Stung By File-Encrypting Malware, Researchers Fight Back

itwbennett (1594911) writes "When Jose Vildoza's father became the victim of ransomware, he launched his own investigation. Diving into CryptoDefense's code, he found its developers had made a crucial mistake: CryptoDefense used Microsoft's Data Protection API (application programming interface), a tool in the Windows operating system to encrypt a user's data, which stored a copy of the encryption keys on the affected computer. Vildoza and researcher Fabian Wosar of the Austrian security company Emsisoft collaborated on a utility called the Emsisoft Decrypter that could recover the encrypted keys. In mid-March Vildoza had launched a blog chronicling his investigation, purposely not revealing the mistake CryptoDefense's authors had made. But Symantec then published a blog post on March 31 detailing the error."

Wich only serves to further

[Wapiti-eater]

The myth that the 'security' industry is at the root of the problem

Re:Wich only serves to further

Yeah, it would've been much harder for the attackers to reverse his utility right? Anything that monitors file accesses would've seen what files it was accessing. I don't disagree the AV company made a mistake because they wanted publicity but I don't think what they did was as significant as you might think.

Re:Wich only serves to further

[mysidia]

Because, if you publicize how you caught their error, they can fix it.

Exactly. They publicized the methods solely for marketing purposes -- so they could write a "ME TO" article, showing how their "researchers" are "On top" of security, and stealing thunder from the developer of the free Decryption software.

Because we're big Symantec, and we can't have third parties scooping us on antimalware techniques.

It also helps their product by making sure the authors of ransomware learn from mistakes, so future ransomware is more robust, AND therefore, users will have greater damage by ransomware in the future, increasing the demand for Symantec's products.

Re:disclosure

[Last_Available_Usern]

It must be at least mildly effective if the only legitimate means of unencrypting the data was a copy of the keys that only a set of researchers dedicated to the issue were able to find.

Re:fake website

[gstoddart]

It has an "onunload" function that pops up an error message

And this is why I don't allow javascript to run on arbitrary sites.

Because javascript can be used to do way too many annoying things. Like websites which think they can disable my right click (so I can use the back button) because they think I'm going to steal their images.

It's also why Flash doesn't get installed on machines I control.

Re:disclosure

[marciot]

I've spent years trying to dissuade people from using (old) Excel's password "protection" due to the false sense of security. That Win API has the same effect—convinces the masses they're employing secure means when in fact they're not.

I think recent events have shown that relying on security of any kind leads to a false sense of security (examples: NSA backdoors, OpenSSL bugs, WEP vunerabilities, etc). We'd all be much safer if we simply assumed there was no such thing as security.

Future victims should sue Symantec

[leereyno]

Future victims of this criminal organization should sue Symantec.

Class action lawsuit.

I also think that criminal charges for aiding and abetting would apply as well.