Kaspersky, Intel and Law Enforcement Launch No More Ransom Effort

By Sean Michael Kerner  |  Posted 2016-07-25

NoMoreRansom.org provides decryption keys for Shade ransomware, with a plan to help end the scourge of ransomware.

Ransomware is a growing epidemic that is impacting users around the world, but an effort launched July 25 at NoMoreRansom.org is taking a definitive step to help reverse the trend. The No More Ransom effort is a partnership between Kaspersky Lab, Intel Security, Europol's European Cybercrime Centre, the Dutch High‐Tech Crime Unit and Amazon Web Services.

"We realized that the police cannot fight against cyber-crime, and ransomware in particular, alone, and security researchers cannot fight it without support from law enforcement agencies," Jornt van der Wiel, security researcher with the Global Research and Analysis Team at Kaspersky Lab, told eWEEK. "To be the most effective, law enforcement agencies and IT security companies have to work together around the globe."

One of No More Ransom's key assets is decryption keys for the Shade ransomware family. Shade is a popular ransomware Trojan that first emerged in 2014. Since then, Intel Security and Kaspersky have been able to block approximately 27,000 attempts to attack users with Shade. It's not clear how many users were infected with Shade, but thanks to the actions of law enforcement, victims now have an easy way to recover their data.

"Our law enforcement partners were able to seize components related to the [Shade] back end, and this allowed the extraction of decryption keys to be incorporated into a tool," Raj Samani, vice president and CTO at Intel Security, told eWEEK.

No More Ransom's Shade decryption tool has 160,000 keys that can help victims decrypt their data. To use the tool, users need to run two commands via the command line, according to Samani. The first command requires the victim's "user ID," which is found in the ransom note created at the time of infection.

"Using this ID we will retrieve the associated private key from our servers," Samani said. "The affected user ID must be part of the takedown operation for this to be successful. If successful, then the user will run a second command that will decrypt their designated file using a downloaded private key."

NoMoreRansom.org partners don't contribute financially to the effort; rather, they contribute resources. How partners contribute resources depends on the investigation, van der Wiel said.

"In addition, we're very happy that Amazon is sponsoring the hosting of the Website," van der Wiel said.

While NoMoreRansom.org right now is providing decryption for the Shade ransomware family, the goal of the effort is much wider—helping with multiple forms of ransomware attacks.

"We want [NoMoreRansom.org] to become a powerful help center for anyone who becomes a victim of ransomware, be it the development and distribution of the new decryption tools or by starting a criminal investigation," van der Wiel said. "We expect to expand the project in the future with more decryption utilities."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

