Hackers love to take advantage of unsuspecting victims. That feeling of control is thought to be part of the rush that these online profiteers feel when they score big in a ransomware heist. So what happens when a white hat programmer attempts to ride in on a white horse and liberate the ransomware victims with free decryptor software? Here is one example that recently grabbed headlines.
Spaniard Javier Yuste, a student at the Rey Juan Carlos University in Madrid, recently released a free decryptor for victims of Avaddon ransomware, but the hackers quickly updated the malware's code, rendering it useless. The utility initially worked for victims who had not powered off their computers after infection.
Avaddon ransomware is a threat that bears a resemblance to Maze ransomware. It not only encrypts the victim's data but also steals it and threatens to publish it via a data leak site. Avaddon operators have already released data from Liberty Linehaul and U.S. Auto Parts Network, Inc. One hallmark of this particular strain of ransomware is that it deletes backups. Beyond the traditional removal of shadow copies of the user's files, this ransomware also deletes backups, disables automatic repair and recovery, and empties the Recycle Bin. It can do this because it escalates privileges through a UAC bypass that abuses the CMSTPLUA COM interface.
The utility developed by Yuste dumped the RAM of the infected computer and scanned it for data that would allow recovery of the encryption key.
According to ZDNet “If enough information is recovered, the tool can then be used to decrypt files and help victims recover from Avaddon attacks without needing to pay the gang’s ransom demand.”
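The recovery approach described above relies on a well-known memory-forensics technique: a running cipher leaves its expanded key schedule in process memory, and a schedule is self-verifying, so a scanner can test every 16-byte window of a dump by expanding it and checking whether the expansion appears right behind it. The following is an added example written for this article; it is not the Yuste tool's code and nothing about Avaddon's internals is taken from the page. It assumes (as an assumption, not a stated fact) that the file-encryption key is an AES-128 key and that the expanded schedule sits contiguously in memory at the time of the dump. The sample "dump" is constructed: pseudo-random filler with the FIPS-197 Appendix A example key schedule planted at a known offset.

```python
# Added example: locating an AES-128 key schedule in a memory dump.
# Illustrative code, not the Yuste tool and not Avaddon-specific.
# Assumptions (not stated on the page): the file-encryption key is an
# AES-128 key, and the running malware left its expanded key schedule
# (176 contiguous bytes) in process memory when the RAM was dumped.
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys x 16 bytes for AES-128


def _rotl8(x: int, s: int) -> int:
    return ((x << s) | (x >> (8 - s))) & 0xFF


def make_sbox() -> list[int]:
    """Generate the Rijndael S-box from its definition (GF(2^8) inverse
    followed by the affine transform) so no 256-entry table is needed."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p *= 3 and q /= 3 in GF(2^8); loop invariant p * q == 1
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; defined directly by the standard
    return sbox


SBOX = make_sbox()


def _next_word(prev: bytes, four_back: bytes, i: int) -> bytes:
    """One step of the AES key expansion: w[i] from w[i-1] and w[i-4]."""
    t = list(prev)
    if i % 4 == 0:
        t = [SBOX[b] for b in t[1:] + t[:1]]  # SubWord(RotWord(w[i-1]))
        t[0] ^= RCON[i // 4 - 1]
    return bytes(a ^ b for a, b in zip(four_back, t))


def expand_key_128(key: bytes) -> bytes:
    """Full AES-128 key schedule (FIPS-197 section 5.2), 176 bytes."""
    assert len(key) == 16
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w[i - 1], w[i - 4], i))
    return b"".join(w)


def find_aes128_keys(dump: bytes) -> list[tuple[int, bytes]]:
    """Scan a memory image byte by byte for 16-byte candidates whose
    expanded schedule appears verbatim in the 160 bytes that follow.
    A cheap one-word check rejects almost every offset before the
    full expansion is computed."""
    hits = []
    for off in range(0, len(dump) - SCHEDULE_LEN + 1):
        cand = dump[off:off + 16]
        # w[4] depends only on w[3] and w[0]; compare it to the next 4 bytes
        if _next_word(cand[12:16], cand[0:4], 4) != dump[off + 16:off + 20]:
            continue
        if expand_key_128(cand) == dump[off:off + SCHEDULE_LEN]:
            hits.append((off, cand))
    return hits


# Constructed sample "dump": pseudo-random filler with a known schedule
# planted at a fixed offset. The key is the FIPS-197 Appendix A example key.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PLANT_OFFSET = 1337
_filler = bytearray(random.Random(7).randbytes(4096))
_filler[PLANT_OFFSET:PLANT_OFFSET + SCHEDULE_LEN] = expand_key_128(FIPS_KEY)
SAMPLE_DUMP = bytes(_filler)

if __name__ == "__main__":
    for off, key in find_aes128_keys(SAMPLE_DUMP):
        print(f"AES-128 key schedule at offset {off}: key={key.hex()}")
```

The scan succeeds only while the schedule is still resident, which is why a tool of this kind helps victims who have not rebooted: once the encrypting process exits or the machine is powered off, the key material is gone. For incident responders the practical lesson is to capture memory from an infected host before shutting it down, and to keep the image for later analysis even if no decryptor exists yet.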
Once the hackers behind Avaddon ransomware were informed of the availability of the decryption tool, they released an update for the infection that rendered the tool useless.
Security experts argue that releasing the decryptor publicly was a poor decision, because where a decryption tool depends on flaws in the malware's code, publishing it lets the ransomware operators fix those flaws. The speed with which the Avaddon authors updated their code also shows how effectively they operate.