Recently, two highly publicized ransomware victims received a decryptor that was too slow to be effective in quickly restoring the victim’s network, according to a recent article published in Bleeping Computer.
The first was Colonial Pipeline, which paid a $4.4 million ransom for a decryptor after being attacked by the DarkSide ransomware operation.
However, the decryptor was so slow that the company resorted to restoring from backups.
“Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said,” reported Bloomberg.
The more recent victim is HSE, the national healthcare system of Ireland, which was hit by a Conti ransomware attack but refused to pay a ransom.
The Conti operators, likely realizing they had made a mistake in targeting a government agency, released a free decryptor for the attack.
However, testing the decryptor found it too slow, so HSE worked with New Zealand cybersecurity firm Emsisoft to use their decryptor, which is allegedly twice as fast.
Emsisoft’s Universal Decryptor
After learning about Emsisoft’s decryptor, BleepingComputer reached out to Emsisoft CTO Fabian Wosar to learn more about how HSE was using it.
While Wosar declined to share information about their work with HSE, he explained that Emsisoft created its ‘Universal Decryptor’ after finding that ransomware operations do a horrible job of decrypting files.
For example, Ryuk ransomware’s decryptor was known to have problems decrypting large files, leading to data corruption. Similarly, a bug in Babuk Locker’s decryptor caused data loss when decrypting ESXi servers.
In addition to the bugs, Wosar told BleepingComputer that ransomware operations’ decryptors are “atrociously slow”, which makes them a lot less effective than restoring files from backups.
While Emsisoft’s decryptor was designed for data safety, it is also much faster than ransomware gangs’ decryptors. Since the tool comes from a well-known and respected cybersecurity company, it also eliminates the need to check the threat actor’s decryptor for malicious behavior.
“We usually cut days off. Because no reversing needed to make sure it’s safe, no backups that need to be done first, easier deployment, better logs, and ultimately we end up being much, much faster,” Wosar told BleepingComputer.
Wosar also stated that it is not unheard of for victims to be affected by multiple ransomware attacks simultaneously, which prompted Emsisoft to adapt their decryptor so that it can load multiple decryption keys from different ransomware families and decrypt the files in one go.
“More than 50 ransomware families and major variants are supported by the decryptor,” explained Wosar.
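The concerns Wosar raises above (large-file corruption, speed, data safety, and several families hitting one victim at once) all come down to how a decryptor handles files on disk. The following Python is an added example, not Emsisoft’s or any ransomware group’s code, showing the fail-safe pattern a defender would want: stream in fixed-size chunks so multi-gigabyte files never have to fit in memory, write plaintext to a temporary file beside the original, verify it before committing atomically, never modify the encrypted original (so no backup is needed first), and load keys for several families into a single pass over the tree. The HMAC-SHA256 counter keystream, the `.famA`/`.famB` marker extensions and the 32-byte SHA-256 trailer are a constructed stand-in format, not any real family’s; `decrypt_file`, `decrypt_tree` and `run_demo` are names chosen for this example.

```python
"""Fail-safe streaming decryptor pattern (added example, not Emsisoft's code)."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024   # bounded memory no matter how large the file is
DIGEST_LEN = 32     # constructed format: trailer holds SHA-256 of the plaintext

def _keystream(key, offset, length):
    """Counter-mode keystream (HMAC-SHA256, a stand-in cipher) for [offset, offset+length)."""
    first, last = offset // 32, (offset + length + 31) // 32
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest() for i in range(first, last))
    return b"".join(blocks)[offset % 32: offset % 32 + length]

def crypt(key, offset, data):
    """XOR data at an absolute file offset with the keystream (encrypt == decrypt)."""
    ks = _keystream(key, offset, len(data))
    return (int.from_bytes(data, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(data), "big")

def make_fixture(enc_path, plaintext, key):
    """Write plaintext encrypted in the constructed format (test data only)."""
    enc_path.write_bytes(crypt(key, 0, plaintext) + hashlib.sha256(plaintext).digest())
    return enc_path

def decrypt_file(enc_path, key, marker):
    """Stream plaintext into a temp file beside the original, verify the hash,
    then commit with os.replace (atomic on one filesystem). The encrypted file
    is never modified, so a wrong key or damaged input costs nothing."""
    out_path = enc_path.with_name(enc_path.name[:-len(marker)])
    payload_len = enc_path.stat().st_size - DIGEST_LEN
    fd, tmp_name = tempfile.mkstemp(dir=enc_path.parent, prefix=".decrypting-")
    try:
        h, offset = hashlib.sha256(), 0
        with open(enc_path, "rb") as src, os.fdopen(fd, "wb") as dst:
            while offset < payload_len:
                chunk = src.read(min(CHUNK, payload_len - offset))
                if not chunk:
                    raise ValueError(f"{enc_path}: file shrank while reading")
                plain = crypt(key, offset, chunk)
                h.update(plain)
                dst.write(plain)
                offset += len(chunk)
            trailer = src.read(DIGEST_LEN)
            dst.flush()
            os.fsync(dst.fileno())   # plaintext is on disk before the rename
        if not hmac.compare_digest(h.digest(), trailer):
            raise ValueError(f"{enc_path}: plaintext hash mismatch (wrong key or damaged file)")
        os.replace(tmp_name, out_path)
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)      # leave no partial output behind
        raise
    return out_path

def decrypt_tree(root, family_keys):
    """One walk over root; family_keys maps each family's marker to its key, so a
    host hit by several families is restored in one pass. Originals stay in place."""
    result = {"decrypted": [], "failed": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        marker = next((m for m in family_keys if path.name.endswith(m)), None)
        if marker is None:
            continue
        try:
            result["decrypted"].append(decrypt_file(path, family_keys[marker], marker))
        except ValueError as exc:
            result["failed"].append(path)   # log and continue; one bad file must not abort the run
            print("FAILED", exc)
    return result

def run_demo():
    """Constructed fixtures: two families in one tree plus one corrupted file."""
    root = Path(tempfile.mkdtemp(prefix="decryptor-demo-"))
    key_a, key_b = (hashlib.sha256(b"constructed key " + t).digest() for t in (b"A", b"B"))
    big, small = os.urandom(200_000), b"restored note\n"   # big spans several chunks
    enc_big = make_fixture(root / "big.bin.famA", big, key_a)
    make_fixture(root / "note.txt.famB", small, key_b)
    damaged = bytearray(enc_big.read_bytes())
    damaged[100] ^= 0xFF                                   # simulate on-disk corruption
    (root / "damaged.bin.famA").write_bytes(damaged)
    res = decrypt_tree(root, {".famA": key_a, ".famB": key_b})
    return {
        "big_ok": (root / "big.bin").read_bytes() == big,
        "small_ok": (root / "note.txt").read_bytes() == small,
        "decrypted": len(res["decrypted"]),
        "failed": len(res["failed"]),
        "damaged_output_exists": (root / "damaged.bin").exists(),
        "temp_leftover": any(p.name.startswith(".decrypting-") for p in root.iterdir()),
        "originals_kept": enc_big.exists(),
    }

if __name__ == "__main__":
    print(run_demo())
```

Because the keystream is derived from the absolute file offset, decrypting in 64 KiB chunks yields exactly the same bytes as decrypting the whole file at once, which is the property a large-file bug like the one described for Ryuk breaks. The corrupted fixture is detected by the hash check, leaves no partial output behind, and does not stop the rest of the run.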
Testing Emsisoft’s decryptor
Wosar agreed to allow BleepingComputer to test their decryptor against publicly available samples of Conti and DarkSide and their respective decryptors previously shared on malware analysis sites.
As part of our tests, we used a Windows 7 virtual machine with 2 CPUs, a small 44.8 GB drive and 35.1 GB of used space.
While these specs are grossly different from what would be used in real-life scenarios, they still allow us to gauge the difference in speed between the Emsisoft decryptor and the ones provided by ransomware gangs.
In our first test, we encrypted our virtual machine with the Conti ransomware, which took approximately nine minutes.
The Conti-provided decryptor decrypted the files in 22 minutes, while Emsisoft’s decryptor got the job done in only 13 minutes, saving 9 minutes and making it approximately 41% quicker than the threat actor’s decryptor.
We then performed a similar test with a DarkSide ransomware sample, which took only six minutes to encrypt our device.
Using the DarkSide decryptor took 29 minutes to decrypt our test files, while Emsisoft’s decryptor took only 18 minutes. This makes Emsisoft’s decryptor 37% faster in our tests, but Wosar states that machines with more CPUs will perform better.
With victims commonly having thousands of devices and terabytes of data to decrypt, 37 to 41% faster decryption speeds are significant and can shave off days, if not weeks, from a restoration process.
Emsisoft charges for its restoration services, in which it analyzes the particular ransomware and creates customized decryptors, but provides free support to organizations in healthcare.