Kaspersky has released a decryption tool for the Polyglot ransomware to assist victims in recovering their files without giving in and paying a fee.
On Monday, the cybersecurity firm launched the free tool (.ZIP), which is suitable for the Polyglot Trojan which is also known as MarsJoke, a strain which has been linked to attacks on government targets.
Ransomware is a particularly nasty kind of malware which has hit the headlines over the past year after targeting victims including businesses, hospitals and universities. What makes the malware strain particularly devastating — for organizations and the general public alike — is its ability to take away access to files and content stored on a compromised machine.
Once ransomware such as MarsJoke, Cerber or CTB-Locker is downloaded and executed — often finding its way onto a PC through phishing emails or malicious links — the ransomware encrypts files and in some cases, full hard drives.
Once the victim can no longer access their machine, a holding page informs them that they must pay a “fee” in return for a decryption key which will release their content back to them.
Polyglot infects PCs through spam emails which have malicious RAR archives attached. When infecting a machine, this family of ransomware blocks access to files and then replaces the victim’s desktop wallpaper with the ransom demand, which is made in virtual currency Bitcoin.
Many types of ransomware will simply sit on the machine for the payment to be made. However, Polyglot insists on a payment deadline and if the blackmail fails and no money is sent to the operators, the malware will delete itself — leaving behind a machine with encrypted files and no way to retrieve them.
Until now, at least. Kaspersky’s tool will decrypt these machines and unlock user data.
According to the security firm, although Polyglot looks similar to the severe CTB-Locker ransomware, the malware uses a weak encryption key generator. On a standard home PC, it takes less than a minute to brute-force the full set of possible Polyglot decryption keys — which gives you an idea of actually how weak the malware is.
This weakness also provided a path for Kaspersky to exploit to create the decryption tool.
Anton Ivanov, senior malware analyst at Kaspersky Lab commented:
“This case teaches us to never give up: ransomware has become a serious problem for all users, but sometimes a solution can be found. In this case, the malware authors made an implementation mistake, making it possible to break the encryption.
However, users should not rely only on luck when it comes to ransomware. This case is the exception rather than the rule.”
If you are suffering from a different type of ransomware, it is worth checking out the No More Ransom project to see which decryption tools are available to you. The project is a joint initiative between Kaspersky Lab, the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and Intel Security, designed to help users recover their data without giving into the cybercriminals and paying up.