Ransomware Decryptor - touristtam
https://noransom.kaspersky.com/

======
lucb1e
As a Dutch person, I was confused about the Dutch police logo there (Politie
is Police in Dutch). Scrolled to the bottom to find affiliation or anything...
turns out it's right there in the first line.

I'm very pleasantly surprised to see our police doing something good! It's the
first time I've heard the Dutch digital police actually achieving anything,
and that is not exaggerated. Last time we provided an IP address involved in a
hack (the IP was from the same town as the company that got hacked, so it
wasn't masked), we never heard anything back, even though we know they have
the CIOT database with all Dutch IP addresses mapping to names and addresses.
But that was 2 years ago and there have been a lot of activities in training
policemen for digital investigations.

Although it's not entirely clear what exactly their involvement was, this is
nice!

~~~
thaumaturgy
That's not uncommon, unfortunately. I've off-and-on bothered to notify various
entities about bad behavior for the last 15 years or so. In most cases, it
goes completely ignored. Most recently, on April 2, I notified Rackspace's
abuse department that they were hosting a major fraud/scam site
(websitebackup.com, they send out fraudulent invoices and wait for non-tech-
savvy customers to send payment) and never heard back. Rackspace is still
hosting them.

It's just one of those facts of life: nobody really cares, not until they're
directly affected by it somehow.

~~~
lucb1e
Hold on, Rackspace is not police. You have no legal right to demand that they
cease to host anything and they have no legal obligation to look into anything
sent to that email address. The company that got hacked and reported it to the
police did: someone violated the law, we provided IP addresses and access logs
to make it a clear and simple case, and then they didn't even look into it.

~~~
thaumaturgy
Yes, and that's not uncommon, whether police or state agency or otherwise.

~~~
ersii
Just to be crispy clear, did you report the incident to the police or to some
other state agency as well? Or only to Rackspace?

~~~
thaumaturgy
Naw, that one just went to Rackspace. In the interests of clarity, I have also
reported a thing here and there to local law enforcement over the years, but
the experience was completely the same.

------
IgnotisAnon
Keep in mind that this only works for people infected with CoinVault, and
Kaspersky didn't get all the keys. The title is misleading here. Still, if you
are infected by CoinVault or know somebody who is, this is a great thing to
try.

------
mef
In the manual[0] they have "Remove CoinVault" as a step to do before you check
whether the Kaspersky site has the key that will decrypt your files.

People probably want to keep CoinVault around in case the key isn't known and
they want to pay the ransom.

[0] [https://noransom.kaspersky.com/static/convault-decrypt-manual.pdf](https://noransom.kaspersky.com/static/convault-decrypt-manual.pdf)

~~~
ikeboy
Don't know about Coinvault specifically, but others give you a program along
with the key if you pay.

Besides, you can always use Kaspersky's tool with a paid for key.

------
Animats
Key distribution is a problem even for ransomware. It looks like the
decryption key is a function of the Bitcoin address to which ransom is sent.
That should eliminate the need for a server controlled by the ransomware
people to return keys.

What does "check payment and receive keys" really do? Does it check the
Bitcoin block chain to see if payment has been made, then calculate the
decryption key? Is this entirely blockchain-based?

~~~
3pt14159
I'm guessing that when a cyber criminal is caught they add all retrieved
private keys to the police's keychain. Even a symmetrically signed key
(passworded) can be brute forced or the arrested can be court compelled to
decrypt the key.

~~~
duaneb
AES cannot be trivially brute forced. The key phrase is also unlikely to be
trivial because the convenience has no value.

~~~
will_hughes
I don't understand, perhaps I'm misunderstanding the situation.

GP is saying that if the [private] key is password protected, it can be brute
forced. Surely if a human is able to type in the password to the private key,
you can brute force that password relatively easily?

~~~
duaneb
With cooperation, yes, without it, no. A password doesn't need to be too long
to grow the key space to large enough all the computers in the world couldn't
scratch the surface.

Of course, there are many other factors that can significantly decrease or
break the security of AES.

TL;DR xkcd.com/538

------
ikeboy
For how they built it, see [https://securelist.com/blog/69595/challenging-coinvault-its-time-to-free-those-files/](https://securelist.com/blog/69595/challenging-coinvault-its-time-to-free-those-files/)

~~~
terminado
That link does not explain how they're managing to obtain the correct key from
the server without paying money.

So they were able to dump a memory segment into a hex editor, and locate
references to RijndaelManaged. So what?

In the screenshot, I still see:

    Server.GetKey().Key

So how did they convince the malicious server to cough up the token for free?

~~~
fragmede
The article states they "...obtained a database from a CoinVault command &
control server (containing IVs, Keys and private Bitcoin wallets)."

Reading between the lines, the police located the server, served a subpoena to
the hosting company, and took possession of the server. They then turned it
over to Kaspersky who created the site based on the keys on that server.

The screen dumps are just showing how they figured out the decryption routine
- the private key alone doesn't do you much good if you don't know the
algorithm used.
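
How a recovered key database becomes a decryptor, as an added example that is not the post's, the thread participants', or Kaspersky's code. The screenshot discussed above names RijndaelManaged, whose .NET defaults are AES in CBC mode with PKCS7 padding, so the example assumes that plus a 256-bit key; the database rows, victim IDs, keys, IVs and the "ransomed" PDF are all constructed here and are not the real CoinVault data. The tool tries every (key, IV) row against one file and accepts a result only if it both unpads cleanly and starts with a known file signature.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// VictimKey is one row of a constructed key database shaped like the one the
// post describes: a per-infection AES key and IV (example data, not CoinVault's).
type VictimKey struct {
	ID  string
	Key []byte // 32 bytes, AES-256
	IV  []byte // 16 bytes, one AES block
}

// pkcs7Pad and pkcs7Unpad implement the padding RijndaelManaged uses by default.
func pkcs7Pad(b []byte, block int) []byte {
	n := block - len(b)%block
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, block int) ([]byte, error) {
	if len(b) == 0 || len(b)%block != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > block || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptCBC plays the ransomware side: AES-CBC with PKCS7 padding.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, blk.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, padded)
	return out, nil
}

// decryptCBC is the recovery side; a wrong key usually (not always) shows up as a padding error.
func decryptCBC(key, iv, ciphertext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%blk.BlockSize() != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out, blk.BlockSize())
}

// looksLikeFile is the plausibility check needed when the tool cannot tell which
// row belongs to a file: clean padding alone is weak evidence (roughly one random
// key in 256 passes it), so a known file signature is required as well.
func looksLikeFile(p []byte) bool {
	for _, sig := range [][]byte{
		[]byte("%PDF-"),
		{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'},
		{'P', 'K', 0x03, 0x04}, // zip, and the Office formats built on it
	} {
		if bytes.HasPrefix(p, sig) {
			return true
		}
	}
	return false
}

// recoverFile tries every database row against one encrypted file and returns
// the ID of the row that yields a plausible plaintext, with that plaintext.
func recoverFile(db []VictimKey, ciphertext []byte) (string, []byte, bool) {
	for _, row := range db {
		if p, err := decryptCBC(row.Key, row.IV, ciphertext); err == nil && looksLikeFile(p) {
			return row.ID, p, true
		}
	}
	return "", nil, false
}

func main() {
	// Constructed database and file; real keys and IVs would be random bytes.
	db := []VictimKey{
		{"victim-0001", bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0xa1}, 16)},
		{"victim-0002", bytes.Repeat([]byte{0x22}, 32), bytes.Repeat([]byte{0xa2}, 16)},
	}
	original := []byte("%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n")
	ciphertext, _ := encryptCBC(db[1].Key, db[1].IV, original)
	id, plain, ok := recoverFile(db, ciphertext)
	fmt.Printf("recovered=%v matched=%s intact=%v\n", ok, id, bytes.Equal(plain, original))
}
```

Two caveats a real tool has to handle. First, valid padding is not proof of the right key: about one random key in 256 unpads cleanly, which is why the signature check exists, and a decryptor that cannot identify the file type should write candidates next to the original rather than overwrite it. Second, because this is CBC, the right key with the wrong IV corrupts only the first 16 bytes of plaintext, so a signature check at offset 0 would reject a file that is otherwise fully recoverable; if keys and IVs were recovered separately, the check should also be tried past the first block.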

------
bbcbasic
The best Ransomware Decryptor is the backup you took last night. Which
reminds me ... :-)

~~~
hnarn
Why assume that no-one who ever got caught by ransomware had any backups? As
far as I know, the way most ransomware works is that it not only encrypts your
entire drive, but also any network drives it has access to, any external
drives, and so on. It's quite possible someone with a backup regimen was
still affected because they left a link to their backup system open,
encrypting that as well. I think most people mainly care about backups being
off-site, not them being "de-linked" and inaccessible.

~~~
seszett
> _I think most people mainly care about backups being off-site, not them
> being "de-linked" and unaccessible._

Then they don't understand backups - what's the use of backups if _rm -rf /_
erases them as well because they're permanently mounted at /srv/backup?

------
eugeneionesco
>During our joint investigation we have been able to obtain data that can help
you to decrypt the files being held hostage on your PC.

Obtain data? How? :)

~~~
ikeboy
[http://www.pcworld.com/article/2909292/files-encrypted-by-coinvault-ransomware-new-free-tool-may-decrypt-them.html](http://www.pcworld.com/article/2909292/files-encrypted-by-coinvault-ransomware-new-free-tool-may-decrypt-them.html)

>The National High Tech Crime Unit (NHTCU) of the Dutch police recently
obtained a database from a CoinVault command-and-control server containing
decryption keys, the Dutch police said in a news release. The information
obtained from that database allowed Kaspersky to build a decryption tool.

~~~
hnarn
>a CoinVault command-and-control server

So, is there anything stopping them from setting up new servers with new keys
and starting the goose chase all over again?

~~~
ikeboy
No. In fact, this already happened before, see
[https://www.decryptcryptolocker.com/](https://www.decryptcryptolocker.com/).

It helps some people already infected.

------
techwatching
This originally hit the news 10 days ago: [http://techwatching.com/page/there-s-finally-a-tool-to-free-you-from-the-ransomware-holding-your-pc-hostage](http://techwatching.com/page/there-s-finally-a-tool-to-free-you-from-the-ransomware-holding-your-pc-hostage)

~~~
touristtam
Yeah, somehow no one on HN upvoted the stories, previously posted, about it.
And, for once, I am glad I didn't do my usual search before posting. Otherwise
this is a tool that wouldn't have had much exposure among the HN crowd. But
this is a different topic altogether. ;)

------
theandrewbailey
I would suspect that the keys would be different for each infection. But then
considering this is software made by criminals, I would not expect even the
most sensible or trivial of features and security precautions would be
implemented.

~~~
fragmede
> I would suspect that the keys would be different for each infection.

They are. CryptoLocker[1], which CoinVault is _loosely_ based on, used per
infection keys, and the warnings on the Kaspersky site make it clear they
don't believe they got all the keys, which would mean there's more than a few
keys.

[1]
[http://en.wikipedia.org/wiki/CryptoLocker](http://en.wikipedia.org/wiki/CryptoLocker)

> But then considering this is software made by criminals, I would not expect
> even the most sensible or trivial of features and security precautions would
> be implemented.

I'd advise against underestimating your enemy in this global age. These aren't
petty thieves akin to digital purse snatchers, working haphazardly, but the
work of a few motivated individuals, likely with ties to organized crime.

~~~
Strom
In my experience, most malware creators are pretty terrible. Even in 2015 it's
common for malware to communicate with C&C servers that have classic SQL
injection vulnerabilities.

More specifically on the topic of ransomware, have a look at this gem [1],
which uses RSA, but the key is 128 ASCII digits. Very similar to the cryptocat
disaster. [2]

[1] [http://blog.cassidiancybersecurity.com/post/2014/02/Bitcrypt-broken](http://blog.cassidiancybersecurity.com/post/2014/02/Bitcrypt-broken)

[2] [http://tobtu.com/decryptocat.php](http://tobtu.com/decryptocat.php)

~~~
ikeboy
There's also cryptodefense, which generated the keys locally. (See
[https://archive.is/1AGHG](https://archive.is/1AGHG), original source doesn't
load for me.)

------
michaelmior
The title appears to have a typo: ransomEware.