Who will restore encrypted corporate data? Nobody will

Do not expect data encrypted by ransomware to be restored easily. It is better to protect the data in the first place.

As yesterday’s incident with Norway’s Norsk Hydro company shows, the ransomware threat is far from being dead, and not everyone is protected. One possible reason is the common belief that in case of an incident their data can be restored, if not by internal IT specialists, then by some external security experts — or, as a last resort, by the cybercriminals responsible (in exchange for ransom). And oh yes, a lot of companies promise to decrypt data. But sometimes employing such companies is actually worse than to paying cybercriminals.

Why is it a bad idea to employ companies that give a 100% guarantee of decryption?

When you start searching for information about encrypting ransomware, you start seeing a lot of advertisements from companies promising to recover data, no matter what. On their websites, as a rule, you can find wordy explanations for why you should not pay attackers, as well as fairly inventive descriptions of decryption methods. These sites often look quite convincing. But there is one catch.

You see, modern encryption algorithms are designed such that anyone can turn important information into a meaningless set of characters, but only the one who has the key can restore everything. In other words, if the attackers made no mistakes, no one else will be able to decrypt those files — neither your system administrator nor a global IT security giant.

So anyone talking about absolute guarantees of decryption a probably lying. As late as last year, our colleagues identified one such company. As it turned out, the company demanded considerable sums of money from victims for “decryption services” and at the same time negotiated with the attackers to get decryption keys at a discount. As a result, the victims not only paid the attackers, but also funded third-party fraudsters.

Why you shouldn’t pay

Paying the extorters seems like the path of least resistance. Many do just that — and actually get their data back. For example, in 2016, the Locky ransomware attack paralyzed Hollywood Presbyterian Medical Center (HPMC), and with the health and in some cases even the lives of patients depending on the decryption speed, the management made the difficult decision to pay a ransom of $17,000.

However, the easiest way is not always the best, especially if the stakes are not actually about life and death. First of all, your money will most likely be used to develop even more sophisticated malicious programs (which may target marks like you who have shown they’re willing to pay). Secondly, paying is an unreliable tactic. The hospital was lucky, but in hundreds of cases, attackers simply take the money and never decrypt the files. Sometimes they can’t.

Why security companies cannot decrypt your data

Of course, there are companies that are constantly looking for ways to restore encrypted data — including us. However, deciphering information is possible only if the attackers were not professional enough to implement a normal algorithm (or if they simply made a mistake somewhere). When we manage to make a decryption tool, we share it free at https://noransom.kaspersky.com/.  But such cases are exceptions, not the rule.

So, the best thing you can do is try to prevent infection. We have a set of tools for that, including the newly updated free Kaspersky Anti-Ransomware Tool for Business. It can work in parallel with the products of third-party security vendors, creating an additional layer of protection on workstations and servers running under Windows Server.

Updated, Kaspersky Anti-Ransomware Tool for Business not only protects corporate devices from cryptomalware (both known and new), but also detects other threats — in particular, malicious miners, potentially dangerous programs, and pornware. Download this free product here.