The Dutch National Police, Europol, Intel Security and Kaspersky Lab have joined forces to launch a new initiative designed to fight the cyber criminals. Entitled ‘No More Ransom’, this is a step forward in the co-operation between law enforcement and the private sector to fight ransomware on a collective basis. ‘No More Ransom’ (www.nomoreransom.org) is a new online portal aimed at informing the public about the dangers of ransomware and helping victims to recover their data without having to pay ransoms to the cyber criminals.
Ransomware is a type of malware that locks victims’ computers or otherwise encrypts their data, demanding them to pay a ransom in order to regain control over the affected device(s) or files. Ransomware is a top threat for European Union (EU) law enforcement. Indeed, almost two-thirds of EU Member States are presently conducting investigations into this form of malware attack. While the target is often individual end users’ devices, corporate and even Government networks are affected as well.
The number of victims is growing at an alarming rate, too. According to Kaspersky Lab, the number of users attacked by crypto-ransomware rose by 5.5 times from 131,000 in 2014-2015 to 718,000 in 2015-2016.
The aim of the portal www.nomoreransom.org is to provide a helpful online resource for victims of ransomware. Users can find information on what ransomware is, how it works and, most importantly, how to protect themselves. Awareness is key as there are no decryption tools for all existing types of malware available. If your systems become infected, the chances are high that the data will be lost forever. Exercising a ‘conscious Internet use’ while following a set of simple cyber security tips can help avoid the infection in the first place.
The project provides users with tools that may help them recover their data once it has been locked by criminals. In its initial stage, the portal contains four decryption tools for different types of malware, the latest developed in June 2016 specifically for the Shade variant.
Shade is a ransomware-type Trojan that emerged in late 2014. The malware is spread via malicious websites and infected e-mail attachments. After accessing the user’s system, Shade encrypts files stored on the machine and creates a .txt file containing the ransom note and instructions from cyber criminals on what to do to retrieve user’s personal files. Shade uses a strong decryption algorithm for each encrypted file, with two random 256-bit AES keys generated: one is used to encrypt the file’s contents, while the other is employed to encrypt the file name.
Since 2014, Kaspersky Lab and Intel Security have prevented more than 27,000 attempts to attack users where cyber criminals have used Shade Trojan. Most of the infections occurred in Russia, the Ukraine, Germany, Austria and Kazakhstan. Shade activity has also been registered in France, the Czech Republic, Italy and the US.
Thanks to the authorities working closely together and sharing information between different parties, the Shade Command and Control server used by criminals to store keys for decryption was seized and the keys shared with Kaspersky Lab and Intel Security. That helped to create a special tool which victims can download from the ‘No More Ransom’ portal to retrieve their data without paying the criminals. The tool contains more than 160,000 keys.
Public-private sector co-operation
The project has been envisioned as a non-commercial initiative aimed at bringing public and private sector institutions together under the same umbrella. Due to the changing nature of ransomware, with cyber criminals developing new variants on a regular basis, this portal is always open to new partners’ co-operation.
Wilbert Paulissen, director of the National Criminal Investigation Division of the National Police of the Netherlands, stated: “We, the Dutch police, cannot fight against cyber crime, and ransomware in particular, on a solo basis. This process has to be a joint responsibility of the police, the Justice Department, Europol and ICT companies. This is why I’m very happy about the police’s collaboration with Intel Security and Kaspersky Lab. Together, we will do everything in our power to disturb criminals’ money-making schemes and return files to their rightful owners without the latter having to pay out significant amounts of money.”
Jornt van der Wiel, security researcher within the Global Research and Analysis team at Kaspersky Lab, added: “The biggest problem with crypto-ransomware is that, when users have their precious data locked down, they readily pay criminals to retrieve it. That boosts the underground economy and, as a result, we’re facing an increase in the number of new criminal players and the number of attacks. We can only change that situation if we co-ordinate our efforts to fight ransomware. The appearance of decryption tools is just the first step on this road. We expect this project to be extended. Soon, there will be many more companies and law enforcement agencies from other countries and regions fighting ransomware on a collective basis.”
Raj Samani, CTO for Intel Security in the EMEA region, told Risk UK: “This initiative shows the inherent value of public-private sector co-operation in taking serious action in the fight against cyber crime. This collaboration goes beyond intelligence sharing, consumer education and site ‘take downs’ to actually help repair the damage inflicted upon victims. By restoring access to their systems, we empower end users by showing them they can take action and avoid rewarding criminals with a ransom payment.”
Wil van Gemert, Europol’s deputy director of operations, observed: “For a few years now, ransomware has become a dominant concern for EU law enforcement. It’s a problem affecting citizens and businesses, computers and mobile devices, with criminals developing more sophisticated techniques to cause the highest impact on the victim’s data. Initiatives like the ‘No More Ransom’ project show that linking expertise and joining forces is the way forward in the successful fight against cyber crime. We expect to help many people to recover control over their files, while also raising awareness and educating the population on how to keep their devices clear of malware.”
Important to ‘Always report’
Reporting ransomware to law enforcement is very important in order to help the authorities obtain an overall clearer picture of the present situation and thereby introduce the right capacity of measures to mitigate the threat. The ‘No More Ransom’ website allows victims to report acts of criminality, directly connecting with Europol’s overview of national reporting mechanisms.
If you’ve become a victim of ransomware, Europol advises you not to pay the ransom. By making the payment you will be supporting the cyber criminals’ business. Not only that, there’s also no guarantee that paying the fine will give you back the access to the encrypted data that has been promised.