
Buggy ransomware locks up your data, then throws away the encryption key

Graham CLULEY

November 10, 2015


Normally when security researchers find a bug in a piece of malware the last thing they want to do is tell the malicious code’s creator about it.

After all, don’t bugs in bad software have to be a good thing? Well, that’s not necessarily the case.

Take, for instance, the Power Worm ransomware.

Normally ransomware encrypts your files, displays a ransom demand (which could cost you in the region of $1000, typically payable in the form of Bitcoins), and makes your data inaccessible until you pay up. Only the bad guys hold the key to decrypt your files – which means that your only options may be to pay the ransom or hope that you have a secure backup.

But, as Bleeping Computer reports, the Power Worm ransomware has one serious bug.

[Screenshot: Power Worm ransom note. Source: Bleeping Computer]

The author of this new variant of Power Worm – so named because it is written in Windows PowerShell – wanted to use the same decryption key for each infected PC. From their point of view I imagine it made some sense to take that shortcut – if everyone had the same decryption key, they could skip building a complicated payment site for victims and generating a unique decryptor for each “customer”.

But a goof in the Power Worm code means that a random key was used to encrypt each and every victim’s data. No record is kept of that random key, so recovery of the encrypted data is impossible.

Yes, I know it’s disappointing to find that malware can be just as buggy as legitimate software, and that the online criminals aren’t doing proper testing of their products before release.

But that’s why Bleeping Computer has taken the unusual step of telling the ransomware author how to fix the bug in their code:

At BleepingComputer we never disclose bugs in a ransomware infection as that will just alert the developer and cause them to fix the weakness. In this particular case, though, we are going to tell the developer how to fix his mistake so that he doesn’t continue to destroy his victims’ data going forward. In our opinion, if a person becomes infected, we would rather they have a fighting chance of recovering their files rather than no chance at all.

FBI agent Joseph Bonavolonta courted controversy last month when he told companies that in some cases ransomware was so competently written that the best choice may be to give in to the extortionists’ demands:

“The easiest thing may be to just pay the ransom. The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”

Personally, although I understand the difficult situations businesses and home users might find themselves in and the tough decisions they may need to make, I’m not a fan of filling the bank accounts of criminals.

I guess we can thank the authors of Power Worm that they have thrown away their encryption key through a programming error – making that usually tricky decision of whether to pay or not easy for its victims. There is simply no point paying the criminals if you have been hit by Power Worm: unless you made a backup, your data is gone.

Don’t play Russian Roulette with your data and precious files. Ensure that you have a rigorous backup regime, so that even if you are unfortunate enough to suffer a damaging attack you will always be able to restore your system from a backup.
