Future Tech

So you paid a ransom demand … and now the decryptor doesn't work

Tan KW
Publish date: Wed, 11 Sep 2024, 11:44 PM

For C-suite execs and security leaders, discovering your organization has been breached, your critical systems locked up and your data stolen, then receiving a ransom demand, is probably the worst day of your professional life.

But it can get even worse, as some execs whose organization had been infected with Hazard ransomware recently found out. After paying the ransom in exchange for a decryptor to restore the encrypted files, the decryptor did not work.

The Register did not talk to the victim organization in this case - its executives declined to be interviewed about their experience - so we don't know the specifics including sector, ransom demand, what files were locked up, etc.

Still, we assume that coming to the conclusion that the best way out of the situation was to pay the extortionists - for concerns about customers' and employees' data privacy, or to bring business operations back online, or to minimize reputational damage, or because there just weren't any backups (oops) - was a pretty painful decision in itself.

But then to pay the criminals and still not be able to recover the files? That's excruciating.

"Ransomware as a whole is extremely stressful for the victim," said Mark Lance, ransomware negotiator with GuidePoint Security. "Now in this circumstance, specifically, where they've made the payment and the decryption tools don't work," the stress levels ratcheted up several notches.


"In this, and in a lot of situations like this one, they're relying heavily on those decryption capabilities working on certain systems so that they can recover operations," Lance told The Register. "So the stress substantially increases because they're like, 'Hey, we made this large ransom payment amount with established terms that said if we paid we're going to get access.'"

The infected organization obtained an updated version of the decryptor, but that wasn't working either. A third-party company that had been involved in the ransomware negotiations called in GuidePoint, which first tried the criminals' "technical support" desk and told them that the victim needed a different version of the decryptor.

But instead of providing a tool to unlock the encrypted files, the criminals sent over a renamed version of the previous decryptor. "And at that point, they went quiet and were no longer communicating with the victim," Lance said. "I think, in this instance, it was probably over the heads of the technical support team."

Whatever the reason, the org couldn't access the locked files, and the Hazard ransomware crew disappeared. Eventually, GuidePoint was able to patch the decryptor binary and then brute-force 16,777,216 possible values until it found the missing bytes - ultimately decrypting the files.

It's a good reminder, however, that paying a ransom isn't a guarantee of data recovery.

What to expect when you're decrypting

"One of our primary tasks is educating the victims on what they can expect and what is going to transpire as part of the ransomware incident," Lance explained. "We're also always establishing that regardless of anything that is agreed to, you're still dealing with criminals - these are the same people who are extorting you for money. Despite how they love to talk about how they're doing you favors, and they have a 100 percent success rate for decryption, you're dealing with cyber criminals, so you can't trust them."

The frequency of instances like this, where the decryptor doesn't work, "ebbs and flows," he added.

GuidePoint hadn't had it happen in months during the ransomware negotiations and incident responses the team had performed, "but then we had two that occurred, where the decryption tools didn't work, in the span of the week."

Some of the more "sophisticated" ransomware-as-a-service groups have internal technical support teams to perform more advanced troubleshooting. Lance noted his team has seen these crews escalate the problem to the more technically advanced members of the crime gang when things break - just like a regular, non-criminal IT operation.

There are also the newbies and the less sophisticated crews that lack the technical skills, or even the reputational concerns (more about that in a moment), to attempt any next-level data recovery activities.

Ultimately, the reasons why decryption tools don't work vary. In the Hazard ransomware incident, the decryptor had a bug. Sometimes the gangs provide a tool built for the wrong environment, which also renders it useless. Or sometimes they just decide to screw over the victims.

The latter doesn't happen too frequently - this is a business for these crooks, and if they earn a reputation for not decrypting data even after receiving a ransom payment, they aren't going to continue making money off of future victims.

All of these factors should be taken into consideration by the infected businesses, and they play into the education piece that GuidePoint and other incident responders bring to victims once they've been hit.

"We have made a lot of progress in education and awareness," Lance explained. "People understand that this is not just a security or IT problem, but it is a business problem, and people are seeing the true impacts associated with ransomware."

He added that while there used to be more of a stigma attached to disclosing ransomware attacks, "we're seeing more of a trend where people are saying we are being impacted, so let's make sure that other people have the opportunity to learn and leverage what we are going through so hopefully they don't." ®

https://www.theregister.com//2024/09/11/ransomware_decryptor_not_working/
