Buggy ransomware locks up your data, then throws away the encryption key

Normally when security researchers find a bug in a piece of malware the last thing they want to do is tell the malicious code’s creator about it.

After all, don’t bugs in bad software have to be a good thing? Well, that’s not necessarily the case.

Take, for instance, the Power Worm ransomware.

Normally ransomware encrypts your files, displays a ransom demand (which could cost you in the region of $1000, typically payable in the form of Bitcoins), and makes your data inaccessible until you pay up. Only the bad guys hold the key to decrypt your files – which means that your only options may be to pay the ransom or hope that you have a secure backup.

But, as Bleeping Computer reports, the Power Worm ransomware has one serious bug.

[Image: Power Worm screenshot. Source: Bleeping Computer]

The author of this new variant of Power Worm – so named because it is written in Windows PowerShell – wanted to use the same decryption key for every infected PC. From their point of view I imagine that shortcut made some sense: if everyone had the same decryption key, they could skip building a complicated payment site for victims and generating a unique decryptor for each “customer”.

But a goof in the Power Worm code means that a fresh random key was used to encrypt each and every victim’s data. No record of that random key is kept anywhere, so recovery of the encrypted data is impossible, for the victim and for the malware’s author alike.
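To make that bug concrete, here is a simulation of the two key-handling designs described above. It is an example added to this article, not Power Worm's own code or anything from Bleeping Computer's analysis: a keyed HMAC-SHA256 keystream with an encrypt-then-MAC tag from the Python standard library stands in for whatever cipher the real sample uses, and the embedded key, victim names, file contents and function names are all made up for illustration. It also shows the flip side of the intended design: with one key baked into every copy, a key pulled from any single sample decrypts every victim, whereas the code as shipped leaves nothing for anyone to work with.

```python
"""Simulation of the Power Worm key-handling bug.

Added example, not the malware's code: a keyed HMAC-SHA256 keystream with an
encrypt-then-MAC tag from the Python standard library stands in for whatever
cipher the real sample uses. The embedded key, victim names and file contents
are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. The tag lets decrypt() tell a wrong key
    from the right one instead of silently returning garbage."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(); raises ValueError if `key` is not the key used."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# The design the author apparently intended: one key baked into every copy,
# so a single decryptor serves every victim. (Hypothetical value.)
EMBEDDED_KEY = hashlib.sha256(b"hypothetical key hard-coded in the script").digest()


def infect_as_intended(files: dict) -> dict:
    """Every victim's files are encrypted under the same embedded key."""
    return {name: encrypt(EMBEDDED_KEY, data) for name, data in files.items()}


def infect_as_shipped(files: dict) -> dict:
    """The bug: a fresh random key per run that is never written anywhere.
    Once this function returns, the key is gone for victim and author alike."""
    key = secrets.token_bytes(32)
    return {name: encrypt(key, data) for name, data in files.items()}


def recoverable_with(key: bytes, encrypted: dict) -> bool:
    """Would a decryptor built around `key` restore every file?"""
    try:
        for blob in encrypted.values():
            decrypt(key, blob)
    except ValueError:
        return False
    return True


def demo() -> dict:
    """Two constructed victims under each design; returns what a decryptor
    built around the embedded key can and cannot recover."""
    victims = {
        "alice": {"thesis.docx": b"constructed sample: chapter one"},
        "bob": {"photos.zip": b"constructed sample: holiday 2015"},
    }
    intended = {v: infect_as_intended(f) for v, f in victims.items()}
    shipped = {v: infect_as_shipped(f) for v, f in victims.items()}
    return {
        # One key taken from any sample unlocks every intended-design victim...
        "intended_universal_decryptor": all(
            recoverable_with(EMBEDDED_KEY, e) for e in intended.values()),
        # ...but is useless against the shipped code, and nothing else survives to try.
        "shipped_embedded_key_works": any(
            recoverable_with(EMBEDDED_KEY, e) for e in shipped.values()),
    }
```

Calling demo() returns True for the intended design and False for the shipped one; the random key in infect_as_shipped() exists only inside that function call, which is the whole problem.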

Yes, I know it’s disappointing to find that malware can be just as buggy as legitimate software, and that the online criminals aren’t doing proper testing of their products before release.

But that’s why Bleeping Computer has taken the unusual step of telling the ransomware author how to fix the bug in their code:

At BleepingComputer we never disclose bugs in a ransomware infection as that will just alert the developer and cause them to fix the weakness. In this particular case, though, we are going to tell the developer how to fix his mistake so that he doesn’t continue to destroy his victim’s data going forward. In our opinion, if a person becomes infected, we would rather they have a fighting chance of recovering their files rather than no chance at all.

FBI agent Joseph Bonavolonta courted controversy last month when he told companies that in some cases ransomware was so competently written that the best choice may be to give in to the extortionists’ demands:

“The easiest thing may be to just pay the ransom. The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”

Personally, although I understand the difficult situations businesses and home users might find themselves in and the tough decisions they may need to make, I’m not a fan of filling the bank accounts of criminals.

I guess we can thank the authors of Power Worm for throwing away their encryption key through a programming error, since it makes the usually tricky decision of whether to pay or not an easy one for its victims. There is simply no point paying the criminals if you have been hit by Power Worm: unless you made a backup, your data is gone.

Don’t play Russian roulette with your data and precious files. Ensure that you have a rigorous backup regime, so that even if you are unfortunate enough to suffer a damaging attack you will always be able to restore your system from a backup.
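As a concrete version of that advice, here is a small Python script, added for this article and not anything the author or Bleeping Computer published, that makes a backup, restores it into a scratch directory and checks every file against a SHA-256 manifest, then overwrites the live files the way ransomware would to show that the verified backup is what survives. The function names and the sample files are mine.

```python
"""Verified backup: archive a directory, then prove the archive restores.

Added example for this article, not anything Bleeping Computer or the author
published. Function names are mine, and the files it backs up are constructed
in a temporary directory so it runs anywhere.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}


def make_backup(src: Path, dest: Path, name: str = "backup") -> tuple:
    """Write dest/name.tar.gz and return (archive path, manifest of what went in)."""
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"{name}.tar.gz"
    manifest = sha256_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return archive, manifest


def verify_backup(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare with the manifest.

    Returns a list of problems; an empty list means every file came back
    byte for byte. A backup that has never been restored is only a hope.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter refuses absolute paths and ../ traversal
                # inside the archive (Python 3.12+, backported to older 3.x).
                tar.extractall(scratch, filter="data")
            except TypeError:  # interpreter without the filter argument
                tar.extractall(scratch)
        restored = sha256_manifest(Path(scratch))
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupt: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in restored if rel not in manifest)
    return problems


def demo() -> dict:
    """Back up constructed sample files, then overwrite the live copies the way
    ransomware would and show that only the verified backup still checks out."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "documents"
        (live / "tax").mkdir(parents=True)
        (live / "tax" / "return-2015.txt").write_bytes(b"constructed sample: tax return\n")
        (live / "holiday.jpg").write_bytes(b"constructed sample: not really a jpeg\n")

        archive, manifest = make_backup(live, Path(tmp) / "backups")
        before = verify_backup(archive, manifest)

        # Simulated attack: every live file replaced with random bytes, no key kept.
        for p in live.rglob("*"):
            if p.is_file():
                p.write_bytes(os.urandom(p.stat().st_size))
        after_attack = sha256_manifest(live)
        damaged = sum(1 for rel, d in manifest.items() if after_attack[rel] != d)

        # A manifest entry the archive cannot satisfy must be reported.
        tampered = dict(manifest, **{"never-backed-up.txt": "0" * 64})
        return {
            "files": len(manifest),
            "problems_before": before,
            "live_files_damaged": damaged,
            "backup_still_verifies": verify_backup(archive, manifest) == [],
            "tamper_detected": verify_backup(archive, tampered),
        }
```

Point make_backup() and verify_backup() at a real directory to use this for more than the demo. Keep the archive on media the backed-up machine cannot write to: ransomware that can reach a backup will encrypt that too, and a restore test is the only proof that the copy you have is the copy you need.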

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments


  • ‘But that’s why Bleeping Computer has taken the unusual step of telling the ransomware author how to fix the bug in their code:’

    I bet they *loved* that! Both Bleeping Computer and the malware writer!

    ‘FBI agent Joseph Bonavolonta courted controversy last month when he told companies that in some cases ransomware was so competently written that the best choice may be to give in to the extortionists’ demands:’

    I’d say the abbreviation in the beginning says it all. But to be fair, I’m not sure (without actually checking the full quote – something I can’t really be bothered to do – but it doesn’t seem like it – 100% certain – from the quote you have) it is suggesting they do pay so much as it would be the easiest thing.

    Of course that’s misguided as well – backing up (and test recovery) would be much better and easier once it is properly in place.

  • Backups? Yes, yes, yes! Love them or not, Google does a great job of backing up most of my stuff automatically. And if I have to use the nuclear option, my backup is only a sign-in away to restore. Most people have lost data at some point in their lives, but never learn the multitude of ways to create safe, secured backups. I, like many, learned the hard way.