directly with the victim via email. They will often offer the victim a “discount” on decryption. Like many cryptoviruses, its handlers appear to be based in Russia.
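
The appended extensions described above give responders a quick way to scope an incident from a file inventory. The following is an added example, not code from this page's authors: it matches only the markers named on this page (“.CRYPTED”, “.VAULT”, “.LOCKED”, “.CERBER” and the Crysis suffix), recovers each file's original name, and counts hits per family and per directory. The function names, the POSIX-style paths and the sample inventory are assumptions made for illustration.

```python
from collections import Counter
from pathlib import PurePosixPath

# Appended-extension markers named on this page, mapped to the family the page
# ties them to (None = the page gives the extension but no family).
MARKERS = {
    ".centurion_legion@aol.com.xtbl": "Crysis",
    ".cerber": "Cerber",
    ".crypted": None,
    ".vault": None,
    ".locked": None,
}

def classify(path):
    """Return (family, marker, original_name) if path ends with a known marker, else None."""
    name = PurePosixPath(path).name
    lowered = name.lower()  # markers are compared case-insensitively
    # Longest marker first so a multi-part suffix wins over a shorter one.
    for marker in sorted(MARKERS, key=len, reverse=True):
        if lowered.endswith(marker) and len(name) > len(marker):
            return MARKERS[marker] or "unattributed", marker, name[: -len(marker)]
    return None

def triage(paths):
    """Summarise an inventory of file paths: hits per family and per directory."""
    by_family, by_dir, hits = Counter(), Counter(), []
    for p in paths:
        result = classify(p)
        if result is None:
            continue
        family, _marker, original = result
        by_family[family] += 1
        by_dir[str(PurePosixPath(p).parent)] += 1
        hits.append((p, family, original))
    return {"by_family": dict(by_family), "by_dir": dict(by_dir), "hits": hits}

# Constructed sample inventory (not real incident data).
SAMPLE = [
    "/srv/share/finance/q3.xlsx.CERBER",
    "/srv/share/finance/budget.docx.cerber",
    "/srv/share/hr/roster.xlsx.centurion_legion@aol.com.xtbl",
    "/srv/share/hr/policy.pdf",
    "/srv/share/design/logo.psd.LOCKED",
    "/srv/share/design/vault",  # plain name, not an appended marker
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["by_family"])
    print(report["by_dir"])
```

Extension matching only finds variants that leave the original name intact; a variant that encrypts file names, as described above for CryptoWall 4.0, will not appear in this report and has to be scoped by other means.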