3 min read

Buggy ransomware locks up your data, then throws away the encryption key

Graham CLULEY

November 10, 2015

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Buggy ransomware locks up your data, then throws away the encryption key

Normally when security researchers find a bug in a piece of malware the last thing they want to do is tell the malicious code’s creator about it.

After all, don’t bugs in bad software have to be a good thing? Well, that’s not necessarily the case.

Take, for instance, the Power Worm ransomware.

Normally ransomware encrypts your files, displays a ransom demand (which could cost you in the region of $1000, typically payable in the form of Bitcoins), and makes your data inaccessible until you pay up. Only the bad guys hold the key to decrypt your files – which means that your only options may be to pay the ransom or hope that you have a secure backup.

But, as Bleeping Computer reports, the Power Worm ransomware has one serious bug.

power-worm-screenshot

Source: Bleeping Computer

The author of this new variant of Power Worm – so named because it is written in Windows PowerShell – wanted to use the same decryption key for each infected PC. In their point of view I imagine it made some sense to take that shortcut – if everyone had the same decryption key, they could skip having to create a complicated payment site for victims and generating a unique decryptor for each “customer”.

But a goof in the Power Worm code means that a random key was used to encrypt each and every victim’s data. No record is kept of that random key, so recovery of the encrypted data is impossible.

Yes, I know it’s disappointing to find that malware can be just as buggy as legitimate software, and that the online criminals aren’t doing proper testing of their products before release.

But that’s why Bleeping Computer has taken the unusual step of telling the ransomware author how to fix the bug in their code:

At BleepingComputer we never disclose bugs in a ransomware infection as that will just alert the developer and cause them to fix the weakness. In this particular case, though, we are going to tell the developer how to fix his mistake so that he doesn’t continue to destroy his victim’s data going forward. In our opinion, if a person becomes infected, we would rather they have a fighting chance of recovering their files rather than no chance at all.

FBI agent Joseph Bonavolonta courted controversy last month when he told companies that in some cases ransomware was so competently written that the best choice may be to give in to the extortionists’ demands:

“The easiest thing may be to just pay the ransom. The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”

Personally, although I understand the difficult situations businesses and home users might find themselves in and the tough decisions they may need to make, I’m not a fan of filling the bank accounts of criminals.

I guess we can thank the authors of Power Worm that they have thrown away their encryption key through a programming error –
making that usually tricky decision of whether to pay or not easy for its victims. There is simply no point paying the criminals if you have been hit by Power Worm, unless you made a backup your data is gone.

Don’t play Russian Roulette with your data and precious files. Ensure that you have a rigorous backup regime that will mean, even if you are unfortunate enough to suffer a damaging attack, you will always be able to restore your system from a backup.

tags


Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like

Bookmarks


loader