The Good, Bad and Ugly
Kivu rounded out the calendar year with a holiday season bursting with ransomware attacks. Here’s the good, the bad and the ugly on what we’re seeing in recent attacks (really just the bad and the ugly).
Traditionally, ransomware encrypts files based on their file extensions. Most ransomware contains source code with a list of extensions to target, like the list below:
In the last two months, Kivu has encountered multiple strains that appear to be “extension-agnostic” – in other words, they encrypt anything and everything, and do not limit their reach to a discrete list of file types.
Why does this matter?
Whether intentional or inadvertent, this evolutionary trait of ransomware has created a unique problem: the risk of double-encryption.
Imagine Joe Attacker hacks into your server and encrypts all your files, appending the file extension “.dietpepsi”. A few days later, Jane Attacker also hacks into your server and launches an extension-agnostic ransomware variant that encrypts files and appends the extension “.mountaindew”. Old ransomware would skip right over the files ending in “.dietpepsi”, as that is an unconventional, invented file type that appears on no target list; thus, the second ransomware would be rendered fairly useless. However, Jane Attacker’s ransomware doesn’t select files by extension – it goes after everything in its path. This means the files on your server suffer double-encryption and end up named like this:
- “Meeting Minutes.docx.dietpepsi.mountaindew”
- “Accounting 2017.pdf.mountaindew”
If your backups are deleted or nonexistent and the data on the server is mission critical to your organization, you are faced with having to triage not one, but two ransomware attacks and negotiate with two attackers simultaneously.
Among the many horrors this scenario presents, one is the problem of decryption verification. A pivotal step in the ransomware negotiation process is having the bad actor decrypt a few sample files prior to payment – a show of good faith that he/she has a functioning decryption solution. In this process, we check to make sure not only that the ransomware extension is removed from the test file, but also that the file opens properly and hasn’t suffered corruption. If we find that the decryption tool is failing to restore the files, we might advise the victim to decline to proceed with payment.
The problem with double encryption is that there is no way to open the file to check its integrity while it still bears the other attacker’s encrypted file extension. Even if we get Jane Attacker to decrypt “Payroll.xlsx.dietpepsi.mountaindew”, that only gets us to “Payroll.xlsx.dietpepsi”, leaving us unable to verify whether the file has suffered any internal damage. This heightens the risk of paying for a faulty tool and derails the investigator’s ability to predict the decryption tool’s effectiveness.
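To make the verification step concrete, here is an added example (it is not Kivu’s tooling or anything from the original post) that peels the stacked ransomware extensions off file names like the ones above, works out which attacker’s decryptor has to run first, and applies the “does the file actually open” check to a returned sample. The two extensions, the file names and the sample contents are constructed; the structural check relies on two facts about the real formats, that `.docx`/`.xlsx` are ZIP containers and that `.pdf` files begin with `%PDF` and carry a `%%EOF` trailer.

```python
"""Triage helpers for stacked ("double") ransomware extensions.

Constructed example. The two extensions, the file names and the sample
file contents are made up to match the scenario in the text.
"""
import io
import zipfile
from typing import List, NamedTuple

# Extensions recovered from the two ransom notes (constructed values).
RANSOM_EXTENSIONS = {"dietpepsi", "mountaindew"}

# Leading bytes for the document types in the scenario. .docx and .xlsx
# are ZIP containers, so they open with the ZIP local-file signature.
MAGIC_BYTES = {
    "pdf": b"%PDF",
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
}
ZIP_TYPES = {"docx", "xlsx"}


class Layers(NamedTuple):
    original_name: str   # name before any ransomware touched the file
    layers: List[str]    # order of application: first attacker first


def parse_layers(filename: str, ransom_exts=RANSOM_EXTENSIONS) -> Layers:
    """Peel known ransomware extensions off the end of a filename.

    Peeling stops at the first suffix that is not a known ransomware
    extension, so the victim's real extension (.xlsx, .pdf) is kept.
    """
    parts = filename.split(".")
    peeled = []
    while len(parts) > 1 and parts[-1].lower() in ransom_exts:
        peeled.append(parts.pop())
    peeled.reverse()  # outermost was popped first; report innermost first
    return Layers(".".join(parts), peeled)


def decryption_order(filename: str) -> List[str]:
    """Layers come off in the reverse of the order they went on:
    the last attacker's decryptor has to run first."""
    return list(reversed(parse_layers(filename).layers))


def opens_cleanly(ext: str, content: bytes) -> bool:
    """Best-effort 'does it actually open' check, beyond the first bytes."""
    if ext in ZIP_TYPES:
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as zf:
                return zf.testzip() is None  # None: every member's CRC is intact
        except zipfile.BadZipFile:
            return False
    if ext == "pdf":
        return b"%%EOF" in content[-1024:]  # trailer present, file not truncated
    return False


def check_sample(filename: str, content: bytes) -> str:
    """Classify a sample file handed back by an attacker's decryptor.

    "still_encrypted:<ext,...>"  a ransomware extension remains, so the
                                 content cannot be opened or judged yet
    "ok"                         extension gone, header and structure valid
    "corrupt"                    extension gone, but the file does not open
    "unknown_type"               no signature known for this file type
    """
    info = parse_layers(filename)
    if info.layers:
        return "still_encrypted:" + ",".join(info.layers)
    name = info.original_name
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in MAGIC_BYTES:
        return "unknown_type"
    if not content.startswith(MAGIC_BYTES[ext]) or not opens_cleanly(ext, content):
        return "corrupt"
    return "ok"


def make_sample_zip() -> bytes:
    """Constructed stand-in for a healthy .docx/.xlsx (a small valid ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    healthy = make_sample_zip()
    # Constructed samples: what comes back at each stage of the negotiation.
    samples = [
        ("Payroll.xlsx.dietpepsi.mountaindew", b"\x8a\x11\x00\xff"),  # untouched
        ("Payroll.xlsx.dietpepsi", healthy),                           # after Jane's tool
        ("Payroll.xlsx", healthy),                                     # after Joe's tool
        ("Payroll.xlsx", healthy[: len(healthy) // 2]),                # truncated by a faulty tool
        ("Accounting 2017.pdf", b"%PDF-1.7\n1 0 obj\n%%EOF\n"),
    ]
    print("decrypt order:", decryption_order(samples[0][0]))
    for name, data in samples:
        print(f"{name:40} -> {check_sample(name, data)}")
```

A sample that still carries a layer is reported as `still_encrypted` rather than graded, which is exactly the gap the double-encryption case opens: Jane’s tool cannot be judged good or faulty until Joe’s has also been run on the same file.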
Kivu recently encountered a double-encryption infection, which was compounded by the fact that the victim was running old, slow operating systems that had trouble handling the decryption tools. With persistent troubleshooting, diligence, and creative problem-solving, Kivu was able to restore the victim’s files from both infections and bring their environment back up and running.
We expect to see more of the same in the coming months. As daunting as a ransomware attack may seem, with a careful approach, patience, and luck, there is a good chance your environment can be successfully decrypted.